Past TILT Clinics

June 2022

DPO Consultancy

DPO Consultancy is a Dutch company that operates on a worldwide scale with a focus on data privacy solutions. They are a one-stop-shop, with clients in various branches, like the Dutch government, the automotive industry, and life sciences.

Assignment

The assignment for this clinic was to investigate and produce a report on how life sciences parties can optimally arrange that study data can be used for possible future scientific research and still comply with the GDPR.

Before a clinical trial starts, individuals that want to participate in the clinical trial, the study subjects, are informed about and consent to the usage of their personal data in an informed consent form (ICF). In this ICF the purpose of processing their data for that specific study is also included. In practice it is often a desire of scientists to further study and use the collected raw data for other research. Within the scope of the GDPR one has to deal with the challenges of this secondary use of personal data. An example to illustrate this: Sponsor A conducts a clinical trial through clinical site B to test a new medicine for breast cancer. Study subjects are informed that their data will be processed to answer the research question of that specific study, to which they consent. Investigator C works at research facility X, and would like to use the raw data of that study for her own research project. Investigator C asks Sponsor A to share the raw data with her. However, Sponsor A realizes that a possible data transfer to Investigator C should be done in a GDPR compliant manner.

In their research, students asked themselves questions such as:

- How should you assess a situation in which Sponsor A receives a request from Investigator C? 

- What aspects should you assess? 

- Should you inform study subjects of the secondary use of their data?

- How can be dealt with the principle of purpose limitation when reusing the study data for different research purposes?

- What are the possible legal bases for processing the data for other research?

- How do you mitigate privacy risks involved in such a data transfer?

(March – April 2020)

SafeCity

Safecity received a pioneer grant from the ISDNfund (A Dutch authority to support safe internet) for the development of a comparison website on the reliability of apps and IOT devices, in the context of cybersecurity and data protection. The goal here was to develop a website where end-users can check the reliability of the relevant app or IOT device, leading to more awareness in cyber and data security for users, and motivating the developers of apps and IOT devices to get a high score at the reliability comparison.

Assignment

Students were tasked with developing a well thought-out questionnaire that gives an indication of the level at which an app or IOT device meets certain criteria pertaining to:

• Privacy / GDPR with data.
• Security of data storage.
• Handling data and combining with other data.
• Integrity of developer /provider.

Students were also tasked with developing a ranking system based upon this questionnaire, to compare and categorise the relevant apps or IOT devices.

(April - May 2020)

InnoSportLab Sport & Beweeg

InnoSportLab Sport & Beweeg is a non-profit innovation center, located in Eindhoven, who innovate to make sports and exercise a matter of course. To accomplish this they work together with end-users, companies, governments and knowledge institutions. Together they invent smart new products, services and methods that contribute to this mission, within both the sports environment and public space.

Assignment

The assignment concerned the development of two products/services that thrive on data gathered in public spaces: “Meet & Move” and “Neighbourhood Movement map”. The focus of this clinic was to develop insights into the possible data protection issues related to these products/services, and to subsequently create the necessary underlying documentation for accountability purposes.

Meet & Move uses smart technology (for example, artificial intelligence and Bluetooth) to efficiently and effectively measure exercise behaviour in public spaces. The following parameters are to be measured: Meeting (Group size, Hotspots, User peak times) and Activity (different levels of intensity). Students were tasked with answering the following questions by InnoSportLab Sport & Beweeg:

• Can we, in consultation with a municipality, hang up measuring instruments ourselves in public spaces such as WiFi / Bluetooth beacons and (passive thermal) cameras?
• Under what conditions can we use camera images in public space to recognize moving / meeting patterns using AI technology?
• The same question for Bluetooth use, in order to be able to continue to track people at central points via Bluetooth / WiFi, in combination with camera images.
• Should we filter out certain data? Do we need to store certain data and should we consider where to store data? Can we, and if so under what conditions, give people unique IDs based on recognition?
• If the project concerns the actual processing of personal data, what is needed in terms of accountability to meet the minimum requirements of the GDPR and can you provide these? (Register, Need for DPIA? Overview of PbD measures that are or could be taken to mitigate risks? Other, like privacy policy, terms and conditions, data processing agreements?

Neighbourhood Movement map is a platform with the aim to collect the wishes and needs of residents, which can be translated into advice for municipalities to organize their neighbourhood in an exercise-friendly manner. Residents are asked for: age, social-cultural situation, place of residence (zip code), motivation and/or obstruction to move. To grade the ease of movement, InnoSportLab uses this information to distinguish different district persona in a neighbourhood. Residents further indicate their wishes and needs on a map. Here district, persona, and place of residence are linked to certain wishes and needs. Students were asked to review the possibility of this, as well as to investigate the relevant conditions for this under the GDPR. The students were then tasked with assessing what measures need to be in place in order to process relevant personal data in conformity with the GDPR.

(October 2020 – March 2021)

WECS

Women in Energy, Climate and Sustainability (WECS) is a public foundation established to promote gender equality as an enabler for the transition towards a climate neutral economy in Europe and worldwide. WECS objective is to facilitate gender diversity and women empowerment in the fields of energy, climate and sustainability. WECS serves as an enabler for projects and partnerships designed to achieve the objectives of the foundation, which are closely aligned with and supportive of a number of relevant international initiatives, including:

• The Paris Agreement
• United Nations Sustainable Development Goals, in particular, Goal 5: Gender Equality; Goal 7: Affordable and Clean Energy; Goal 12: Responsible Consumption and Production; and Goal 13: Climate Action.
• EU strategic long-term vision for a prosperous, modern, competitive and climate-neutral economy by 2050
• European Green Deal
• European Gender Strategy.

WECS is represented by Dr. Gokce Mete, Head of Knowledge and Daria Nochevnik, Head of Operations and Communication.

Assignment

Recent data of the International Renewable Energy Agency (IRENA, 2019) showed that women represented about 32% of workforce in the renewables industry, which is only 10% higher compared to the share of women in the traditional oil and gas industry. At the same time, women were likely to be employed in lower-paid, non-technical and administrative positions in the sector than in technical, managerial or policy-making roles. When it comes to senior management roles in the power and utilities sector women held less than 15% (EY, 2019). In the public sector, women held about 17% of high-level decision-making positions in the environment, transport, and energy sectors across Europe (EIGE, 2012). The status quo in the industry was in sharp contrast with the fact that women represent more than half of university students, and almost 50% the workforce across the world.

Data and current research on gendered perspectives on social equality and women’s access to the decision-making processes are limited to developing world context (Global South). However, with the emergence of new technologies, new energy carriers, and the ongoing digitalization in the energy sector, the importance of analyzing the impact of energy projects and transformations on gender equality and inclusion in the developed world becomes necessary. Further, as the numbers above show, the involvement of women working in the in the energy sector is an issue. Against this background, WECS was seeking to develop a methodology towards a model Gender Impact Assessment in the energy sector, to be presented to the European Commission, with a view to be streamlined into the European Green Deal and European Gender Strategy.

Project milestones for the students included:

1. Identifying existing Gender Impact Assessment toolkits developed by national governments, EU institutions or international organisations (i.e. World Bank) in the energy and other sectors, such education, health and town planning.
2. Identifying best practices, if any, in the energy sector or in other sectors.
3. Mapping out lessons learned from environmental and social impact assessments (whether and if so, how gender specific questions have been included).

The final goal of the project was for the students to produce:

1. A report on milestones 1-3 on the key findings, presented to the WECS Foundation.
2. A model methodology for a gender impact assessment of projects in the energy sector.

Assignment: Development educational tool for engineers
The engineers of the future faced a faster pace of technology development and increasingly complex problems. They needed both in-depth discipline expertise and cross-disciplinary insight. When developing technology for society, a basic understanding of legal subjects was of great importance. As the Technical University Eindhoven is primarily a university of technology, the ‘legal’ discipline was currently limitedly taught to students.

The opened TU/e innovation Space hosts several student teams and spin-offs which experience a lack of understanding on their legal position. According to similar institutions at other (technical) universities, these universities face similar problems. The key objective of this project was to educate (future) engineers about their legal position through an education tool.

The goal of the Clinic was to help develop and test the content of an education tool. This tool was used to help engineering students answer the questions:

1. have I created intellectual property?
2. who owns the intellectual property I have created?
3. what are legal topics to consider when starting a business?

Students worked at the law firm Louwers IP|Technology Advocaten and at the TU/e Innovation Space, both located in Eindhoven.

Louwers IP|Technology Advocaten is a modern niche firm in the field of IT/internet, privacy and intellectual property, and especially at the intersection of law and technology. Since 2006, the firm is established in design and technology region Brainport Eindhoven and from August 1, 2014 also in the equally innovative region of The Hague. More information regarding our law firm visit.

On Friday, the 4th of May 2018, the students participating in the TILT IP clinic with Crossyn Automotive presented the results of their 2-months long research on intellectual property law in the era of connected cars.

Crossyn is a Tilburg-based startup that developed an advanced analytics platform that collects, analyses, and enriches vehicle sensor data. The insights from these data can be used to create personalised data driven mobility services, while making sure the driver remains in control of their data.

Automotive industry is currently facing disruptive changes posed by big data and connectivity, summed up as smart mobility, which is at the core of Crossyn’s business. In such competitive and innovative environment having a comprehensive intellectual property (IP) portfolio is paramount, especially for a startup. Thus, the students of the TILT clinic were tasked with advising Crossyn on an appropriate IP framework that could be applied to their products and services.

To do this the students, under supervision of their mentors from Tilburg University and Crossyn, conducted a fact-finding exercise and several interviews with Crossyn staff, in order to understand Crossyn’s business objectives and potential IP assets, and performed normative research on applicable legislation and relevant case-law.

Based on that they first identified Crossyn’s products and services that could benefit from IP protection and then proposed to Crossyn the areas of IP law that are pertinent to their IP assets, including database rights, patents, copyright, trademarks, trade secrets, and license agreements, and addressed possible courses Crossyn could follow with their IP strategy.

Three students of Tilburg University, under auspices of TILT lecturers, prepared a third-party intervention before the European Court of Human Rights in the OOO Flavus against Russia and 4 other applications. The decision of the Court will set important limits for the safeguards against state over-blocking online. Therefore, the intervention concerns mostly due process requirements, and the availability of effective safeguards against collateral over-blocking.

The brief was prepared by three Tilburg University students from Law and Technology track (Bojana Kostić, Martin Borgioli) and Human Rights track (Monika Hanych) under the supervision of TILT assist. prof. Martin Husovec and lecturer John Waterson. In the submission, they addressed mostly due process requirements and the availability of effective safeguards against collateral over-blocking.

The intervention suggests that the Court recognizes that states are not completely at liberty to design blocking schemes and that each delegation of enforcement has to be accompanied by a number of due process and remedial safeguards. Also, the legal framework shall respect the quality of law when a blocking order is issued and emphasizes that any blocking provision should be clearly prescribed by law.

Moreover, the intervention reiterate that states should not absolve itself of an obligation to provide for an effective remedy against over-blocking by simply delegating the implementation of its measures to private parties. Finally, the owner of the blocked content should have right to have access to the court, procedural equality of arms and efficient legal remedies available.

Augmented Reality in subsea construction activities

Augmented Reality (AR) is a novel technology defined as the expansion of physical reality by adding layers of computer-generated information to the real environment. These layers can be added in various ways. Virtual Reality (VR) is not the same as AR. VR submerges the user completely into a virtual environment by closing him / her off completely from physical reality. AR is like sun glasses; the user still sees his / her environment, but this environment is enriched with digital layers. Both VR and AR technologies are growing rapidly, but AR is expected to take over VR’s market share soon.

This TILT clinic focused  on one of the research questions in a joint research with Delft University of Technology and Tideway Offshore Solutions. The objective of this joint research was to assess the added value of using AR during subsea construction activities. This was  done by developing a real-time model with an AR user interface, which eventually will be used by multiple people onboard an offshore construction vessel. Subsea construction experts from the field had a main concern regarding this technology. This concern was analyzed in the TILT clinic and is described in the assignment, below.

Tilburg University students (Jaime Geer, Yusuf Muzak, Lisette Gotink and Kirill Khotulev) worked on this topic 4 weeks 2 days a week in September 11, 2017.

Amicus Brief before the ECtHR in Kharitonov v. Russia (in collaboration with HSE)

The pending case Vladimir Vladimirovich Kharitonov v. Russia was considered of a utter importance for the future of the information society, and the place of freedom of expression of many individuals in it. This was the reason why a law clinic had been set up to intervene as Amicus Curiae in this case. It is important that the European Court of Human Rights receives a full picture of the problem before it makes its important decision that, without doubt, will set a human rights standard for the freedom of expression online.

The aim of the clinic was to aid the Court through a third party submission in several ways. As friends of the Court, the clinic‘s participants were offered a brief comparative research of “balancing of interests“ involved in the blocking of hosting services cases touching upon the issues of freedom of expression, taking into consideration not only the ECtHR jurisprudence in similar cases (see, e.g., Ahmet Yıldırım v. Turkey (no. 3111/10, ECHR 2012), but also other relevant international material (see, e.g., the UN Joint declaration on freedom of expression and the Internet of June 1st, 2011). Second, the participants were suggested possible human rights limits against the indiscriminate blocking of access to a website that only contains lawful contents, in the context of Art. 10 of the European Convention of Human Rights.

The clinic was  a joint collaboration between selected students from the Master in Law and Technology of Tilburg University and the Higher School of Economics of Moscow.

The upcoming General Data Protection Regulation imposes, as opposed to the current Data Protection Directive, many obligations for ‘processors’ (as defined in Art. 4 (8) GDPR), such as providers of IT-services. 

If processors do not meet such obligations, this is sanctioned in the GDPR with very high fines (i.e. fines up to EUR 20.000.000 or 4 % of the total worldwide annual turnover of the undertaking). Under the Directive obligations and sanctions were mainly directed towards ‘controllers’ (as defined in Art. 4(7) GDPR). This change towards more responsibility for processors will have consequences for obligations and liabilities of such processors. This might create the need for them to adapt existing clauses in general terms and conditions and data processing agreements regarding obligations and liabilities in relation to privacy and data protection in order to mitigate their exposure

The Law and Technology Master students involved in the Clinic were asked to carry out a legal assessment of the compliance of the WE ARE DATA – Mirror Room project with the applicable regulation, alongside with ethical standards. The legal assessment was determined such compatibility also had been considering the relevant provisions of the General Data Protection Regulation, and was  delivered in the form of a report. The outcomes of the assessment had been presented at TILT. At given times and as arranged between the students and the coordinator, some students had been available at the premises of the Mirror Room during the TILTing Perspectives Conference 2017 (May 17-19) to host visitors and give them explanations about the Mirror Room privacy policy.

The development of the experiment had taken place in April. During one month (from April 20 to May 4, 2017) five (5) students have been workiung on the practical assignment, commissioned by the TILT in collaboration with the WE ARE DATA – Mirror Room project. The clinic had been concluded with a written report  addressed to the project’s coordinators and an oral presentation at the TILTing Perspectives Conference 2017. Students had receive input and feedback primary from the Clinic’s two academic supervisors.

Read the final report

I.                   About Privacy International

Privacy International is a non-profit, nongovernmental organization based in London dedicated to defending the right to privacy around the world. Established in 1990, Privacy International undertakes research and investigations into state and corporate surveillance with a focus on the technologies that enable these practices. We have litigated or intervened in cases implicating the right to privacy in the courts of the United States, the United Kingdom (“UK”), and Europe, including the European Court of Human Rights (“ECtHR”) and the Court of Justice of the European Union. To ensure universal respect for the right to privacy, Privacy International advocates for strong national, regional and international laws that protect this right. We also strengthen the capacity of partner organizations in developing countries to do the same.

II.                Government Hacking and Surveillance

As part of our work into state surveillance, Privacy International has focused on the issue of government hacking and proposes a TILT Clinic on this topic. The first sub-section below presents a brief explainer on hacking. The second sub-section describes Privacy International’s project to develop a set of recommendations governing government hacking for surveillance purposes. The third and final sub-section outlines the potential project addressing government hacking.

A.     A Brief Explainer on Hacking

Hacking is the act of breaking the security of and gaining unauthorised access to a system.[1]

System is used in the broadest sense to refer both to any combination of hardware and software or a component thereof. The most obvious systems of target are desktop computers, laptops, tablets and mobile phones. They may also include the proliferating number of physical devices making up the “Internet of Things” – cars, TVs, refrigerators, utility meters, baby monitors – which generate, collect and exchange data. Target systems can also include network infrastructure itself, such as the routers that direct network traffic or the computers that control network security.

III.             TILT Clinic Project

Privacy International is currently in the process of formalizing the hacking recommendations and presenting them as a vehicle for advocacy. As part of this process, we would like to select several case study countries and analyze their hacking law and practice. We have already undertaken a fairly exhaustive analysis of the relevant law and practice in the UK, but seek a better understanding of government hacking for surveillance in several other European Countries. Accordingly, we propose that the TILT clinic produce a memo considering this issue in three countries: Germany, Italy and the Netherlands.

Factually, the memo should seek, for example, to elucidate: 

• Which government authorities hack?
• For what purposes do each of these authorities hack (e.g. law enforcement)?
• What hacking techniques do each of the agencies employ?

Legally, the memo should seek to explain the current legal landscape – e.g., relevant laws, regulations, policies and jurisprudence – governing hacking, including, for example:

• What is the applicable authorization process?
  o E.g. Is there a warrant regime?
  § E.g. Do warrant applications describe the method/extent of the proposed hacking operation?
• What are, if any, applicable safeguards with respect to the privacy intrusion?
  o E.g. What is done with any irrelevant information that is accessed and/or seized as part of a hacking operation?
• What are, if any, applicable safeguards with respect to security?
  o E.g. Must the government assess the security implications for the targeted device and for communications systems more generally?
• What judicial challenges have been made to government hacking?

The legal analysis should also take into account any ongoing developments in the legal landscape, such as draft legislation that is currently pending.

Privacy International seeks to produce a report or similar advocacy vehicle to explain the hacking recommendations, which would include an analysis of several case study countries. We anticipate that the work produced by the TILT clinic could be incorporated into this advocacy output.

[1] According to the Internet Security Glossary, which is produced by the Internet Engineering Task Force (“IETF”), a body that develops internet standards, one definition of “hack” is “[t]o do some kind of mischief, especially to play a prank on, or penetrate a system.” The Glossary defines “cracker”, which it describes as a synonym for “hacker”, as “[s]omeone who tries to break the security of, and gain unauthorized access to, someone else’s system, often with malicious intent.” IETF, Internet Security Glossary, Version 2, Aug. 2007, https://tools.ietf.org/html/rfc4949. According to the Jargon File, a glossary of computer programming terms, one definition of “hacker” is “[a] malicious meddler who tries to discover sensitive information by poking around.” The Jargon File clarifies however that the “correct term for this sense is cracker” and defines “cracker” as “[o]ne who breaks security on a system” and “cracking” as “[t]he act of breaking into a computer system.” Eric S. Raymond, ed., The On-Line Hacker Jargon File, version 4.4.8, 1 Oct. 2004, http://www.catb.org/~esr/jargon/.  

What are the legal implications of incorporating facial recognition (and other biometric) capabilities into body-worn camera technologies designed for use by law enforcement, transport, and public safety personnel.

Zepcam company profile:
Zepcam is a Dutch technology company specialized in body worn video and mobile video systems for professional use. Zepcam develops products and solutions for clients in public safety, public transport, fire departments and the industry.
The company offers integrated high-end solutions that cover the complete technical chain: field device, back-end and network solution, client applications and video management system integrations for command & control rooms. This integrated approach results in significant better quality, ease of implementation and high operational reliability.
The video systems of Zepcam are used for recording and live streaming of video, audio and location via 2G, 3G, 4G and Wi-Fi.  Zepcam products are used for video evidence, reduction of aggression, lone worker situations, improving situational awareness and remote assistance of field engineers.
Zepcam is a recognised pioneer and leader in its markets. Its products and solutions are being sold to clients in over 30 countries, including police forces of Germany, The Netherlands and Switzerland.

Clinic Overview and application instructions:
TILT is proud to present a new TILT Clinic in cooperation with Zepcam, a market leading Dutch mobile video company based nearby in Zaltbommel.  During one month (from October 28 to November 25, 2016) four (4) students will work on a practical assignment, commissioned by Zepcam. The students will spend one day at Zepcam’s offices at the beginning of the clinic, followed by an average of two days a week at TILT, concluding with written and oral reports to company executives and the TILT community. Students will receive input and feedback from supervisors with academic as well as practical business perspectives, although the primary feedback will be from the Clinic’s two academic supervisors.
Application to the TILT/Zepcam Clinic is open to any (international and domestic) Master students at Tilburg Law School. Part of the clinic assignment will be targeted at understanding the domestic legal regulation of body-worn camera use and deployment, with a specific focus on incorporating facial recognition and other biometric technologies, in a small set of countries (ideally two or three), including the Netherlands. Because of the need to include an analysis of Dutch law in the project, we plan to select at least one student with native fluency in Dutch and with some expertise in Dutch law. Other selected students will have fluency and background expertise in the language and relevant law of another European country (with some preference for German, English, Italian, Polish, Czech, or Slovenian).

The TILT/Zepcam Clinic will run from 28 October to 25 November 2016. The specific working days will include one Friday at Zepcam in the first week (e.g. 28 October) as well as two days a week at TILT in each of the four weeks (specific days are negotiable, and to be decided based on student and supervisor availability).
Applications, including a Letter of Motivation, CV/resume, and grade list (transcript), must be submitted by email to Dr. Bryce C. Newell at b.c.newell@uvt.nl. Letters of motivation should include a statement identifying which legal jurisdiction(s) the applicant is most interested in researching, and what level of legal research experience the applicant has with the law of the identified jurisdiction(s). Complete application materials must be received on or by September 23, 2016. TILT, in coordination with Zepcam, will select up to four (4) students to participate in the Clinic. Students will be notified about participation on (or before) October 10. There is no financial remuneration for participation in the TILT/Zepcam Clinic. Travel expenses to Zepcam’s offices in Zaltbommel will be reimbursed if students do not have a free OV‐chipcard.
Participation in the TILT/Zepcam Clinic is reserved for the best students and will be a valuable addition to your CV. Clinic organizers reserve the right to select fewer than four students, at their discretion, should the applications not meet the desired criteria.
The TILT/Zepcam Clinic assignment will entail:

• Conducting research into the legal and political implications of incorporating facial recognition (and other biometric) capabilities into body-worn camera technologies designed for use by law enforcement, transport, and public safety personnel in The Netherlands and one or two additional countries (to be determined by the clinic supervisors, taking the interests/expertise of accepted students into consideration); as well as possibly some broader legal research into how body-worn cameras are regulated in these same jurisdictions;
• Presenting early findings to Clinic supervisors halfway through the Clinic, to receive and incorporate feedback and questions into the final research report;
• Drafting a final report, based on the research conducted, outlining the legal analysis and other research findings applicable in each country studied;

Presenting the completed research and findings to supervisors at Zepcam and TILT.

From the end of October until January 2017 TILT is organizing a Law Clinic commissioned by the Municipality of Eindhoven. More and more data are collected in the public space e.g. measuring air and temperature, but also traffic flows and the flow of people. These data collected in the public space are, according to the Eindhoven Municipality, available to everyone and owned by everyone. Therefore, the Eindhoven Municipality wants to assess whether it is allowed to make regulations valid for the digital daily environment. This question will be answered by the participants in the Law Clinic.

TILT gladly presents the next TILT Clinic in cooperation with Bits of Freedom.
During one month, four students will work on a practical assignment, commissioned by Bits of Freedom. The students will spend one day a week at TILT and one day a week on the premises of Bits of Freedom, at the address of Bickersgracht 208, Amsterdam. This will allow for students to become supervised and guided both from an academic as well as an in-house legal & civil rights perspective. The TILT Clinic will be in English, though knowledge of Dutch law is required.

Bits of Freedom:

Bits of Freedom is the leading Dutch digital rights organization, focusing on privacy and communications freedom in the digital age. Bits of Freedom strives to influence legislation and self-regulation, on a national and a European level. Bits of Freedom is one of the founders and a member of European Digital Rights (EDRi).

About the assignment:
Background
The new General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive (Directive) and will apply as of May 25, 2018. Although the Directive contained a provision on automated decision making (Art. 15), it did not address the issues associated with profiling. The GDPR now does contain a definition on profiling (Art. 4(4)) and the GDPR does, to some extent, apply to profiling (recital 72).

The rights and obligations provided for in Article 22 GDPR, however, apply only to fully automated decisions (e.g. profiling-based), which produce “legal effects” or “similarly significantly affects” the data subject. Legal effects are not defined; therefore it will be difficult for the concerned individual to prove legal effects, unless he/she has a contract with the controller. However, a "contract between the data subject and a data controller" is an exception to the right to object to profiling. The term "similarly significantly affects" is even more vague. In practice, it will often be difficult for concerned individuals to prove these requirements.

Furthermore, Articles 22 (b) and 23 of the GDPR allow the EU and Member States to restrict the scope of application of the rights and obligations provided for in Article 22 GDPR. This could weaken harmonization and may bring legal uncertainty if Member States adopt different rules.

Another issue is that it is not clear whether the GDPR sufficiently addresses the key issues associated with profiling (e.g. manipulating the individual's (economic) decisions and behaviour, categorizing individuals, sorting and discriminating among individuals, and other unfair effects), and whether it is actually the appropriate legal framework for addressing these issues. Koops has suggested that profiling and protection against automated decision making could also be addressed in other legal instruments, such as consumer protection law (unfair trade practices) or non-discrimination law, or, for the public sector, in administrative procedure law. [1]

The task

Bits of Freedom would like students to explore how the GDPR addresses the key issues related to online profiling by private parties and whether other legal instruments could play a role in this field. This could be explored by answering the following two questions:

•  What automated data processing activities fall within (or outside) the definition of “profiling”, and what profiling activities fall within (or outside) the scope of the provision concerning automated decision making? Does this leave any regulatory gaps?
• How do other legal instruments (under Dutch law), such as anti-discrimination law and consumer law, address the key issues related to profiling?

The students could, for example, decide to create two groups of two students which answers one of these questions.
 
Deliverables

• A brief written report
• A presentation of the main findings and possible recommendations
• A blog post (max. 1.200 words) for a general audience

Schedule

The Law Clinic will be held from 19 September until 15 October 2016.

The exact dates for the Clinic are the following:

• 22nd of September
• 29th of September
• 6th of October
• 13th of October

We suggest that up to two students at the same time spend time at our office, given the limited amount of space we have. Of course, all students are welcome on the day of the presentation. 
Application is open to Master students in Law and Technology of Tilburg University. TILT will select 4 students on the basis of Letter of Motivation, CV and grade list, to be submitted by email to Ms. K. La Fors, e-mail: K.LaFors@tilburguniversity.edu, ultimately by 31th of August. Out of these applications, the TILT-BoF Clinic is reserved for the best 4 students. For the selected students this clinic will surely be a valuable addition to their CV.

[1]     B.J. Koops (2014), ‘The trouble with European data protection law’, International Data Privacy Law, doi:10.1093/idpl/ipu023.

Third party Intervention Submissions by EISi

The European Information Society Institute

Four master students successfully prepared submissions for third-party interventions by the European Information Society Institute (EISi) before the ECtHR

On 19 February 2016, the European Information Society Institute, a think-tank, officially filed its third party intervention before the European Court of Human Rights in the Satamedia case. The decision of the Grand Chamber will be very important for the future of data journalism in Europe.

The brief for the intervention was prepared by four excellent students of Tilburg Law School (Cora Arts, Diana van Wanrooij) and Stanford Law School (Laurel Elizabeth Mills, Eric Dunn) as a part of a Legal Clinic under supervision of professors from Tilburg University (Martin Husovec and Karolina La Fors) and Stanford University (Phil Malone and Daphne Keller).

The submission addresses the following issues:

1. the impact that this decision may have on technologies that help journalists use data to impart new, useful information to the public
2.  the need to balance the rights of freedom of expression and privacy in a way that leaves space for journalists to innovate using these technologies, and
3.  the ways in which this Court’s existing precedents can be recalibrated to account for these important interests.

Satakunnan Markkinapörssi Oy and Satamed App No. 931/13

• The entire intervention

From 14 February - 15 March 2016, 4 students worked on a practical assignment, commissioned by Privacy Company

Privacy Company:

Privacy Company is a specialized organization and platform of experts focusing on privacy and data protection issues in a variety of domains. “Privacy Company distinguishes itself by its strong customer focus, quality and cost. Privacy Company believes in a practical and customer centric approach. Besides curbing the legal risks and threats fine Privacy Company sees opportunities to use qualitative data to improve processes, services or products. The team Privacy Company has extensive experience with privacy issues in a broad sense and consists of professionals with business, technical, organizational and legal skills.”

The assignment

On January 1st 2016 the duty to notify data breaches under the Dutch Data Protection Act came into force. The duty to notify rests upon the data controller and extends to both the Data Protection Authority and the data subject. Failure to notify either the data subject or DPA could result in a fine of 810.000 Euro or 10% of the annual net turnover. All the more reason for companies to implement a data breach procedure.

Given this background, the Netherlands interestingly seems to be the breeding ground for the future European Data Protection Regulation (expected in 2016), that will also include a data breach notification duty.

The task

The Privacy Company wanted students to comprehensively explore data breach procedures that are already implemented in other countries to answer the following questions:

• What is a data security breach that has or is likely to have serious adverse consequences for the protection of personal data?  More specifically this question can also relate to another one:
• What should the contractual arrangements with data (sub)processors look like if companies want to limit their liability?

The TILT Clinic in cooperation with ING started on the 8th of October and ended on the 8th of November.

The assignment 

The students worked on the following assignment: How can ING ensure that the most important information regarding data processing is actually read and understood by their customers?

Information obligations are very important in both the Data Protection Directive and the proposed Data Protection Regulation. Information obligations do not stand alone, but relate closely to other concepts of data protection legislation such as accountability and informed consent. Even though the importance of providing proper information is highly acknowledged, one of the major problems with information obligations is the lack of an obligation for consumers to actually read the provided information. Even though literature and the proposed Regulation offer some suggestions on how to increase chances of consumers actually reading privacy policies, ING still feels we are in need of innovative solutions to get such important information across to their customers.

ASML is one of the world's leading providers of advanced technology systems for the semiconductor industry. The company offers lithography systems, mainly for manufacturing chips. This was the first TILT Clinic in cooperation with a multinational corporation. This clinic took place in April – June 2015.

During this clinic the students worked on the following assignment: Assist in chartering the global compliance landscape (new developments, focus areas) for high tech, business-to-business companies. The legal areas covered include privacy, anti-bribery, safety and insider trading.

The project consisted of first prioritizing the main topics relevant to the business of ASML and training by ASML in-house Compliance counsel. Subsequently, the students embarked on an investigation of the most relevant new and expected developments on the identified topics, with special attention to the jurisdictions where ASML’s main customers are located (Asia & the US). The investigation also included a sector bench-mark. The assignment resulted in a brief report, and a presentation to senior management with key findings and advice.

The first TILT Clinic was in cooperation with LOUWERS IP|TECHNOLOGY ADVOCATEN, an IP and Technology boutique firm based in Eindhoven.

This clinic took place in November and December 2014. The assignment entailed the following: (How) do the five most popular health monitoring wearables comply with current and proposed data protection regulations and (how) can this be improved? During the research the students analyzed and compared the general terms and conditions and privacy policies of the five most popular wearables in view of existing and proposed EU privacy regulations.

Results

The students presented the results of their research at an international conference and published their results in a paper.