PhD research TILT
At present the following research is carried out by our PhD candidates.
Internal PhD candidates
Aviva de Groot
Website: Aviva de Groot
"Care to Explain?" Articulating legal demands to explain AI-infused decisions, responsibly
The implementation of decision (support) tools that make use of complex computational methods is accelerating. Their current opacity raises many-natured concerns, e.g. around domination, objectification, and moral agency. With the much discussed duties in European data protection law to explain automatically generated decisions as a starting point, Aviva de Groot's research aims to identify rights-relevant explanatory benchmarks for these AI-infused practices.
A premise it shares with various disciplines' research paths towards responsible AI design is that the extent to which these technologies, for various reasons, cease to resonate with our (common as well as expert) intuitive and logical reasoning poses obstacles. De Groot's focus in this space, rather than on the affordances of the technologies we create, is on the affordances of the human epistemic practices that underlie our explanatory exchanges. In understanding 'explanation' as a form of testimony, the question becomes what such a practice should entail to be called responsible and just.
Theory is applied from philosophical accounts of epistemic (in)justice, reflection and corroboration sought in case studies of domains where explanation is, or became, regulated by law and/or professional ethics. The spotlight is on the decision maker/explainer rather than their explainees, taking on board their interdependence and fundamental equality. Justification of authority, and the maintenance of our communal knowledge space through individual responsible conduct are emphasized. Finally, a non human-exceptionalist, non-naive understanding of dignity is called upon to strengthen the element of 'care' in explanatory exchanges where the power imbalances at play are particularly salient.
Website: Magda Brewczyńska
The puzzle of sharing personal data collected by private companies for law enforcement purposes
- Prof. dr. Eleni Kosta
- Dr. Esther Keymolen
The European data protection framework consists of two separate regimes with different thresholds for the protection of personal data. The first, governed by the General Data Protection Regulation (GDPR), applies to data processing operations carried out in both the private and public sectors, with the exception of activities that serve law enforcement purposes. The processing for those purposes, whenever performed by competent authorities, falls under the second regime, established by the Directive on the processing of personal data by Police and Criminal Justice Authorities (Police Directive).
This seemingly straightforward dualistic system is, however, challenged by increasingly common instances of collaboration between the private and public sectors for the prevention, detection and investigation of crime. Such collaboration may take different forms, with varying degrees of involvement of the private parties. It can be limited to an ad hoc facilitation of access to the records maintained by the private entities, or take the form of continuous active sharing of personal data with the law enforcement authorities, which can be pursued, for instance, within Public-Private Partnerships (PPPs) established to that end.
The aim of Magda’s PhD project is threefold. Firstly, it will offer a comprehensive overview of the European dualistic data protection framework, as well as its interplay with other legal frameworks imposing obligations on the private sector to share personal data of their clients for law enforcement purposes, such as the anti-money laundering and terrorism financing framework. Secondly, the project will provide a critical analysis of current data sharing practices in the light of the existing regulatory landscape and jurisprudence of the CJEU and the ECtHR. Thirdly, it will propose a solution to the identified challenges that may contribute to strengthening the right to the protection of personal data.
Lisa van Dongen
The potential of flexible judicial remedies in European patent enforcement in ICT and healthcare
- Prof. dr. Giorgio Monti
- Prof. dr. Leigh Hancher
- (external) Dr. Martin Husovec
One size fits all: that is the European approach to patent enforcement. Upon finding an infringement, a court nearly automatically grants an injunction against the infringer, irrespective of the kind of invention and interests at play. The balance struck may be appropriate in the majority of cases, but such automation suggests that counterbalancing factors are seldom capable of offsetting proprietary interests, at least in the decision on whether or not to grant injunctive relief. This makes sense considering that a patent is a time-limited right to exclude others from exploiting products covered by it. Yet, this is also troubling because patent enforcement can have far-reaching consequences for society.
Indeed, it can create tension with other types of interests and even the underlying objectives of the patent system itself. Automated enforcement of a patent on a life-saving drug may have grave implications for hospitals and their patients, for instance. Alternatively, automated enforcement of patents on components of a larger product could result in the protection reaching further than the actual contribution to society (what the patent covers) and far above its value. Flexibilities in remedies could allow courts to enforce the patent in a way that eases such tensions somewhat, inter alia by granting an injunction with a delay or carve-out, or granting (increased) damages instead.
The law in the books allows for more flexibility in denying and tailoring remedies to reconcile case-specific interests than is utilised in European courts (with the notable exception of England). What is more, the possibility to break with automated tendencies in enforcement will soon be further complicated by the addition of another layer to Europe’s existing patent systems, namely by the creation of the Unified Patent Court (UPC). If this system takes off, decisions of this new court will carry significant weight in European patent enforcement due to several organisational and territorial aspects, even for non-members. The Unified Patent Court thus offers both a pressing incentive and opportunity to evaluate the judicial remedy framework and its issues. Where necessary, strong automated tendencies in European patent enforcement need to be mitigated now, before the Unified Patent Court can cement them.
This is what Lisa’s PhD research aims to bring about. In short, it explores how flexible judicial remedies can contribute to the policy objectives and interests of specific industries and the patent system in general, using economic efficiency and distributional (justice) preferences as gauges. To scrutinize the one-size-fits-all approach in patent enforcement, the focus is on the immensely divergent industries of software and transcatheter heart valves. To determine what is actually possible and what might need to change for a more flexible approach to enforcement, the status quo in patent enforcement is analysed on the transnational level in Europe and in three important patent countries (England, Germany and the Netherlands), as well as what the UPC becoming operational will mean for remedy practices. This will result in a comprehensive framework mapping, and making recommendations for, the potential interplay between judicial remedies and their implementation from an interdisciplinary perspective.
Website: Brenda Espinosa-Apraez
Data regulation: the challenges of regulating data sharing in the digitalized network industries.
With the help of digital technologies such as sensors, smart metering, smart grids, and data analytics techniques, infrastructure managers in the utilities sector can obtain improved and (near-to) real-time data about the functioning of the networks they manage and about the usage of utilities.
Utilities such as drinking water and energy are essential from a socio-economic perspective. As such, the data collected by the infrastructure managers in those sectors is of strategic value not only for them, but also for actors in the same sector and beyond, who need these data to provide their services and/or develop innovative products.
The sharing of data from the utilities sector is subject to multiple legal frameworks, starting with the sectoral market rules applicable to the provision of drinking water and energy. In addition, since part of the data is generated by or can be traced back to individuals (consumers), this triggers the application of data protection and privacy regimes. On top of this, an increasing number of legislative measures have been and continue to be adopted to regulate the flow of data in the European Union, in order to foster the data economy.
The existence of multiple legal frameworks that (directly or indirectly) apply to data sharing from inside and outside the specific utility sector results in a very complex regulatory landscape: conflating (and sometimes conflicting) policy objectives, interaction of multiple actors with varying (and sometimes opposing) interests, and multiple competent supervisory authorities with different perspectives and priorities. Brenda’s research investigates the complexity of regulating data sharing, zooming in on the issues that emerge from the mesh of policy objectives, actors and interests present in the digitalized utilities.
Brenda’s PhD research is part of the LONGA VIA Project, led by Prof. Dr. Saskia Lavrijssen and supported by NWO (Dutch Research Council) and NGinfra. The project investigates the legal and organizational challenges of data-driven innovations in the infrastructure sector, in cooperation with five Dutch infrastructure managers: Alliander, Vitens, the Port of Rotterdam, Rijkswaterstaat and ProRail.
- Dr. Leonie Reins
Léo’s doctoral research focuses on the integration of sustainable development concerns in international and European economic law. More specifically, he analyses free trade agreements (FTAs) and international investment agreements (IIAs) from a substantive as well as a procedural standpoint by examining the content of these international economic treaties, i.e., the legal provisions they contain, and the manner in which the latter are interpreted and applied. Part of Léo’s research is specifically dedicated to EU external relations law and the Trade and Sustainable Development (TSD) chapters included in modern EU FTAs.
The role of data protection, and more specifically of the grounds for lawful processing, in the regulation of online tracking
- Prof. dr. Eleni Kosta
- Dr. Irene Kamara
In the course of everyday interactions with websites and mobile applications, individuals give away their personal data to companies, which collect and process them for a variety of purposes, such as to perform a contract or improve services. Over the last two decades, companies have also begun tracking individuals across the internet and collecting their personal data in order to create profiles and deliver targeted advertisements.
In recent years these activities, and the data economy they have helped bolster, have come under increased scrutiny and criticism from academia, civil society, and regulators alike, in Europe and beyond. It has, for instance, been recognised that tracking can threaten the effective protection of individuals' personal data as a fundamental right in the European Union. This research investigates the role that data protection law, and in particular the grounds for lawful processing, can play in the further regulation of online tracking, so as to safeguard individuals’ rights.
Website: Olga Hrynkiv
Trade-restrictive Measures in the 21st Century: Security Exception Reconsidered.
- Prof. Panos Delimatsis (TILEC)
- Prof. Joel P. Trachtman (The Fletcher School of Law and Diplomacy, Tufts University, the US)
My Ph.D. research focuses on international trade and investment regulation, particularly on the challenges posed to the international legal order by the adoption of trade-restrictive measures. More specifically, I analyze whether and to what extent international law should limit the discretion of the states to implement and enforce economic sanctions on the grounds of national security.
The energy transition is more pressing than ever before. Questions on how to regulate and accelerate a just and socially acceptable energy transition pose a central challenge to today’s society. This research focuses on the inherent policy trade-offs between affordability, security of supply and sustainability and how the different interests in the energy sector can be balanced in a more equitable way. An important aspect in this regard is the emerging concept of energy justice, which can play an essential role in guiding energy decision-making and ensuring that these trade-offs reflect public interests.
As a currently evolving concept of social sciences, however, energy justice still raises many questions on its legal applicability.
This research aims to bridge this gap by reflecting, through the lens of energy justice, on essential legal questions that EU energy law is currently facing considering the need for an accelerated energy transition. A particular focus of this research is on network tariffs and the triangular relationship between the EU, national governments and national regulatory authorities (NRAs). By EU law, the latter are required to be autonomous and independent authorities within the discretion that is granted to them when it comes to approving or fixing methodologies for network tariffs. However, these often technical decisions carry overall effects for public interests and therefore also touch upon competences of the national governments. This research includes the analysis of trade-offs that NRAs have to balance when it comes to questions of cost-reflectivity, sustainability and non-discrimination, and how these trade-offs affect questions of NRA independence and consequences for the final end-consumer.
Website: Hellen Mukiri-Smith
The impact the use of financial services technologies (fintech) and biometric technologies in Kenya has on issues of data justice
Hellen Mukiri-Smith is undertaking her PhD research within Dr. Linnet Taylor’s Global Data Justice Project. She is conducting research on the impact the use of financial services technologies (fintech) and biometric technologies in Kenya has on issues of data justice. The research explores:
- The extent to which biometric and fintech data ecosystems or data value chains create power asymmetries, and how power is distributed within these ecosystems or value chains among different actors.
- The regulatory environment that governs fintech and biometric technologies, including data protection and competition regulations and other upcoming regulations meant to govern biometrics use.
- How users of fintech and biometric technologies experience using these platforms and sharing their data through these platforms. What freedoms or unfreedoms do they experience? What are platform users’ valued functionings?
Privacy and cybersecurity for the Internet of Things (IoT)
- Prof. Dr. Eleni Kosta
- Dr. Lorenzo Dalla Corte
The digitalization of our society and our increased dependency on information and communication technologies, including Internet-of-Things devices, have brought about serious cybersecurity risks. Introducing autonomously adaptive security systems and using artificial intelligence and machine learning for security purposes may help alleviate such risks. However, the use of machine learning and artificial intelligence for security purposes is not devoid of potential threats to individuals’ privacy and data protection.
The relationship between privacy and data protection, on the one hand, and cybersecurity, on the other, is complicated. Security and privacy are often presented as trade-offs or perceived to be incompatible. At the same time, the axiom ‘there is no privacy without security’ also holds. Privacy and cybersecurity measures can be mutually reinforcing and may be achieved by similar regulatory tools.
The aim of Suzanne’s PhD project is to analyse the privacy and data protection implications of autonomous vulnerability and exploitation detection and management of cybersecurity risks for the Internet of Things environment. The project aims to identify the applicable legal principles, delineate their scope, and give recommendations on the optimal trade-off between privacy and security as well as recommendations on how positive synergies integrating the legal domains of data protection and cybersecurity can be achieved in the IoT environment.
This PhD research is part of the INTERSECT project, a public-private partnership funded by the Dutch National Research Council (NWO). This multidisciplinary project aims to develop a novel approach to the cybersecurity of the Internet of Things and to produce a paradigm shift in the engineering of secure IoT systems, by introducing autonomously adaptive security as a new evidence-driven paradigm for system design, development, and maintenance.
Regulation and Governance of Patching Security in Organizations
- Prof. Mr. Lokke Moerel
- Dr. Lorenzo Dalla Corte
To patch or not to patch? While this has long been a question on the minds of enterprises, the reality is that striking a balance in patching timelines is often too tricky to get right. Patch too soon and risk potential failures or downtime of software, or patch too late and be subject to cyber-attacks. Consequently, patching is too often left by the wayside and organizations fail to address critical security vulnerabilities. In a time where it takes a mere few breadcrumbs for cyber attackers to exploit gaps in cyber security practices, yet the cost of breaches continues to rise, a radical shift in our approach to the risk governance of patching is essential.
Lisa’s PhD research is part of the ‘THESEUS: Make Patching Happen’ project, which combines interdisciplinary perspectives with the aim of tackling exactly this problem. The THESEUS project is a collaboration between the VU, TU Delft and Tilburg University, and is partnered with multiple high-level stakeholders such as Philips, KPN and KLM-Air France. The THESEUS team consists of a diverse pool of knowledge tackling three interdependent levels of patching practices:
- Systems: Reduce risks of patching by introducing new techniques to automatically detect vulnerabilities, as well as creating automatic patching mechanisms to tackle critical availability risks.
- Enterprise: Quantify the risks of patching through an assessment of aggregated results of patch triaging to form a coherent picture that considers different attacker models and real-world impact.
- Governance: Effectively manage risks of patching by introducing incentive mechanisms, sector-wide benchmarks, and potentially legal instruments. Lisa will be conducting research on this strand of THESEUS while collaborating with researchers from all three tracks.
As part of her research into governance, Lisa will investigate existing legal frameworks and regulatory governance mechanisms on cyber security and data breach liability. Additionally, she will analyse the role of cyber insurance in current patching risk assessments and vulnerability response practices. These factors will then be considered alongside academic perspectives in order to determine what types of regulatory intervention are desirable and at what level of governance, to ultimately facilitate essential improvements to patching practices and prevent third-party damages. These findings will then be utilized to deliver recommendations to stakeholders and legislators to improve and incentivize patching, rather than regulating liability once damages occur, both at a national and EU level.
Creating a model conceptual framework for complex multi-stakeholder environments: data exchanges within Public-Private Partnerships in the EU Anti Money-Laundering/Counter Financing of Terrorism regime.
- Prof. dr. Eleni Kosta
- Dr. Bart van der Sloot
- Dr. Bryce Clayton Newell
The AML field is one of the most complex in modern EU legislation. In an attempt to improve the situation, the European Commission has recently presented a new legislative package, in which it is anticipated that PPPs will play a serious role in the new AML regime. To cooperate effectively, it is expected that entities participating in PPPs will exchange data. Concerning data sharing within the AML/CFT field, PPPs problematize the existing legal approach for four reasons:
(a) Actors: Sharing of personal data within the AML field is governed by different legal instruments. Numerous different actors (and legal competences) in a PPP will complicate the situation.
(b) Jurisdictions: PPPs are comprised of entities based in different areas and there is currently no clear legal regime on such cross-border data sharing within PPPs in the EU.
(c) Legal basis of processing: As both private and public parties participate in PPPs (for example a commercial bank and a law enforcement authority), they have different legitimate grounds and purposes of processing.
(d) High volume & several types of data (incl. sensitive data) are exchanged within PPPs in the AML field, and this might produce further data-related problems.
Since there are different actors, from different jurisdictions, which exchange several types of data, each actor having a different purpose and thus a different legal basis, it is very possible that mayhem will result when it comes to the sharing of personal data within PPPs in the AML field. There is currently no specific regulatory framework to resolve this, which leaves the situation in uncertainty. That uncertainty may increase further upon establishment of the Anti-Money Laundering Authority, which will be the centralized European authority to coordinate all national anti-money laundering authorities. It is important to solve the problem in its making, before a new negative status quo is created.
Sascha van Schendel
Website: Sascha van Schendel
Transparency requirements in Big Data practices in the law enforcement domain
The increased use of Big Data analytics to extract information and patterns from large datasets, and construct predictions, contributes to the importance of data and the authoritative role of data in decision making. Especially in sectors such as that of law enforcement, Big Data analytics can impact the way processes work and decisions are made. In the law enforcement sector, decisions have a very serious impact on the human rights of suspects or other citizens in the case at hand. In the course of the general policing task, fundamental rights of individuals or groups can be impacted as well by the use of Big Data analytics. A specific issue is the opacity of these processes towards impacted individuals and the general audience, creating a lack of awareness as well as issues with regard to the execution of human rights, such as the right to an effective remedy.
The research targets specific practices of Big Data analytics and analyzes the relevant safeguards and requirements under the frameworks of criminal law and data protection legislation, both on the EU level and Dutch level, with specific attention to transparency requirements.
Website: Zuno Verghese
Origins and evolution of the European ICT standards organization, the European Telecommunications Standards Institute (ETSI)
- Prof. Panos Delimatsis (TILEC)
- Dr. Stephanie Bijlmakers (TILEC)
Zuno's study is on the institutional changes at ETSI since its inception in the late 1980s, particularly the ones in response to legal and statutory reforms, and perceived regulatory challenges. The study is undertaken within Prof. Delimatsis' research project on the origins and evolution of rule-making (standard-setting) by private and hybrid bodies in goods/manufacturing, taking into account exogenous shocks such as crisis events. [The ERC-funded 'The Resilience and Evolution of Economic Activism and the Role of Law' (REVEAL) project]
External PhD candidates
Algorithmic Transparency as protection against automated data Processing under the relevant legal frameworks
Major research question and the research framework:
What are the transparency needs engendered by data-driven decision-making practices, are these ‘transparency desiderata’ properly addressed in the current EU data protection regime, and to what extent do IP rights stand as an impediment?
The study proceeds by unfolding and elaborating the major research question through sub-questions under the framework below.
- A legal framework of transparency which goes beyond the conventional understanding (of certain access rights and disclosure requirements) to ensure the intelligibility of algorithmic processes and their possible discriminatory and privacy-invasive outcomes.
- Whether the EU data protection regime is compatible with the extent, forms and mechanisms of the transparency desiderata prescribed within the study.
- Taking into account Recital 51 of the GDPR (which provides that transparency allowances of the data protection regime should not adversely affect the rights and freedoms of others), to what extent IP rights stand as an impediment for the transparency framework.
Website: Claudia Quelle
Personal data processing. Is the risk-based approach of the General Data Protection Regulation compatible with the aim to achieve fundamental rights protection?
This research project concerns the risk-based approach of the General Data Protection Regulation, and in particular its relation to the objective to protect fundamental rights. The risk-based approach is understood as a starting point in compliance and enforcement practices which entails that the applicable legal obligations are or should be regarded as more or less stringent, in accordance with the level of risk posed by the processing operation to the rights and freedoms at stake. The focus is not only on the letter of the law, but also on the underlying duty to prevent adverse effects on the individuals concerned. The DPIA and the prior consultation together play a pivotal role in the articulation, assessment and subsequent mitigation of risk.
The risk-based approach can be seen as a meaningful supplement or alternative to user empowerment, embodied in data protection law through consent and data subject rights. This is because the onus of bringing about proper rights protection is placed first and foremost on controllers and the supervisory authorities which are to hold them to account. It is also a flexible instrument, able to cope with societal and technological change.
However, its suitability as a regulatory instrument to bring about the protection of fundamental rights can be questioned. I am researching a number of facets to this main concern. Will the data protection impact assessment be taken seriously by controllers – and what would that require? If low risk situations are neglected, can we still speak of full-fledged fundamental rights protection? Lastly, can we speak of such protection if its content and scope is determined, first and foremost, by the controller and its supervisory authority, rather than by the (ideally: empowered) data subjects concerned?