Past TILT Clinics
TILT IP clinic with Crossyn Automotive
On Friday, the 4th of May 2018, the students participating in the TILT IP clinic with Crossyn Automotive presented the results of their 2-months long research on intellectual property law in the era of connected cars.
Crossyn is a Tilburg-based startup that developed an advanced analytics platform that collects, analyses, and enriches vehicle sensor data. The insights from these data can be used to create personalised data driven mobility services, while making sure the driver remains in control of their data.
Automotive industry is currently facing disruptive changes posed by big data and connectivity, summed up as smart mobility, which is at the core of Crossyn’s business. In such competitive and innovative environment having a comprehensive intellectual property (IP) portfolio is paramount, especially for a startup. Thus, the students of the TILT clinic were tasked with advising Crossyn on an appropriate IP framework that could be applied to their products and services.
To do this the students, under supervision of their mentors from Tilburg University and Crossyn, conducted a fact-finding exercise and several interviews with Crossyn staff, in order to understand Crossyn’s business objectives and potential IP assets, and performed normative research on applicable legislation and relevant case-law.
Based on that they first identified Crossyn’s products and services that could benefit from IP protection and then proposed to Crossyn the areas of IP law that are pertinent to their IP assets, including database rights, patents, copyright, trademarks, trade secrets, and license agreements, and addressed possible courses Crossyn could follow with their IP strategy.
TILT Clinic: Intervention in Flavus case to support safeguards against over-blocking
Three students of Tilburg University, under auspices
of TILT lecturers, prepared a third-party intervention before the European
Court of Human Rights in the OOO Flavus against Russia and
4 other applications. The decision of the Court will set important
limits for the safeguards against state over-blocking online. Therefore, the
intervention concerns mostly due process requirements, and the availability of
effective safeguards against collateral over-blocking.
The brief was prepared by three Tilburg University students from Law and Technology track (Bojana Kostić, Martin Borgioli) and Human Rights track (Monika Hanych) under the supervision of TILT assist. prof. Martin Husovec and lecturer John Waterson. In the submission, they addressed mostly due process requirements and the availability of effective safeguards against collateral over-blocking.
The intervention suggests that the Court recognizes that states are not completely at liberty to design blocking schemes and that each delegation of enforcement has to be accompanied by a number of due process and remedial safeguards. Also, the legal framework shall respect the quality of law when a blocking order is issued and emphasizes that any blocking provision should be clearly prescribed by law.
Moreover, the intervention reiterate that states should not absolve itself of an obligation to provide for an effective remedy against over-blocking by simply delegating the implementation of its measures to private parties. Finally, the owner of the blocked content should have right to have access to the court, procedural equality of arms and efficient legal remedies available.
TILT-TU Delft & Tideway Clinic
Clinic topic: Augmented Reality in subsea
construction activities. Augmented Reality (AR) is a novel technology
defined as the expansion of physical reality by adding layers of
computer-generated information to the real environment. These
layers can be added in various ways. Virtual Reality (VR) is not the same as AR. VR
submerges the user completely into a virtual environment by closing him / her
off completely from physical reality. AR is like sun glasses; the user still
sees his / her environment, but this environment is enriched with digital
layers. Both VR and AR technologies are growing rapidly, but AR is expected to
take over VR’s market share soon.
The current TILT clinic will focus on one of the research questions in a joint research with Delft University of Technology and Tideway Offshore Solutions. The objective of this joint research is to assess the added value of using AR during subsea construction activities. This is done by developing a real-time model with an AR user interface, which eventually will be used by multiple people onboard an offshore construction vessel. Subsea construction experts from the field have a main concern regarding this technology. This concern will be analyzed in the TILT clinic and is described in the assignment, below.
Tilburg University students (Jaime Geer, Yusuf Muzak, Lisette Gotink and Kirill Khotulev) will work on this topic 4 weeks 2 days a week starting the week of September 11, 2017.
TILT Clinic in cooperation with Higher School of Economics (HSE) of Moscow
Amicus Brief before the ECtHR in Kharitonov v. Russia (in collaboration with HSE)
The pending case Vladimir Vladimirovich Kharitonov v. Russia is considered of a utter importance for the future of the information society, and the place of freedom of expression of many individuals in it. This is the reason why a law clinic has been set up to intervene as Amicus Curiae in this case. It is important that the European Court of Human Rights receives a full picture of the problem before it makes its important decision that, without doubt, will set a human rights standard for the freedom of expression online.
The aim of the clinic is to aid the Court through a third party submission in several ways. As friends of the Court, the clinic‘s participants will offer a brief comparative research of “balancing of interests“ involved in the blocking of hosting services cases touching upon the issues of freedom of expression, taking into consideration not only the ECtHR jurisprudence in similar cases (see, e.g., Ahmet Yıldırım v. Turkey (no. 3111/10, ECHR 2012), but also other relevant international material (see, e.g., the UN Joint declaration on freedom of expression and the Internet of June 1st, 2011). Second, the participants will suggest possible human rights limits against the indiscriminate blocking of access to a website that only contains lawful contents, in the context of Art. 10 of the European Convention of Human Rights.
The clinic is a joint collaboration between selected students from the Master in Law and Technology of Tilburg University and the Higher School of Economics of Moscow.
Clinic Topic: The
upcoming General Data Protection Regulation imposes, as opposed to the current
Data Protection Directive, many obligations for ‘processors’ (as defined in
Art. 4 (8) GDPR), such as providers of IT-services. If processors do not meet
such obligations, this is sanctioned in the GDPR with very high fines (i.e.
fines up to EUR 20.000.000 or 4 % of the total worldwide annual turnover of the
undertaking). Under the Directive obligations and sanctions were mainly
directed towards ‘controllers’ (as defined in Art. 4(7) GDPR). This change
towards more responsibility for processors will have consequences for
obligations and liabilities of such processors. This might create the need for
them to adapt existing clauses in general terms and conditions and data
processing agreements regarding obligations and liabilities in relation to
privacy and data protection in order to mitigate their exposure
TILT Clinic Mirror Room – We are data
The development of the experiment will take place in April. During one month (from April 20 to May 4, 2017) five (5) students will work on the practical assignment, commissioned by the TILT in collaboration with the WE ARE DATA – Mirror Room project. The students will spend the working days (21 - 24 - 25 April, 1 and 4 May) at the TILT’s premises, in room M273. The clinic shall be concluded with a written report to be addressed to the project’s coordinators and an oral presentation at the TILTing Perspectives Conference 2017. Students will receive input and feedback primary from the Clinic’s two academic supervisors.
TILT Clinic with Privacy International
I. About Privacy International
Privacy International is a non-profit, nongovernmental organization based in London dedicated to defending the right to privacy around the world. Established in 1990, Privacy International undertakes research and investigations into state and corporate surveillance with a focus on the technologies that enable these practices. We have litigated or intervened in cases implicating the right to privacy in the courts of the United States, the United Kingdom (“UK”), and Europe, including the European Court of Human Rights (“ECtHR”) and the Court of Justice of the European Union. To ensure universal respect for the right to privacy, Privacy International advocates for strong national, regional and international laws that protect this right. We also strengthen the capacity of partner organizations in developing countries to do the same.
II. Government Hacking and Surveillance
As part of our work into state surveillance, Privacy International has focused on the issue of government hacking and proposes a TILT Clinic on this topic. The first sub-section below presents a brief explainer on hacking. The second sub-section describes Privacy International’s project to develop a set of recommendations governing government hacking for surveillance purposes. The third and final sub-section outlines the potential project addressing government hacking.
A. A Brief Explainer on Hacking
Hacking is the act of breaking the security of and gaining unauthorised access to a system.
System is used in the broadest sense to refer both to any combination of hardware and software or a component thereof. The most obvious systems of target are desktop computers, laptops, tablets and mobile phones. They may also include the proliferating number of physical devices making up the “Internet of Things” – cars, TVs, refrigerators, utility meters, baby monitors – which generate, collect and exchange data. Target systems can also include network infrastructure itself, such as the routers that direct network traffic or the computers that control network security.
III. TILT Clinic Project
Privacy International is currently in the process of formalizing the hacking recommendations and presenting them as a vehicle for advocacy. As part of this process, we would like to select several case study countries and analyze their hacking law and practice. We have already undertaken a fairly exhaustive analysis of the relevant law and practice in the UK, but seek a better understanding of government hacking for surveillance in several other European Countries. Accordingly, we propose that the TILT clinic produce a memo considering this issue in three countries: Germany, Italy and the Netherlands.
Factually, the memo should seek, for example, to elucidate:
- Which government authorities hack?
- For what purposes do each of these authorities hack (e.g. law enforcement)?
- What hacking techniques do each of the agencies employ?
Legally, the memo should seek to explain the current legal landscape – e.g., relevant laws, regulations, policies and jurisprudence – governing hacking, including, for example:
is the applicable authorization process?
o E.g. Is there a warrant regime?
§ E.g. Do warrant applications describe the method/extent of the proposed hacking operation?
are, if any, applicable safeguards with respect to the privacy intrusion?
o E.g. What is done with any irrelevant information that is accessed and/or seized as part of a hacking operation?
are, if any, applicable safeguards with respect to security?
o E.g. Must the government assess the security implications for the targeted device and for communications systems more generally?
- What judicial challenges have been made to government hacking?
The legal analysis should also take into account any ongoing developments in the legal landscape, such as draft legislation that is currently pending.
Privacy International seeks to produce a report or similar advocacy vehicle to explain the hacking recommendations, which would include an analysis of several case study countries. We anticipate that the work produced by the TILT clinic could be incorporated into this advocacy output.
 According to the Internet Security Glossary, which is produced by the Internet Engineering Task Force (“IETF”), a body that develops internet standards, one definition of “hack” is “[t]o do some kind of mischief, especially to play a prank on, or penetrate a system.” The Glossary defines “cracker”, which it describes as a synonym for “hacker”, as “[s]omeone who tries to break the security of, and gain unauthorized access to, someone else’s system, often with malicious intent.” IETF, Internet Security Glossary, Version 2, Aug. 2007, https://tools.ietf.org/html/rfc4949. According to the Jargon File, a glossary of computer programming terms, one definition of “hacker” is “[a] malicious meddler who tries to discover sensitive information by poking around.” The Jargon File clarifies however that the “correct term for this sense is cracker” and defines “cracker” as “[o]ne who breaks security on a system” and “cracking” as “[t]he act of breaking into a computer system.” Eric S. Raymond, ed., The On-Line Hacker Jargon File, version 4.4.8, 1 Oct. 2004, http://www.catb.org/~esr/jargon/.
TILT Clinic with Zepcam
What are the legal implications of incorporating facial recognition (and other biometric) capabilities into body-worn camera technologies designed for use by law enforcement, transport, and public safety personnel.
Clinic Dates: 28 October to 25 November 2016
Zepcam company profile:
Zepcam is a Dutch technology company specialized in body worn video and mobile video systems for professional use. Zepcam develops products and solutions for clients in public safety, public transport, fire departments and the industry.
The company offers integrated high-end solutions that cover the complete technical chain: field device, back-end and network solution, client applications and video management system integrations for command & control rooms. This integrated approach results in significant better quality, ease of implementation and high operational reliability.
The video systems of Zepcam are used for recording and live streaming of video, audio and location via 2G, 3G, 4G and Wi-Fi. Zepcam products are used for video evidence, reduction of aggression, lone worker situations, improving situational awareness and remote assistance of field engineers.
Zepcam is a recognised pioneer and leader in its markets. Its products and solutions are being sold to clients in over 30 countries, including police forces of Germany, The Netherlands and Switzerland.
Clinic Overview and application instructions:
TILT is proud to present a new TILT Clinic in cooperation with Zepcam, a market leading Dutch mobile video company based nearby in Zaltbommel. During one month (from October 28 to November 25, 2016) four (4) students will work on a practical assignment, commissioned by Zepcam. The students will spend one day at Zepcam’s offices at the beginning of the clinic, followed by an average of two days a week at TILT, concluding with written and oral reports to company executives and the TILT community. Students will receive input and feedback from supervisors with academic as well as practical business perspectives, although the primary feedback will be from the Clinic’s two academic supervisors.
Application to the TILT/Zepcam Clinic is open to any (international and domestic) Master students at Tilburg Law School. Part of the clinic assignment will be targeted at understanding the domestic legal regulation of body-worn camera use and deployment, with a specific focus on incorporating facial recognition and other biometric technologies, in a small set of countries (ideally two or three), including the Netherlands. Because of the need to include an analysis of Dutch law in the project, we plan to select at least one student with native fluency in Dutch and with some expertise in Dutch law. Other selected students will have fluency and background expertise in the language and relevant law of another European country (with some preference for German, English, Italian, Polish, Czech, or Slovenian).
The TILT/Zepcam Clinic will run from 28 October to 25 November 2016. The specific working days will include one Friday at Zepcam in the first week (e.g. 28 October) as well as two days a week at TILT in each of the four weeks (specific days are negotiable, and to be decided based on student and supervisor availability).
Applications, including a Letter of Motivation, CV/resume, and grade list (transcript), must be submitted by email to Dr. Bryce C. Newell at firstname.lastname@example.org. Letters of motivation should include a statement identifying which legal jurisdiction(s) the applicant is most interested in researching, and what level of legal research experience the applicant has with the law of the identified jurisdiction(s). Complete application materials must be received on or by September 23, 2016. TILT, in coordination with Zepcam, will select up to four (4) students to participate in the Clinic. Students will be notified about participation on (or before) October 10. There is no financial remuneration for participation in the TILT/Zepcam Clinic. Travel expenses to Zepcam’s offices in Zaltbommel will be reimbursed if students do not have a free OV‐chipcard.
Participation in the TILT/Zepcam Clinic is reserved for the best students and will be a valuable addition to your CV. Clinic organizers reserve the right to select fewer than four students, at their discretion, should the applications not meet the desired criteria.
The TILT/Zepcam Clinic assignment will entail:
Conducting research into the legal and political implications of incorporating facial recognition (and other biometric) capabilities into body-worn camera technologies designed for use by law enforcement, transport, and public safety personnel in The Netherlands and one or two additional countries (to be determined by the clinic supervisors, taking the interests/expertise of accepted students into consideration); as well as possibly some broader legal research into how body-worn cameras are regulated in these same jurisdictions;
Presenting early findings to Clinic supervisors halfway through the Clinic, to receive and incorporate feedback and questions into the final research report;
Drafting a final report, based on the research conducted, outlining the legal analysis and other research findings applicable in each country studied;
Presenting the completed research and findings to supervisors at Zepcam and TILT.
TILT Clinic Open Data
From the end of October until January 2017 TILT is organizing a Law Clinic commissioned by the Municipality of Eindhoven. More and more data are collected in the public space e.g. measuring air and temperature, but also traffic flows and the flow of people. These data collected in the public space are, according to the Eindhoven Municipality, available to everyone and owned by everyone. Therefore, the Eindhoven Municipality wants to assess whether it is allowed to make regulations valid for the digital daily environment. This question will be answered by the participants in the Law Clinic.
Clinic in cooperation with Bits of Freedom
TILT gladly presents the next TILT Clinic in cooperation with Bits of
During one month, four students will work on a practical assignment, commissioned by Bits of Freedom. The students will spend one day a week at TILT and one day a week on the premises of Bits of Freedom, at the address of Bickersgracht 208, Amsterdam. This will allow for students to become supervised and guided both from an academic as well as an in-house legal & civil rights perspective. The TILT Clinic will be in English, though knowledge of Dutch law is required.
Bits of Freedom:
Bits of Freedom is the leading Dutch digital rights organization, focusing on privacy and communications freedom in the digital age. Bits of Freedom strives to influence legislation and self-regulation, on a national and a European level. Bits of Freedom is one of the founders and a member of European Digital Rights (EDRi).
About the assignment:
The new General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive (Directive) and will apply as of May 25, 2018. Although the Directive contained a provision on automated decision making (Art. 15), it did not address the issues associated with profiling. The GDPR now does contain a definition on profiling (Art. 4(4)) and the GDPR does, to some extent, apply to profiling (recital 72).
The rights and obligations provided for in Article 22 GDPR, however, apply only to fully automated decisions (e.g. profiling-based), which produce “legal effects” or “similarly significantly affects” the data subject. Legal effects are not defined; therefore it will be difficult for the concerned individual to prove legal effects, unless he/she has a contract with the controller. However, a "contract between the data subject and a data controller" is an exception to the right to object to profiling. The term "similarly significantly affects" is even more vague. In practice, it will often be difficult for concerned individuals to prove these requirements.
Furthermore, Articles 22 (b) and 23 of the GDPR allow the EU and Member States
to restrict the scope of application of the rights and obligations provided for
in Article 22 GDPR. This could weaken harmonization and may bring legal
uncertainty if Member States adopt different rules.
Another issue is that it is not clear whether the GDPR sufficiently addresses the key issues associated with profiling (e.g. manipulating the individual's (economic) decisions and behaviour, categorizing individuals, sorting and discriminating among individuals, and other unfair effects), and whether it is actually the appropriate legal framework for addressing these issues. Koops has suggested that profiling and protection against automated decision making could also be addressed in other legal instruments, such as consumer protection law (unfair trade practices) or non-discrimination law, or, for the public sector, in administrative procedure law. 
Bits of Freedom would like students to explore how the GDPR addresses the key
issues related to online profiling by private parties and whether other legal
instruments could play a role in this field. This could be explored by
answering the following two questions:
What automated data processing activities fall within (or outside) the definition of “profiling”, and what profiling activities fall within (or outside) the scope of the provision concerning automated decision making? Does this leave any regulatory gaps?
How do other legal instruments (under Dutch law), such as anti-discrimination law and consumer law, address the key issues related to profiling?
The students could, for example, decide to create two groups of two students which answers one of these questions.
A brief written report
A presentation of the main findings and possible recommendations
A blog post (max. 1.200 words) for a general audience
The Law Clinic will be held from 19 September until 15 October 2016.
The exact dates for the Clinic are the following:
- 22nd of September
- 29th of September
- 6th of October
- 13th of October
We suggest that up to two students at the same time spend time at our office,
given the limited amount of space we have. Of course, all students are welcome
on the day of the presentation.
Application is open to Master students in Law and Technology of Tilburg University. TILT will select 4 students on the basis of Letter of Motivation, CV and grade list, to be submitted by email to Ms. K. La Fors, e-mail: K.LaFors@tilburguniversity.edu, ultimately by 31th of August. Out of these applications, the TILT-BoF Clinic is reserved for the best 4 students. For the selected students this clinic will surely be a valuable addition to their CV.
 B.J. Koops (2014), ‘The trouble with European data protection law’, International Data Privacy Law, doi:10.1093/idpl/ipu023.
TILT clinic in cooperation with Stanford University
Third party Intervention Submissions by EISi
The European Information Society Institute
Four master students successfully prepared submissions for third-party interventions by the European Information Society Institute (EISi) before the ECtHR
On 19 February 2016, the European Information Society Institute, a think-tank, officially filed its third party intervention before the European Court of Human Rights in the Satamedia case. The decision of the Grand Chamber will be very important for the future of data journalism in Europe.
The brief for the intervention was prepared by four excellent students of Tilburg Law School (Cora Arts, Diana van Wanrooij) and Stanford Law School (Laurel Elizabeth Mills, Eric Dunn) as a part of a Legal Clinic under supervision of professors from Tilburg University (Martin Husovec and Karolina La Fors) and Stanford University (Phil Malone and Daphne Keller).
The submission addresses the following issues:
- the impact that this decision may have on technologies that help journalists use data to impart new, useful information to the public
- the need to balance the rights of freedom of expression and privacy in a way that leaves space for journalists to innovate using these technologies, and
- the ways in which this Court’s existing precedents can be recalibrated to account for these important interests.
Satakunnan Markkinapörssi Oy and Satamed App No. 931/13
TILT Clinic in cooperation with Privacy Company
From 14 February - 15 March 2016, 4 students worked on a practical assignment, commissioned by Privacy Company
Privacy Company is a specialized organization and platform of experts focusing on privacy and data protection issues in a variety of domains. “Privacy Company distinguishes itself by its strong customer focus, quality and cost. Privacy Company believes in a practical and customer centric approach. Besides curbing the legal risks and threats fine Privacy Company sees opportunities to use qualitative data to improve processes, services or products. The team Privacy Company has extensive experience with privacy issues in a broad sense and consists of professionals with business, technical, organizational and legal skills.”
On January 1st 2016 the duty to notify data breaches under the Dutch Data Protection Act came into force. The duty to notify rests upon the data controller and extends to both the Data Protection Authority and the data subject. Failure to notify either the data subject or DPA could result in a fine of 810.000 Euro or 10% of the annual net turnover. All the more reason for companies to implement a data breach procedure.
Given this background, the Netherlands interestingly seems to be the breeding ground for the future European Data Protection Regulation (expected in 2016), that will also include a data breach notification duty.
The Privacy Company wanted students to comprehensively explore data breach procedures that are already implemented in other countries to answer the following questions:
- What is a data security breach that has or is likely to have serious adverse consequences for the protection of personal data? More specifically this question can also relate to another one:
- What should the contractual arrangements with data (sub)processors look like if companies want to limit their liability?
TILT Clinic in cooperation with ING
The TILT Clinic in cooperation with ING started on the 8th of October and ended on the 8th of November.
The students worked on the following assignment: How can ING ensure that the most important information regarding data processing is actually read and understood by their customers?
Information obligations are
very important in both the Data Protection Directive and the proposed Data
Protection Regulation. Information obligations do not stand alone, but relate
closely to other concepts of data protection legislation such as accountability
and informed consent. Even though the importance of providing proper
information is highly acknowledged, one of the major problems with information
obligations is the lack of an obligation for consumers to actually read the
provided information. Even though literature and the proposed Regulation offer
some suggestions on how to increase chances of consumers actually reading
privacy policies, ING still feels we are in need of innovative solutions to get
such important information across to their customers.
TILT Clinic in cooperation with Delta Lloyd (Ohra)
The TILT Clinic in cooperation with Delta Lloyd (Ohra) started on the 10th of September and ended on the 2nd of October 2015.
The students worked on the following assignment: Ohra is piloting a new, innovative, car-insurance product for people in the age category from 18 up till and including 28. By measuring certain driving habits a risk-score will be calculated. The higher (= the better) this score the more discount the insured driver can gain up till a discount of 35% on the monthly insurance premium. The pilot project is running under the working title “Pay How You Drive”(PHYD). The assignment concerns the review of the PHYD insurance policy conditions, with specific focus on the privacy aspects. The students had to give recommendations regarding the privacy aspects of the policy conditions and on how to make the policy conditions both client-friendly and legally correct and according the law.
TILT Clinic in cooperation with ASML
ASML is one of the world's leading
providers of advanced technology systems for the semiconductor industry. The
company offers lithography systems, mainly for manufacturing chips. This was
the first TILT Clinic in cooperation with a multinational corporation. This
clinic took place in April – June 2015.
During this clinic the students worked on the following
assignment: Assist in chartering the global compliance landscape (new
developments, focus areas) for high tech, business-to-business companies. The
legal areas covered include privacy, anti-bribery, safety and insider trading.
The project consisted of first prioritizing the main topics relevant to the business of ASML and training by ASML in-house Compliance counsel. Subsequently, the students embarked on an investigation of the most relevant new and expected developments on the identified topics, with special attention to the jurisdictions where ASML’s main customers are located (Asia & the US). The investigation also included a sector bench-mark. The assignment resulted in a brief report, and a presentation to senior management with key findings and advice.
In cooperation with LOUWERS IP|TECHNOLOGY ADVOCATEN
The first TILT Clinic was in cooperation with LOUWERS IP|TECHNOLOGY ADVOCATEN, an IP and Technology boutique firm based in Eindhoven.
clinic took place in November and December 2014. The assignment entailed the following: (How)
do the five most popular health monitoring wearables comply with current and
proposed data protection regulations and (how) can this be improved? During the
research the students analyzed and compared the general terms and conditions
and privacy policies of the five most popular wearables in view of existing and
proposed EU privacy regulations.
The students presented the
results of their research at an international conference and published their
results in a paper.
Read more about the experience the students had, in this interview.