Participant Insights: ESR Xengie Doan Reveals the Top Highlights of CPDP 2023 Conference

I attended CPDP 2023 and found two events very interesting and pertinent to my thesis topic regarding user-centered digital collective consent for genetic data sharing in the EU.

First, I attended a workshop on Wednesday about the Trustworthy (re)use of health data endorsed by the EHDS organized by The European Institute for Innovation through Health Data  ( i~HD).

Maria Christofidou from i~HD presented about consent the types of consent that were growing in the field, though they did point out that the EHDS does not endorse a specific type of consent, but instead suggested other legal bases for processing data. This was especially interesting to me as I am working on another model of consent, collective consent, which might be at odds with the EDHS as it currently stands. However, the speaker was unsure if consent would be replaced by other legal bases or if it would still continue to be used, but also have other legal bases as stated by the EDHS.

Then, the second speaker presented issues with data quality to make the data reusable. It was a manifold issue with only a few aspects that could currently be objectively measured, such as uniqueness (lack of duplication) while concepts like trustworthiness or representativeness were much more conceptual and difficult to be measured with current tools.

The workshop then proceeded to certification measures from the i~HD and a lively conversation with people working in complex multinational health data-sharing efforts who were unsure about the usefulness of the EDHS for facilitating easier data sharing, as it seemed to only add EU certifications on top of specific national requirements (which were sometimes at odds).

Another very interesting panel was the Privacy Engineering for Transparency and Accountability organized by TU Berlin on Thursday. This panel was full of great speakers, talks, and questions so I would highly recommend watching the recording, as this will only summarize a small portion of the panel. Transparency-enhancing technology was presented by Elias Grunewald from TU Berlin called TILT. This is a tool to scan policies for relevant transparency requirements in a machine-readable format for developers to use, which could then be translated to related privacy icons, dashboards, plugins, and more. These are interesting for my research because I am interested in enhancing transparency in digital collective consent tools that can adapt to both institutional governance and developer needs as well as user needs. Thus such a flexible system enabling different interfaces is very relevant.

Some other very interesting speakers spoke about the new offerings for privacy technology including Privado, and adversarial transparency to investigate a company’s actual practices when they are obscured (e.g. Meta).


16th Computers, Privacy & Data Protection – CPDP Conference in Brussels

From 24– 26 May 2023 the 16th International Conference “Computers, Privacy & Data Protection – CPDP” took place in Brussels, Belgium, offering cutting-edge discussions in legal, regulatory, academic, and technological development in privacy and data protection. LeADS was present in panels and activities during the three days of the Conference.

Prof. Paul De Hert, one of LeADS supervisors, gave the Conference’s opening speech, introducing the new activities and the main topics discussed in 2023, such as the EDPB elections and the future of data protection in Europe in the face of recent EU Regulations.

Following the introduction, LeADS collaborator, Arianna Rossi of the SnT University of Luxembourg was one of the speakers at the panel “Measuring dark patterns and their harms: A multidisciplinary, Antecipatory Perspective”, organized by one of LeADS beneficiary Interdisciplinary Centre for Security, Reliability, and Trust (SnT), University of Luxembourg (LU), exploring the harms posed by dark patterns – such as the cookie banners – and how to address them. Arianna was also a workshop facilitator at the workshop “Personalised Privacy; How can we leverage personalisation for better privacy protection?” organized by Maastricht University, Law and Tech Lab.

On the second day of the Conference, LeADS ESR Barbara Lazarotto was a panelist at a panel on “The Underuse of Personal Data, Its Opportunity, Costs, and EU Policies” organized by the University of Turin, which focused on how the underuse of personal data can pose risks to society, such as hindering technological development of health research.

Other LeADS ESRs Fatma Dogan, Soumia El Mestari, Onntje Henrichs, Xengie Doan, and Aizhan Abdrassulova also attended the Conference, where they had the opportunity to join in interesting discussions on their research topics.

Op-Ed: “Business-to-government data sharing on the Data Act: between a rock and a hard place” by Barbara Lazarotto

This Op-Ed was originally published on the EU Law Live Blog and can be accessed here


The Data Act proposal is the latest Regulation of the European Data Strategy to have been proposed in February 2022, with the main objective of removing the obstacles to the circulation of data and creating value from it through business-to-consumers, business-to-business and business-to-government data sharing. The Proposal has gained attention due to its innovative proposition, which aims to address complex and different concerns related to the data economy depending on the area of regulation. The Act addresses the market dominance within the field of IoT products, cloud and edge computing and aims to advance the European data economy through data reuse, including the public sector. Yet, the trajectory of the Data Act proposal has been a bumpy ride with a lot of back and forth between pushing for more sharing of data and furthering restrictions on data access, mostly influenced by stakeholder positions when it comes to business-to-government data sharing. In this Op-ed, I will further explore the road of the Proposal so far and how the modifications throughout the legislative process still support the industry position, and what this means for the future of business-to-government data sharing in Europe.

A wrestle between public sector access and industry interests

Before reaching the Council, the Data Act Proposal was mostly focused on data access by consumers and further sharing of data for the purposes of enhancing market competition. Chapter V, fully dedicated to business-to-government data sharing, was heavily influenced by public health management during the COVID-19 pandemic, in which access to privately held data by the public sector was considered essential. However, the use of private data is not only advantageous in exceptional circumstances but can also be essential to support the public sector in policymaking, a hypothesis which was not fully addressed by the Data Act proposal.

Yet, when the Czech Presidency took over the rotating presidency of the EU Council from 1 July to the end of 2022, it took a pro-public sector approach by broadening the scope of the business-to-government data sharing beyond the original proposal, pushing it forward the circumstances of data access for the purposes of enacting public tasks. Prague pushed for stronger enactment of mandatory data-sharing regulation, although the text significantly reduced the scope of business-to-government data sharing to only the European Commission and the EU Agencies whereas before it applied to all EU institutions. Empowering clauses were enhanced, which allowed the public sector to challenge requests for compensation by organisations holding data. One of the main additions was the further specification of tasks in the public interest provided by law that might justify the request for privately held data, such as local transport, city planning and infrastructural services. This opened an avenue of possibilities for the use of private data for public purposes such as the development of smart cities.


Following the end of the Czech rotating presidency, Sweden took over in January 2023, and contrary to the previous Presidency, it turned to the industry segment by proposing the reduction of the scope of the act to all data processed via systems subjected to Intellectual Property rights or specific know-how of the data holder. Additionally, the possibility for data holders to deny the sharing of data based on any trade secret was introduced, strengthening the business position considerably. When it comes to business-to-government data sharing, the scope of data was restricted only to non-personal data, a request that was present in the EDPB-EDPS Join Opinion 02/2022 on the Data Act.

Once the Proposal reached the Parliament for the trilogues, business-to-government data-sharing regulation took a considerable step back again, following the industry organisations’ joint statement expressing the sector’s concern with the protection of trade secrets. Some hypotheses on the use of private data by governments for the fulfilment of tasks in the public interest were removed from Recital 57, although in my opinion the removal does not impact the interpretation of article 15(b) of the proposal. Most recently, a common position was reached by Coreper which has highlighted again the necessity to ‘fine-tune’ the terms of business-to-government data sharing regulation. (for more information, see the Council press release here)

Between a rock and a hard place

Following this retrospective analysis, it is possible to observe that the main objective of the Data Act is to empower consumers by giving them access to data generated by ‘smart devices’ and that the business-to-government data-sharing provisions are not the focus of the Regulation, in spite of the pro-public sector approach by the Czech Presidency. The European Parliament strengthened the industry pleas, by enhancing trade secrets protection and restricting the possibilities of data access by governments.

Therefore, one question remains. Given the abovementioned trajectory, what is the future of business-to-government data sharing in the EU?

The Data Act is a horizontal proposal which aims to propose basic data-sharing rules for all sectors, leaving room for a specific regulatory framework for specific sectors. A specific regulatory framework would need to fully address the challenges faced by the public sector when accessing privately held data due to its peculiarities and its public interest purpose. A specific regulation would be essential to coordinate how already existing regulations (e.g., General Data Protection Regulation 2016/679, Data Governance Act Regulation 2022/868, Data Base Directive 96/9/EC), Member States’ legislation (such as the French loi n° 2016-1321 du 7 octobre 2016) and future proposed regulations such as the Data Act will co-exist. Additionally, a specific regulatory framework would have to face challenges, such as how to involve the private sector in public matters without causing a ‘corporatisation’ of the public sphere while protecting public values such as transparency of administration and the interest accessing certain types of data for public purposes.

So far, I still cannot see the end of the tunnel. Due to the backseat position of business-to-government data sharing in the proposal, it is safe to affirm that the future of B2G does not depend greatly on the Data Act. At the same time, the regulatory measures brought by the proposal are too restricted to alter the status quo of business-to-government data-sharing agreements that are already taking place, and they definitely do not address the issues faced by the public sector when settling agreements, such as power imbalances, unfair contractual clauses, and restrictions on the use of data. Thus, there is only hope that a Regulation that addresses these points is in the Commission’s pipeline.

Barbara Lazarotto is a PhD researcher at the Vrije Universiteit Brussel, a member of the Law, Science, Technology and Society Research Group (LSTS) and a Marie Curie Action Fellow at the LeADS Project.

ESRs Fatma Doğan at seminar for young researchers and PhD students


ESRs Fatma Doğan participated in the seminar for young researchers and PhD students titled: “Current Challenges in Medical Law”. The seminar took place in Göttingen, between 3-4 May 2023. Fatma presented her study named “Re-use, Secondary use or further use of health Data: A dilemma placed in between legislations” on ‘Current Challenges related to Data & Research’ panel.

Fatma started her presentation with a quote from EU Commission Communication on data re-use from 2020. The commission states that: “The value of data lies in its use and re-use. Currently, there is not enough data available for innovative re-use, including for the development of artificial intelligence.” Her main research question was, how can we interpret the re-use of health d ata under current EU legislation. While seeking the answer to this question her research is divided into three parts. In the first part, she examined GDPR and it’s provisions about ‘further use’ as it is the main legal instrument. Secondly, Data Governance Act(DGA) and its provisions about ‘re-use’ and thirdly, the Proposal of European Health Data Space(EHDS) and its ‘secondary use’ provisions were examined. Her findings point out that both DGA and EHDS don’t offer a detailed explanation of what terms could entail. Moreover, all three of the legislations will be regulating an intersecting ground, thus, their differences have a possibility to create discrepancies. Her study sought to discuss the similarities and differences between the referred legislation in terms of the mentioned concepts and make sense of their interplay.

The seminar was full of enlightening presentations and interesting keynote speeches. Fatma also received valuable feedback and thought provoking questions after her presentation.

ESRs present their research at Institut cybersécurité de l’Occitanie workshop


On the 19th of April 2023, the workshop Journée scientifique du Défi Clef at the Institut cybersécurité de l’Occitanie at The Laboratory for Analysis and Architecture of Systems (LAAS-CNRS) took place in Toulouse, France.

The workshop was divided into three sessions the first Session focused on thesis presentations, Session 2 focused on presentations on the topic of cybersecurity and Session 3 was entered on material, logical and systemic security. Prof. Jessica Eynard, one of the supervisors of the LeADS Project, and Giorgia Macilotti one of LeADS collaborators presented their research in Session 2 the topic Sécurité(s) et identité(s) numérique(s).

Early Stage Researchers Cristian Lepore, Barbara Lazarotto and Louis Sahi also participated in the workshop on a poster session, where they presented the development of their research.


ESRs Fatma Dogan and Soumia El Mestari at Privacy Symposium 2023

ESRs Fatma Dogan and Soumia El Mestari attended the annual Privacy Symposium took place in Venice between 17-21 April. ESRs presented their paper which they have witten with Dr. Maria Botes from Centre for Medical Ethics and Law of Stellenbosch University.

Their paper titled “Technical and Legal Aspects Relating to the (Re-Use of Health Data when Repurposing Machine Learning Models in the EU” will be published in the conference book. In the study, they discussed technologies such as re-purposing machine learning models under EU data protection laws. The original point was that technologies like Al and loT are data greedy by their nature hence they need more datasets constanty. Machine learning technologies can reuse the existing machine learning models, also known as “knowledge transfer for other tasks”. However, this solution when examined under a legal lens becomes ambiguous because there is no exact equivalent of this term in current EU data protection laws. Even so, when this technology is used in health data tasks, the practice becomes even more complex. because health data qualifies as sensitive data which attracts stricter rules regarding its processing.

In the paper, they examined this topic from both a legal and a technical point of view. Their research considers the use of repurposing machine learning models and their application within the legal context of the secondary use and re-use of personal data. Their legal analysis includes the General Data Protection Regulation, Data Governance Act, and European Health Data Space proposal. The ESRs received questions and supportive feedback from the participants and also attended the
other enriching panels of the conference.

ESRs Fatma Dogan and Barbara Lazarotto at BILETA 2023


On April 13th 2023, ESRs Fatma Dogan and Barbara Lazarotto participated in the 38th Annual BILETA – British and Irish Law Education and Technology Association Conference. The Conference came back to The Netherlands after 22 years and had as a topic Cyberlaw: Finally getting its Act(s) together? held in Amsterdam Law and Technology Institute and online. (for more information consult the program of the conference). Fatma and Bárbara both presented their research at the Data Governance Panel, exploring the interaction between different EU Regulations.

Barbara presented her research titled The Right to Data Portability: An Holistic Analysis of GDPR, DMA and the Data Actin which she explored the interactions and overlaps when it comes to the right to data portability in the three Regulations and possible implications to data subjects’ rights. Barbara won the European Journal of Law and Technology best paper award with her paper.


Fatma presented her research titled Re-Use or Secondary Use: A Comparison between Data Governance Act and European Health Data Space, where she explored the re-use or secondary use of health data, making an analysis of the Data Governance Act and the European Health Data Space.


Both researchers received great questions and feedback from the participants which will enrich their research for future purposes.

Participation of ESR Aizhan Abdrassulova in two conferences in April 2023

Early Stage Researcher Aizhan Abdrassulova presented her research at III International Forum on Medical Law, which was held on April 6-7, 2023 in Ekaterinburg.  Her article’s title is «Some Aspects of medical ethics and Confidentiality in European Law». Aizhan outlined the basic principles of European medical ethics and its main directions of development. Participation in the conference was remote, materials will be published on the website and in print in June 2023.

Also on April 11-13, Aizhan was present offline at the 33rd Madrid International Conference on “Law, Education, Marketing and Management” (LEMM-23).

Aizhan’s topic “Data ownership: civil law aspect” is closely related to the topic of her dissertation. All papers of LEMM-23 will be published in the printed conference proceedings with a valid International ISBN number.

Each Paper will be assigned a unique Digital Object Identifier(DOI) from CROSSREF and the Proceedings of the Conference will be archived in DiRPUB’s Digital Library. Aizhan won the nomination for “Oral Best Paper Certificate”.

LeADS and LiderLab Workshop on ethical and legal issues in technology

The VALKYRIES Project– funded from the European Union´s Horizon 2020 research and innovation programme, focused on analyzing, improving and developing infrastructures, protocols, and prompt data exchange standardisation and harmonisation tactics to increase effectiveness and interoperability in cross-frontier and cross-sector emergency situations, conducted its third ethical legal workshop titled “Dealing With Ethical Legal Issues Technology Development: The Current Approaches Adopted In Ongoing Projects” on March 3, 2023.

The workshop consisted of presentations by persons involved in various projects such as the VALKYRIES, 5GSOSIA, RESCUER, LEADS and FACILITATE, these presentations focused on the ethical and legal issues encountered and combatted during the course of their respective projects.

On behalf of the LeADS Project, Prof. G. Comandé introduced the legality attentive data scientists project and discussed how the LeADS Project is aimed at bridging the gap between data science and law by training early-stage researchers who are involved in the project with technical prowess as well as legal expertise. Further, he mentioned that this has been made possible by the various partnerships with companies and government agencies that the LeADS Project has carved out for its early-stage researchers to create a balance between theoretical studies and practical implementations across sectors.

Prof. Paul De Hert and ESR Barbara Lazarotto at the Norface Governance Online Lecture Series

On 01 March 2023, Prof. Paul de Hert and ESR Barbara Lazarotto participated in the third NORFACE GOVERNANCE Online Lecture Series at the University of Luxembourg. They were joined by Prof. Jean-Bernard Auby, Emeritus Professor of Public Law, Sciences Po Paris – Former Director of “Mutations de l’Action Publique et du Droit Public” («Changes in Governance and Public Law»), Former Deputy Director of the Oxford Institute of European and Comparative Law. The online lecture series was a part of the dissemination practices for the governance program.

The lecture was titled Should the state be smart?“, and approached the concept of “smartness” as a buzzword that is sold by private companies to governments, which often adopt technology to micromanage individuals’ lives, confusing it with administrative effectiveness. The lecture explored possible alternative paradigms for governments for the future and their relationship with technology.