[
  {
    "id": "doaj:0493c076c3bd41ae82b52106fb467b92",
    "title": "GDPR and Large Language Models: Technical and Legal Obstacles",
    "authors": [
      "Georgios Feretzakis",
      "Evangelia Vagena",
      "Konstantinos Kalodanis",
      "Paraskevi Peristera",
      "Dimitris Kalles",
      "Athanasios Anastasiou"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://www.mdpi.com/1999-5903/17/4/151",
    "pdfUrl": "",
    "doi": "10.3390/fi17040151",
    "abstract": "Large Language Models (LLMs) have revolutionized natural language processing but present significant technical and legal challenges when confronted with the General Data Protection Regulation (GDPR). This paper examines the complexities involved in reconciling the design and operation of LLMs with GDPR requirements. In particular, we analyze how key GDPR provisions—including the Right to Erasure, Right of Access, Right to Rectification, and restrictions on Automated Decision-Making—are challenged by the opaque and distributed nature of LLMs. We discuss issues such as the transformation of personal data into non-interpretable model parameters, difficulties in ensuring transparency and accountability, and the risks of bias and data over-collection. Moreover, the paper explores potential technical solutions such as machine unlearning, explainable AI (XAI), differential privacy, and federated learning, alongside strategies for embedding privacy-by-design principles and automated compliance tools into LLM development. The analysis is further enriched by considering the implications of emerging regulations like the EU’s Artificial Intelligence Act. In addition, we propose a four-layer governance framework that addresses data governance, technical privacy enhancements, continuous compliance monitoring, and explainability and oversight, thereby offering a practical roadmap for GDPR alignment in LLM systems. Through this comprehensive examination, we aim to bridge the gap between the technical capabilities of LLMs and the stringent data protection standards mandated by GDPR, ultimately contributing to more responsible and ethical AI practices.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "llm_privacy_attacks",
      "ai_governance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "AI Training PII",
      "Enforcement"
    ],
    "relevanceScore": 1.0,
    "venue": "Future Internet",
    "language": "en"
  },
  {
    "id": "doaj:533b609ae5e6442ca7144f0b4af532fb",
    "title": "Systematic review of privacy-preserving Federated Learning in decentralized healthcare systems",
    "authors": [
      "K.A. Sathish Kumar",
      "Leema Nelson",
      "Betshrine Rachel Jibinsingh"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "http://www.sciencedirect.com/science/article/pii/S2773186325002257",
    "pdfUrl": "",
    "doi": "10.1016/j.fraope.2025.100440",
    "abstract": "Federated Learning (FL) has become a promising method for training machine learning models while protecting patient privacy. This systematic review examines the use of privacy-preserving techniques in FL within decentralized healthcare systems. It compares existing methods such as Differential Privacy (DP), Trusted Execution Environment (TEE), Zero Knowledge Proofs (ZKP), Homomorphic Encryption (HE), Watermarking, Blockchain, and Secure Multi-Party Computation (SMPC) based on regulatory compliance, scalability, computational cost, complexity, and mathematical foundations. The principle challenges in decentralized healthcare like heterogeneous data, privacy risks, security threats, and compliance issues have been discussed. The review also highlights the importance of adhering to global regulations like HIPAA, GDPR, and country-specific data protection laws. Furthermore, it discusses open challenges and suggests future research directions to overcome current limitations, including computational efficiency, adversarial attacks, and the creation of policy frameworks for standardization. Overall, this review provides a unique perspective on ethical, secure, and scalable privacy-preserving FL models for the next generation of healthcare applications.",
    "topics": [
      "privacy_engineering",
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 1.0,
    "venue": "Franklin Open",
    "language": "en"
  },
  {
    "id": "europepmc:40659057",
    "title": "[Anonymization of general practitioners' electronic medical records in two research datasets].",
    "authors": [
      "Hauswaldt J",
      "Groh R",
      "Kaulke K",
      "Schlegelmilch F",
      "Zarei A",
      "Hummers E."
    ],
    "date": "2025-07-14",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1055/a-2624-0084",
    "pdfUrl": "http://www.thieme-connect.de/products/ejournals/pdf/10.1055/a-2624-0084.pdf",
    "doi": "10.1055/a-2624-0084",
    "abstract": "A dataset can be called \"anonymous\" only if its content cannot be related to a person, not by any means and not even <i>ex post</i> or by combination with other information. Free text entries highly impede \"factual anonymization\" for secondary research. Using two source datasets from GPs' electronic medical records (EMR), we aimed at de-identification in an iterative and systematic search for potentially identifying field content (PIF).EMR data of 14,285 to 100 GP patients with 40 variables (parameters, fields) in 5,918,321 resp. 363,084 data lines were analyzed at four levels: field labels, their combination, field content, dataset as a whole. Field labels were arranged into eleven semantic groups according to field type, their frequencies examined and their combination evaluated by GP experts rating the re-identification risk. Iteratively we searched for free text PIFs and masked them for the subsequent steps. The ratio of PIF data lines' number over total number yielded final probability estimators. In addition, we processed a whole dataset using ARX open source software for anonymizing sensitive personal data. Results were evaluated in a data protection impact assessment according to article 35 GDPR, with respect to the severity of privacy breach and to its estimated probability.We found a high risk of re-identification with free text entries into \"history\", \"current diagnosis\", \"medication\" and \"findings\" even after repeated algorithmic text-mining and natural language processing. Scrupulous pre-selection of variables, data parsimony, privacy by design in data processing and measures described here may reduce the risk considerably, but will not result in a \"factually anonymized\" research dataset.To identify and assess re-identifying field content is mandatory for privacy protection but anonymization can be reached only partly by reasonable efforts. 
Semantic structuring of data is pre-conditional but does not help with erroneous entries.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 1.0,
    "venue": "Das Gesundheitswesen",
    "language": "de"
  },
  {
    "id": "europepmc:PPR1144523",
    "title": "A Comprehensive Evaluation of Privacy-Preserving Mechanisms in Cloud-Based Big Data Analytics: Challenges and Future Research Directions",
    "authors": [
      "Coleman S",
      "Wilson D."
    ],
    "date": "2026-01-15",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.20944/preprints202601.1025.v1",
    "pdfUrl": "https://doi.org/10.20944/preprints202601.1025.v1",
    "doi": "10.20944/preprints202601.1025.v1",
    "abstract": "The paradigm shift toward cloud-based big data analytics has empowered organizations to derive actionable insights from massive datasets through scalable, on-demand computational resources. However, the migration of sensitive data to third-party cloud environments introduces profound privacy concerns, ranging from unauthorized data access to the risk of re-identification in multi-tenant architectures. This paper provides a comprehensive evaluation of current Privacy-Preserving Mechanisms (PPMs), systematically analyzing their efficacy in safeguarding data throughout its lifecycle—at rest, in transit, and during computation. The evaluation covers a broad spectrum of Privacy-Enhancing Technologies (PETs), including Differential Privacy (DP), Homomorphic Encryption (HE), Secure Multi-Party Computation (SMPC), and Trusted Execution Environments (TEEs). We examine the inherent trade-offs between data utility and privacy protection, specifically addressing the “utility-privacy” bottleneck where high levels of noise injection or encryption complexity often degrade the accuracy and performance of analytical models. Furthermore, the study explores the integration of Federated Learning as a decentralized approach to privacy, allowing for collaborative model training without the need for raw data movement. Critical challenges are identified, such as the scalability of cryptographic protocols in high-volume data streams and the regulatory pressures imposed by global standards like the GDPR and the EU AI Act. By synthesizing current industry practices with academic research, this paper highlights the gap between theoretical privacy models and their practical implementation in production-grade cloud infrastructures. The discourse concludes with a strategic roadmap for future research, emphasizing the need for Post-Quantum Cryptography (PQC) and automated privacy-orchestration frameworks. 
This comprehensive review serves as a foundational reference for researchers and system archi",
    "topics": [
      "privacy_engineering",
      "data_anonymization",
      "jurisdiction_regulatory",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations",
      "Solutions Market"
    ],
    "relevanceScore": 1.0,
    "venue": "",
    "language": "de"
  },
  {
    "id": "europepmc:PPR1037682",
    "title": "Privacy Risk Assessment Frameworks for Large-Scale Medical Datasets Using Computational Metrics",
    "authors": [
      "Graham O",
      "Wilcox L."
    ],
    "date": "2025-06-17",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.20944/preprints202506.1415.v1",
    "pdfUrl": "https://www.preprints.org/frontend/manuscript/5b7a1a03bb111d667a35ea8fe3f414a2/download_pub",
    "doi": "10.20944/preprints202506.1415.v1",
    "abstract": "The exponential growth of large-scale medical datasets—driven by the adoption of electronic health records (EHRs), wearable health technologies, and AI-based clinical systems—has significantly enhanced opportunities for medical research and personalized healthcare delivery. However, this expansion also introduces complex privacy challenges, particularly concerning the risk of re-identification, unauthorized data inference, and linkage attacks. Existing privacy protection mechanisms often fall short in providing scalable, context-sensitive, and quantitative assessments of these risks. This study presents a comprehensive examination of privacy risk assessment frameworks that utilize computational metrics to evaluate the vulnerability of large-scale medical datasets. It critically reviews current approaches, including differential privacy, k-anonymity, l-diversity, and adversarial risk modeling, and identifies their limitations in handling the dynamic and high-dimensional nature of medical data. Building on these insights, we propose a novel, metric-based privacy risk assessment framework that integrates probabilistic modeling, sensitivity analysis, and contextual data flow mapping to offer real-time, fine-grained risk evaluations. Empirical validation is conducted using diverse medical datasets, assessing the framework's performance across multiple dimensions: accuracy in risk estimation, adaptability to evolving data-sharing scenarios, and compliance with legal and ethical standards such as GDPR and HIPAA. Furthermore, the study explores the incorporation of privacy-enhancing technologies (PETs), including federated learning, homomorphic encryption, and synthetic data generation, to mitigate identified risks without compromising data utility. The results demonstrate the framework’s capacity to support data custodians and healthcare institutions in making informed, accountable decisions about data sharing and use. 
By grounding privacy risk assessment in computational ",
    "topics": [
      "data_anonymization",
      "privacy_engineering",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 1.0,
    "venue": "",
    "language": "de"
  },
  {
    "id": "doaj:7082dd8c4f774b90bdd6bbd05b6462cb",
    "title": "Data Obfuscation Through Latent Space Projection for Privacy-Preserving AI Governance: Case Studies in Medical Diagnosis and Finance Fraud Detection",
    "authors": [
      "Mahesh Vaijainthymala Krishnamoorthy"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://xmed.jmir.org/2025/1/e70100",
    "pdfUrl": "https://europepmc.org/articles/PMC11922095?pdf=render",
    "doi": "10.2196/70100",
    "abstract": "Abstract\n            BackgroundThe increasing integration of artificial intelligence (AI) systems into critical societal sectors has created an urgent demand for robust privacy-preserving methods. Traditional approaches such as differential privacy and homomorphic encryption often struggle to maintain an effective balance between protecting sensitive information and preserving data utility for AI applications. This challenge has become particularly acute as organizations must comply with evolving AI governance frameworks while maintaining the effectiveness of their AI systems.\n            ObjectiveThis paper aims to introduce and validate data obfuscation through latent space projection (LSP), a novel privacy-preserving technique designed to enhance AI governance and ensure responsible AI compliance. The primary goal is to develop a method that can effectively protect sensitive data while maintaining essential features necessary for AI model training and inference, thereby addressing the limitations of existing privacy-preserving approaches.\n            MethodsWe developed LSP using a combination of advanced machine learning techniques, specifically leveraging autoencoder architectures and adversarial training. The method projects sensitive data into a lower-dimensional latent space, where it separates sensitive from nonsensitive information. This separation enables precise control over privacy-utility trade-offs. We validated LSP through comprehensive experiments on benchmark datasets and implemented 2 real-world case studies: a health care application focusing on cancer diagnosis and a financial services application analyzing fraud detection.\n            ResultsLSP demonstrated superior performance across multiple evaluation metrics. In image classification tasks, the method achieved 98.7% accuracy while maintaining strong privacy protection, providing 97.3% effectiveness against sensitive attribute inference attacks. 
This performance significantly exceeded that of traditional anonymization and privacy-preserving methods. The real-world case studies further validated LSP’s effectiveness, showing robust performance in both health care and financial applications. Additionally, LSP demonstrated strong alignment with global AI governance frameworks, including the General Data Protection Regulation, the California Consumer Privacy Act, and the Health Insurance Portability and Accountability Act.\n            ConclusionsLSP represents a significant advancement in privacy-preserving AI, offering a promising approach to developing AI systems that respect individual privacy while delivering valuable insights. By embedding privacy protection directly within the machine learning pipeline, LSP contributes to key principles of fairness, transparency, and accountability. Future research directions include developing theoretical privacy guarantees, exploring integration with federated learning systems, and enhancing latent space interpretability. These developments position LSP as a crucial tool for advancing ethical AI practices and ensuring responsible technology deployment in privacy-sensitive domains.",
    "topics": [
      "ai_governance",
      "data_anonymization",
      "gdpr_compliance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 1.0,
    "venue": "JMIRx Med",
    "language": "en"
  },
  {
    "id": "crossref:10.69554/fotq9875",
    "title": "Turkish data protection law: GDPR alignment and key 2024 amendment",
    "authors": [
      "Elif Küzeci"
    ],
    "date": "2025-06-01",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.69554/fotq9875",
    "pdfUrl": "",
    "doi": "10.69554/fotq9875",
    "abstract": "The Turkish Personal Data Protection Act (PDPA) came into force in 2016. Since then, expectations and discussions regarding the harmonisation of the PDPA with the General Data Protection Regulation (GDPR) have been on the agenda. The 2024 amendment to three articles of the PDPA can be seen as a first step towards this. In this regard, there is now a new regime for the transfer of personal data abroad in Türkiye. The amendment changed the scope of adequacy decisions, explicitly recognised binding corporate rules, and introduced standard contracts (standard contractual clauses [SCCs]) for the first time. This is a remarkable step towards alignment with the GDPR; however, significant differences remain, particularly in respect of data transfers based on the explicit consent of data subjects. According to the new provision of the PDPA, data transfers based on consent may only take place in incidental cases. There are a few other differences, including the absence of a docking clause in the standard contracts. More importantly, compliance with the GDPR cannot be achieved by amending only one or a few provisions. In assessing the new regime for transfers abroad, it is necessary to consider the provisions of the PDPA as a whole. This paper examines the revised data transfer regime in Türkiye in comparison to the GDPR and identifies the key issues related to this. This paper is also included in The Business &amp; Management Collection which can be accessed at https://hstalks.com/business/.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 1.0,
    "venue": "Journal of Data Protection &amp; Privacy",
    "language": "en"
  },
  {
    "id": "openaire:10.30574/wjarr.2024.22.1.1270",
    "title": "AI Meets Anonymity: How named entity recognition is redefining data privacy",
    "authors": [
      "null SANDEEP PAMARTHI"
    ],
    "date": "2024-04-30",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.30574/wjarr.2024.22.1.1270",
    "pdfUrl": "https://wjarr.com/sites/default/files/WJARR-2024-1270.pdf",
    "doi": "10.30574/wjarr.2024.22.1.1270",
    "abstract": "<jats:p>In the era of exponential data growth, individuals and organizations increasingly grapple with the tension between extracting value from data and preserving the privacy of individuals represented within it. From customer reviews and support logs to medical records and financial statements, personal information permeates virtually every dataset. Data anonymization—the process of removing or obfuscating personally identifiable information (PII)—has emerged as a critical response to this challenge. Historically, anonymization was a straightforward process: remove names, mask identifiers, and replace obvious details. But in today’s data-rich world, this approach is no longer sufficient. Advanced analytics and AI models can infer identities through behavioral patterns, geolocation data, timestamps, and unstructured text. Consequently, the sophistication of anonymization techniques must evolve in tandem with adversarial capabilities and regulatory scrutiny. Modern anonymization blends mathematical rigor, AI-powered contextual detection, and synthetic data generation to ensure irreversible de-identification. The goal is dual-fold: safeguard individuals’ identities and maintain data utility for AI/ML systems. Striking this balance is essential not only for ethical data stewardship but also for compliance with regulations such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and the California Consumer Privacy Act (CCPA). This article explores the intersection of data anonymization and Named Entity Recognition (NER), a branch of Natural Language Processing (NLP) that has become foundational for identifying sensitive text. We examine why anonymization is vital in AI-driven applications, how NER can be leveraged, and what tools are setting new standards in data privacy.</jats:p>",
    "topics": [
      "data_anonymization",
      "gdpr_compliance",
      "pii_entity_types"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 1.0,
    "venue": "World Journal of Advanced Research and Reviews",
    "language": "en"
  },
  {
    "id": "openaire:10.1093/idpl/ipx020",
    "title": "Viewing the GDPR through a de-identification lens: a tool for compliance, clarification, and consistency",
    "authors": [
      "Mike Hintze"
    ],
    "date": "2017-12-19",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1093/idpl/ipx020",
    "pdfUrl": "",
    "doi": "10.1093/idpl/ipx020",
    "abstract": "In May 2018, the General Data Protection Regulation (GDPR) will become enforceable as the basis for data protection law in the European Economic Area (EEA). Compared to the 1995 Data Protection Directive that it will replace, the GDPR reflects a more developed understanding of de-identification as encompassing a spectrum of different techniques and strengths. And under the GDPR, different levels of de-identification have concrete implications for organizations’ compliance obligations – including, in some cases, relief from certain obligations. Thus, organizations subject to the GDPR can and should consider de-identification as a key tool for GDPR compliance.   Nevertheless, there are many respects in which GDPR obligations remains unclear. Regulators and policymakers can help advance the rights of data subjects and further the objectives of the GDPR, while providing additional clarity, by interpreting, applying, and enforcing these GDPR provisions in a way that encourages and rewards the appropriate use of de-identification.   This article examines how the GDPR addresses de-identification. It reviews several substantive obligations under the GDPR, including notice, consent, data subject rights to access or delete personal data, data retention limitations, data security, breach notification, privacy by design and by default, and others. In each case, it describes how the use of different levels of de-identification can play a role in complying with the relevant obligations. It proposes that the incentives to apply de-identification found in these provisions should be reinforced by guidance and enforcement decisions that will reward the use of de-identification and encourage the highest practical level of de-identification. Such an approach will bring clarity to the rules, enable practical tools for compliance, help foster greater consistency with data protection regimes in other jurisdictions, and advance the purposes of the regulation.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "data_breach_incident",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 1.0,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.31305/rrijm2025.v05.n01.004",
    "title": "Balancing AI Innovation and Privacy: A Study of Facial Recognition Technologies under the DPDPA",
    "authors": [
      "Jayesh Rangari"
    ],
    "date": "2025-03-31",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.31305/rrijm2025.v05.n01.004",
    "pdfUrl": "",
    "doi": "10.31305/rrijm2025.v05.n01.004",
    "abstract": "<jats:p>The use of artificial intelligence facial recognition technologies poses qualitative challenges to privacy and data protection law, mainly for India’s Digital Personal Data Protection Act (DPDPA). The relationship between AI, surveillance, technologies, and legal systems is analyzed, focusing on the ways AI-FRT systems conflict with and meet the terms with data minimization, consent, algorithmic accountability, and other operationalization of rights under the DPDPA. This study examines the effects of unregulated biometric data harvesting and opaque decision-making processes in AI systems, drawing on Foucault's (1975) panopticism, algorithmic bias critique and Zuboff's (2019) surveillance capitalism theory. The methodology of this paper entails a legal comparative analysis where India’s approach towards AI regulation is adjacent with other international data protection measures like the European General Data Protection Regulation (GDPR), the US AI Bill of Rights, and China’s Integrated Governance AI policies. The results expose shortfalls in India’s legal provisions on AI, especially regarding the transparency of algorithms, rectification of AI bias, and human Intervention in automated decision making. The study highlights the existence of core data protection rights enabled by the DPDPA, however there are no clear parameters on AI governance, fairness of algorithms, or automated profiling responsibility. It puts forward suggestions for policy action to enhance AI control, including the recommendations of clear AI laws, autonomous regulatory authorities, and provisions for users to lodge complaints against violations executed by artificial intelligence. Given the current pace of India’s expansion of AI-enabled surveillance systems, the establishment of a comprehensive regulation is indispensable to achieve balance between the promotion of innovation and the protection of human rights.</jats:p>",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry",
      "data_anonymization",
      "ai_governance",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Biometric & Immutable PII",
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 1.0,
    "venue": "Revista Review Index Journal of Multidisciplinary",
    "language": "en"
  },
  {
    "id": "openaire:10.69554/attt2755",
    "title": "Mitigating AI risks: A comparative analysis of Data Protection Impact Assessments under GDPR and KVKK",
    "authors": [
      "Arzu Galandarli"
    ],
    "date": "2025-03-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.69554/attt2755",
    "pdfUrl": "",
    "doi": "10.69554/attt2755",
    "abstract": "<jats:p xml:lang=\"en\">This paper critically examines the Data Protection Impact Assessment (DPIA) frameworks under the European Union’s (EU) General Data Protection Regulation (GDPR) and Turkey’s Personal Data Protection Law (KVKK), with a particular focus on mitigating the risks posed by artificial intelligence (AI) technologies. It identifies significant gaps and challenges within each framework, especially regarding AI-specific risks such as data inference, re-identification and algorithmic bias. By analysing the regulatory landscapes and enforcement practices in key jurisdictions including Germany, France and Ireland, the paper draws lessons that could strengthen KVKK’s ability to address emerging AI-related challenges. The study adopts a comparative approach, detailing the similarities and differences between GDPR and KVKK in their application of DPIAs, their approaches to cross-border data transfers and their regulatory strategies for automated decision-making systems. The research highlights practical challenges faced by organisations, including balancing innovation with compliance, managing cross-border data flows and conducting effective risk assessments for high-risk data processing activities involving AI. Key findings include the need for Turkey’s KVKK to develop explicit AI-focused regulatory guidance, introduce mandatory DPIAs for high-risk activities and enhance transparency and accountability mechanisms. The paper also identifies best practices such as adopting privacy by design and default, leveraging technical measures such as federated learning and differential privacy, and engaging proactively with supervisory authorities to align with global standards. The paper concludes with actionable recommendations for policy makers and practitioners to harmonise KVKK with GDPR, improve cross-border data protection and foster trust in AI systems while maintaining innovation. 
These insights aim to provide a roadmap for building a robust data protection frame",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 1.0,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:electronics12244973",
    "title": "Privacy-First Paradigm for Dynamic Consent Management Systems: Empowering Data Subjects through Decentralized Data Controllers and Privacy-Preserving Techniques",
    "authors": [
      "Muhammad Irfan Khalid",
      "Mansoor Ahmed",
      "Markus Helfert",
      "Jungsuk Kim"
    ],
    "date": "2023-12-12",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.3390/electronics12244973",
    "pdfUrl": "https://www.mdpi.com/2079-9292/12/24/4973/pdf?version=1702369881",
    "doi": "10.3390/electronics12244973",
    "abstract": "<jats:p>This paper explicitly focuses on utilizing blockchain technology in dynamic consent management systems with privacy considerations. While blockchain offers improved security, the potential impact on entities’ privacy must be considered. Through a critical investigation of available contributions to the present state of the art of blockchain-based dynamic consent management systems, we highlight the limitations of plaintext storage and the processing of subject data/consent on the blockchain, which can compromise privacy. We stress the significance of keeping encrypted subject data/consent on the blockchain and sharing it in encrypted form with data controllers and requesters to guarantee privacy and security. Our proposed model demonstrates the usefulness of privacy-preserving techniques, underscoring the decentralization of the abstract entity data controller to enhance subject data/consent privacy. Additionally, we suggest the integration of privacy-enhancing technologies such as secure multi-party computation, homomorphic encryption, and differential privacy with blockchain to accomplish both security and privacy, aligning with the data sharing practices outlined in the General Data Protection Regulation (GDPR) in Europe.</jats:p>",
    "topics": [
      "gdpr_compliance",
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 1.0,
    "venue": "Electronics",
    "language": "en"
  },
  {
    "id": "openaire:10.62019/abbdm.v4i4.277",
    "title": "An insightful Machine Learning based Privacy-Preserving Technique for Federated Learning",
    "authors": [
      "Ammar Ahmed",
      "M. Aetsam Javed",
      "Junaid Nasir Qureshi",
      "Hamayun Khan",
      "Hoor Fatima Yousaf"
    ],
    "date": "2024-12-31",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.62019/abbdm.v4i4.277",
    "pdfUrl": "",
    "doi": "10.62019/abbdm.v4i4.277",
    "abstract": "<jats:p>Federated Learning has emerged as a promising paradigm for collaborative machine learning while preserving data privacy. Federated Learning is a technique that enables a large number of users to jointly learn a shared machine learning model, managed by a centralized server while training data remains on user devices. In recent years, along with the blooming of Machine Learning (ML)-based applications and services, ensuring data privacy and security has become a critical obligation. ML-based service providers are not only confronted with difficulties in collecting and managing data across heterogeneous sources but also challenges of complying with rigorous data protection regulations such as the General Data Protection Regulation (GDPR). Federated Learning is very important to reduce data privacy risks. Federated Learning is a scheme in which several consumers work collectively to unravel machine learning problems, with a dominant collector synchronizing the procedure. This paper reviews recent advancements in privacy-preserving techniques for federated learning from a machine-learning perspective. This paper investigates the potential of Federated Learning for privacy-preserving machine learning in domains like healthcare, finance and IOT, where data privacy is paramount. We explore existing techniques to enhance privacy, including differential privacy, secure aggregation, homomorphic encryption, federated learning with encrypted, meta-learning, machine learning, privacy-preserving techniques, blockchain technology, decentralized learning, federated averaging, data privacy, searchable encryption and zero-knowledge proofs. This paper concludes with future research directions to address ongoing challenges & further enhance the effectiveness & scalability of privacy-preserving federated learning.</jats:p>",
    "topics": [
      "privacy_engineering",
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 1.0,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.69849/revistaft/fa10202511232302",
    "title": "TÉCNICAS PARA ANONIMIZAR DADOS SENSÍVEIS EM SISTEMAS DE INFORMAÇÃO",
    "authors": [
      "Conrado Perini Fracacio",
      "Felipe Diniz Dallilo"
    ],
    "date": "2025-11-23",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.69849/revistaft/fa10202511232302",
    "pdfUrl": "",
    "doi": "10.69849/revistaft/fa10202511232302",
    "abstract": "<jats:p>An investigation of data privacy models focusing on anonymization techniques such as Generalization, Pseudonymization, Suppression, and Perturbation. It details formal models like k-Anonymity, l-Diversity, and t-Closeness, which emerged sequentially to mitigate vulnerabilities and protect Quasi-Identifiers (QIs) and sensitive attributes against linkage and inference attacks. Differential Privacy is highlighted as the \"Gold Standard,\" offering formal guarantees through noise injection. For empirical validation, the study uses a set of 100,000 synthetic data points with categorized attributes. The application of Hierarchical Generalization (on Date of Birth and Salary) and Total Suppression resulted in robust metrics: k=70 and l=5/l=6, indicating a high level of protection by balancing analytical utility and re-identification risk mitigation, in compliance with LGPD and GDPR.</jats:p>",
    "topics": [
      "data_anonymization",
      "linkability_tracking",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Re-identification"
    ],
    "relevanceScore": 1.0,
    "venue": "Revista ft",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::4fd234c06e27d9540aa349f24e9cebe2",
    "title": "Privacy by Design in Data Engineering: A Technical Framework",
    "authors": [
      "Vivekananda Reddy Chittireddy"
    ],
    "date": "2025-09-08",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.5281/zenodo.17079848",
    "pdfUrl": "",
    "doi": "10.5281/zenodo.17079848",
    "abstract": "Privacy by Design represents a transformative evolution in data engineering practice, fundamentally shifting from reactive compliance measures to proactive privacy integration throughout organizational data lifecycles. Modern data protection strategies encompass anonymization techniques including k-anonymity and l-diversity, pseudonymization processes, and differential privacy mechanisms that deliver mathematically sound privacy assurances. Contemporary cryptographic implementations leverage homomorphic encryption and secure multi-party computation to enable collaborative analytics while preserving data confidentiality. Privacy-preserving computing frameworks facilitate federated learning and distributed machine learning across organizational boundaries without centralizing sensitive information. Real-world applications demonstrate successful implementations across healthcare systems utilizing privacy-preserving record linkage, financial institutions employing collaborative fraud detection, and retail companies deploying privacy-aware recommendation systems. Global regulatory frameworks, particularly GDPR's explicit mandate for \"data protection by design and by default,\" have transformed Privacy by Design from voluntary best practice to legal requirement. Privacy impact assessments have become standard organizational procedures, influencing architectural decisions that embed privacy safeguards throughout data lifecycles. Advanced privacy-preserving technologies enable novel forms of data collaboration previously impossible without compromising privacy guarantees. Quantum-resistant privacy methods and artificial intelligence-specific privacy challenges represent emerging frontiers requiring specialized defense mechanisms. Comprehensive technology selection frameworks guide organizations in matching specific requirements with appropriate privacy-preserving technologies while understanding performance trade-offs and implementation challenges.",
    "topics": [
      "data_anonymization",
      "privacy_engineering",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 1.0,
    "venue": "",
    "language": "en"
  },
  {
    "id": "doaj:8d3fab343a704e4c996c7c2c1016a186",
    "title": "A Formal Model for Integrating Consent Management Into MLOps",
    "authors": [
      "Neda Peyrone",
      "Duangdao Wichadakul"
    ],
    "date": "2024",
    "platform": "doaj",
    "sourceUrl": "https://ieeexplore.ieee.org/document/10701457/",
    "pdfUrl": "",
    "doi": "10.1109/access.2024.3471773",
    "abstract": "In the artificial intelligence (AI) era, data has become increasingly essential for learning and analysis. AI enables automated decision-making that may lead to violation of the General Data Protection Regulation (GDPR). The GDPR is the data protection law within the European Union (EU) that allows individuals (‘data subjects’) to control their personal data. According to the law, automated decision-making can be permitted where data subjects give explicit consent. Therefore, consent management (CM) has become an essential software component for managing data subjects’ data lifecycle and their consent. Bringing machine learning (ML) into production needs machine learning operations (MLOps). MLOps is a set of processes for delivering ML artifacts reliably and efficiently. However, current MLOps frameworks neglect the integration of CM into their processes, leading to the risk of GDPR violations. This research proposes a formal model for integrating CM into MLOps that takes upfront privacy by design (PbD). Finally, we provided a mapping from the formal model to a class diagram as guidelines to integrate CM into MLOps and demonstrated how to apply the proposed class diagram to existing ML developments, such as machine unlearning, in conjunction with the Purchase dataset.",
    "topics": [
      "gdpr_compliance",
      "llm_privacy_attacks",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "AI Training PII",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 1.0,
    "venue": "IEEE Access",
    "language": "en"
  },
  {
    "id": "doaj:eb3f769df41f4b67a3e30089b386a854",
    "title": "Protection of Children's Personal Data under the General Data Protection Regulation (GDPR) of the European Union and its Absence in Iranian Law",
    "authors": [
      "Khadijeh Shirvani",
      "Mohammad Isaei Tafreshi"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://mtlj.usc.ac.ir/article_221928_dd097aabdb30f263af29211b11d7828d.pdf?lang=en",
    "pdfUrl": "",
    "doi": "10.22133/mtlj.2025.493734.1405",
    "abstract": "In today's digital era, where the internet and digital technologies play an integral role in children's lives, safeguarding their data has become critical. The General Data Protection Regulation (GDPR) of the European Union stands as one of the most comprehensive legal frameworks addressing this concern. It mandates parental consent for data processing, promotes the use of simple language for children's understanding, and upholds the right to data deletion. Additionally, the GDPR enforces strict limitations on processing children's data and ensures specific rights to them. However, Iran's legal system still lacks a structured and comprehensive regulatory framework for protecting children's data. Although initiatives like the \"Personal Data Protection and Support Plan\" have been introduced, they fail to explicitly prioritize children's data protection. The rapid growth of online platforms and services targeting children has raised serious concerns about privacy and data security. Social media, educational applications, and gaming platforms often collect and process children's data without adequate safeguards, exposing them to potential risks such as identity theft, unauthorized profiling, and targeted advertising. The GDPR has sought to address these concerns by introducing stringent measures that hold data controllers accountable for the lawful and transparent processing of children's data. Conversely, Iran’s legal framework remains underdeveloped in this area, lacking clear guidelines and enforcement mechanisms to ensure children’s data privacy.1. Introduction\r\nChildren are increasingly engaged in digital environments, making their data vulnerable to misuse and exploitation. The internet has revolutionized access to information, communication, and entertainment, allowing children to interact in virtual spaces that were previously inaccessible. 
However, this increased connectivity has also led to new challenges concerning privacy, security, and digital rights. With the expansion of digital technologies, children’s data has become a valuable commodity for companies and organizations that seek to analyze user behavior, target advertisements, and develop consumer profiles. This commercialization of data has raised ethical and legal concerns, particularly regarding the extent to which children's information should be collected, stored, and processed.\r\nWhile digital platforms provide numerous benefits, such as educational resources and social networking opportunities, they also expose children to potential risks. Cyberbullying, identity theft, and exploitation are just some of the dangers that children face in the online world. The lack of legal literacy among children, coupled with their limited understanding of privacy policies, makes them particularly vulnerable to data misuse. Consequently, there is an urgent need for governments and regulatory bodies to implement policies that protect children from these threats and ensure their digital rights are safeguarded.\r\nThe GDPR was introduced to address these challenges by establishing a legal framework that prioritizes the protection of children's data. By requiring companies to obtain parental consent before processing children's data, the GDPR aims to reduce unauthorized data collection and provide greater transparency in how data is used. Furthermore, the regulation emphasizes the need for child-friendly privacy policies that are easy to understand and accessible to younger audiences. These measures ensure that children and their guardians can make informed decisions about their digital presence and the data they share online.\r\nDespite the advancements brought by the GDPR, many countries, including Iran, have yet to implement comparable regulations. 
Iran's current legal framework on data protection is fragmented and lacks specific provisions that address children's online privacy. While some legislative efforts have been made, such as the proposed \"Personal Data Protection and Support Plan,\" they fail to comprehensively address children's digital rights. This gap in regulation leaves Iranian children exposed to potential data exploitation without adequate legal recourse.\r\nThe primary objective of this study is to compare GDPR's child data protection mechanisms with Iran's current legal framework and to highlight the gaps that necessitate legal reforms. By analyzing both legal systems, this research aims to provide insights into the challenges and opportunities associated with protecting children's online privacy in Iran. Additionally, the study explores the broader socio-cultural implications of implementing stricter data protection policies and the potential impact on businesses, education systems, and digital governance.\r\nWith the proliferation of digital technologies, children's data is often collected, processed, and stored without their informed consent. The absence of comprehensive regulations in Iran leaves children susceptible to online threats, including cyberbullying, unauthorized data sharing, and surveillance. Given these challenges, the study aims to provide a comparative legal analysis that will assist policymakers in formulating effective data protection strategies tailored to children's needs. By drawing lessons from the GDPR, Iran can develop a robust legal framework that prioritizes children's digital rights and ensures that their data remains secure in an increasingly connected world.\r\n \r\n2. Methodology\r\nThis study employs a comparative legal analysis method, examining the GDPR’s provisions on children's data protection alongside Iranian laws. Data is gathered from legislative documents, legal analyses, and international reports on children's digital privacy. 
The study also incorporates case studies and expert opinions to identify key areas where Iran's legal system requires improvement. The analysis further explores the socio-cultural implications of adopting stricter data protection policies in Iran.\r\nA qualitative research approach is utilized, involving document analysis and expert interviews to assess the effectiveness of existing legal frameworks. Furthermore, international best practices are reviewed to propose policy recommendations that align with global standards. By adopting a multidisciplinary perspective, the study aims to bridge the legal and technological gaps in child data protection.\r\n \r\n3. Results and Discussion\r\nThe study identifies several key differences between GDPR and Iranian laws regarding children's data protection:\r\nAge of Consent: The GDPR sets the digital age of consent at 16, allowing member states to reduce it to 13. Iran, however, follows Islamic legal age definitions (9 years for girls, 15 for boys), which significantly undermines children's ability to make informed privacy decisions. The discrepancy between the legal age of consent in Iran and international norms exposes Iranian children to potential data exploitation.\r\nTransparency and Language: The GDPR mandates that digital service providers use child-friendly, simple language in privacy policies. Iranian regulations lack explicit provisions requiring clear and understandable communication with children. Without accessible privacy policies, children in Iran are less likely to understand their digital rights and responsibilities.\r\nMarketing and Data Use Restrictions: GDPR imposes strict limits on the use of children's data for marketing and profiling, whereas Iranian laws do not explicitly prohibit data exploitation for commercial purposes. 
As a result, children in Iran may be targeted by advertisers and data brokers without adequate legal protections.\r\nRight to Data Deletion: Under the GDPR, children have the right to request data deletion, an essential safeguard against long-term privacy risks. Iran's legal system lacks explicit guarantees for such rights, leaving children's digital footprints unprotected. The absence of a \"right to be forgotten\" provision in Iran further complicates efforts to safeguard children's online privacy.\r\nThe findings highlight the need for urgent reforms in Iran’s legal framework to align with global best practices. Implementing child-specific data protection measures can reduce the risk of cyber exploitation and unauthorized data processing. Additionally, integrating privacy education into school curricula can empower children and parents to navigate digital environments safely.\r\nA comprehensive policy shift is required to ensure that Iran adopts child-centric data protection laws. Legal reforms should be accompanied by technological solutions, such as age-verification mechanisms and parental control tools, to enhance the safety of children’s online experiences. Moreover, collaboration between government agencies, educational institutions, and the private sector is essential to developing an effective child data protection ecosystem.\r\n \r\n4. Conclusions and Future Research\r\nThe study concludes that Iran must establish a legal framework similar to the GDPR to ensure children's online safety. 
Key recommendations include:\r\nRaising the legal age of consent for data processing to 18 to align with international child protection standards.\r\nMandating the use of clear and comprehensible language in privacy policies for children to ensure transparency and informed decision-making.\r\nIntroducing strict regulations limiting the commercial use of children's data and prohibiting targeted advertising practices that exploit minors.\r\nRecognizing and enforcing children's right to data deletion to protect them from potential digital harm.\r\nImplementing digital literacy programs to educate children and parents about online privacy risks and responsible internet use.\r\nEstablishing an independent regulatory body dedicated to monitoring and enforcing child data protection laws.\r\nEncouraging private sector compliance with ethical data handling practices through incentives and penalties.\r\nPromoting cross-sectoral collaboration between government agencies, tech companies, and advocacy groups to ensure a holistic approach to child data protection.\r\nConducting periodic assessments and revisions of child data protection policies to keep pace with technological advancements and emerging threats.\r\nEnhancing international cooperation to adopt best practices from global data protection frameworks and ensure seamless integration into Iran’s legal landscape.\r\nBy adopting these measures, Iran can create a safer digital landscape for children, ensuring their fundamental right to privacy is protected in the evolving digital age. Addressing legislative gaps and fostering a culture of data privacy awareness will ultimately empower children to navigate the digital world securely and responsibly.",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 1.0,
    "venue": "حقوق فناوریهای نوین",
    "language": "en"
  },
  {
    "id": "openaire:10.47857/irjms.2025.v06i01.02025",
    "title": "GDPR Safeguards for Facial Recognition Technology: A Critical Analysis",
    "authors": [
      "Peter I Gasiokwu",
      "Ufuoma Garvin Oyibodoro",
      "Michael O Ifeanyi Nwabuoku"
    ],
    "date": "2025-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.47857/irjms.2025.v06i01.02025",
    "pdfUrl": "",
    "doi": "10.47857/irjms.2025.v06i01.02025",
    "abstract": "<jats:p>The application of Face Recognition Technology (FRT) in various sectors has raised significant concerns regarding privacy and data protection, especially in the context of the General Data Protection Regulation (GDPR) 2018 (EU) 2016/679. This article critically evaluates the procedural safeguards mandated by the GDPR for the deployment of FRT. Adopting a doctrinal approach, it examines the adequacy of existing regulations in addressing the unique challenges posed by FRT, such as the risks of mass surveillance, data breaches, and biased algorithms. Through a comprehensive analysis of the GDPR’s provisions, including legal justification for processing, data minimization, and the rights of data subjects, this study identifies gaps and proposes enhancements to guarantee robust protection of individual rights. The findings underscore the need for stricter enforcement mechanisms and the development of specific guidelines tailored to the nuances of FRT.</jats:p>",
    "topics": [
      "gdpr_compliance",
      "biometric_surveillance",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 1.0,
    "venue": "International Research Journal of Multidisciplinary Scope",
    "language": "en"
  },
  {
    "id": "s2:856295bed23b241037a1dfc1f59745276f114882",
    "title": "Comparative Analysis of Passkeys (FIDO2 Authentication) on Android and iOS for GDPR Compliance in Biometric Data Protection",
    "authors": [
      "Albert Carroll",
      "Shahram Latifi"
    ],
    "date": "2025-10-13",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/856295bed23b241037a1dfc1f59745276f114882",
    "pdfUrl": "",
    "doi": "10.3390/electronics14204018",
    "abstract": "Biometric authentication, such as facial recognition and fingerprint scanning, is now standard on mobile devices, offering secure and convenient access. However, the processing of biometric data is tightly regulated under the European Union’s General Data Protection Regulation (GDPR), where such data qualifies as “special category” personal data when used for uniquely identifying individuals. Compliance requires meeting strict conditions, including explicit consent and data protection by design. Passkeys, the modern name for FIDO2-based authentication credentials developed by the FIDO Alliance, enable passwordless login using public key cryptography. Its “match-on-device” architecture stores biometric data locally in secure hardware (e.g., Android’s Trusted Execution Environment, Apple’s Secure Enclave), potentially reducing the regulatory obligations associated with cloud-based biometric processing. This paper examines how Passkeys are implemented on Android and iOS platforms and their differences in architecture, API access, and hardware design, and how those differences affect compliance with the GDPR. Through a comparative analysis, we evaluate the extent to which each platform supports local processing, data minimization, and user control—key principles under GDPR. We find that while both platforms implement strong local protections, differences in developer access, trust models, and biometric isolation can influence the effectiveness and regulatory exposure of Passkeys deployment. These differences have direct implications for privacy risk, legal compliance, and implementation choices by app developers and service providers. Our findings highlight the need for platform-aware design and regulatory interpretation in the deployment of biometric authentication technologies. 
This work can help inform stakeholders, policymakers, and legal experts in drafting robust privacy and ethical policies—not only in the realm of biometrics but across AI technologies more broadly. By understanding platform-level implications, future frameworks can better align technical design with regulatory compliance and ethical standards.",
    "topics": [
      "gdpr_compliance",
      "biometric_surveillance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 1.0,
    "venue": "Electronics",
    "language": "en"
  },
  {
    "id": "s2:0d2cddb2c8e42b2b7961a622a9a09e6f49450857",
    "title": "Approaches for Anonymization Methods in IoT Preservation Privacy",
    "authors": [
      "Manos Vasilakis",
      "Marios Vardalachakis",
      "Manolis G. Tampouratzis"
    ],
    "date": "2025-06-04",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/0d2cddb2c8e42b2b7961a622a9a09e6f49450857",
    "pdfUrl": "",
    "doi": "10.1109/EEITE65381.2025.11166166",
    "abstract": "This study investigates the importance and need for anonymization methods to maintain privacy in Internet of Things (IoT) settings. Analyzing the benefits, drawbacks and applications of various anonymization methods, such as Homomorphic Encryption, Differential Privacy (DP), Pseudonymization and Data Masking for IoT applications, including healthcare and smart cities, by comparing to show how effectively they maintain data value while ensuring robust privacy protection. The collection and analysis of large amounts of personal data pose a high potential for overall privacy issues. In addition, real-life scenarios show that anonymization methods have been used successfully to protect user identities while promoting data-driven decision-making. Another perspective of the study elaborates on how these techniques will allow someone to stay within the ambit of privacy laws such as the California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR) and remain capable, on the part of IoT participants, of mitigating privacy risks while maintaining their responsibilities. The results of our study help support developers, authorities, and businesses by realizing the importance of carefully choosing anonymization methods based on particular use cases of IoT applications.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 1.0,
    "venue": "2025 6th International Conference in Electronic Engineering & Information Technology (EEITE)",
    "language": "en"
  },
  {
    "id": "s2:3f615c78e0336332708414737d3811ea6338a486",
    "title": "Privacy Preservation in IoT: Anonymization Methods and Best Practices",
    "authors": [
      "Marios Vardalachakis",
      "Manolis G. Tampouratzis"
    ],
    "date": "2024-11-20",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/3f615c78e0336332708414737d3811ea6338a486",
    "pdfUrl": "",
    "doi": "10.1109/CIEES62939.2024.10811203",
    "abstract": "The Internet of Things (IoT) offers the most intense technological attempt, allowing objects to collect and exchange vast amounts of information efficiently. While this interconnectivity has various advantages, it also brings severe risks to each individual or organization regarding privacy. As the population of connected devices increases, so does the opportunity to abuse sensitive information, which needs reinforced privacy strategies. Risk masking has become one of the most effective strategies for data leaks. This study will examine various anonymization methods, such as homomorphic encryption, data masking, aggregation methods, pseudonymization, and differential privacy, that could be implemented with IoT data. Looking at each method using its performance, pros, and cons offers a comprehensive view of how various methods might be used to protect the user's privacy without compromising the data's utility. In addition to the introduction of multiple methods for anonymization, this study also highlights the privacy preservation methods in IoT environments based on the best practices described. It stresses the importance of determining the value of data, acquiring user acceptance, and following the law, particularly the CCPA and the GDPR. Moreover, it also discusses the importance of building initial privacy in the industry guided by businesses, developers, and users who are shaping the privacy industry’s initial norms. Given the problem and solution for ensuring privacy in IoT, this study aims to provide theoretical depth with some practical examples. Powerful anonymization practices can help stakeholders gain more trust from users, increasing the ethical expansion of IoT (in a privacy-focused direction) and good business practices.",
    "topics": [
      "data_anonymization",
      "privacy_engineering",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 1.0,
    "venue": "2024 5th International Conference on Communications, Information, Electronic and Energy Systems (CIEES)",
    "language": "en"
  },
  {
    "id": "s2:f741b2335beac0a36fba848509ce297b22322ca0",
    "title": "Autononym: Multimodal Anonymization of Health Data using Named Entity Recognition and Structured Medical Data Processing",
    "authors": [
      "Hamdi Yalin Yalic",
      "Murat Dörterler",
      "Alaettin Uçan",
      "A. Yiğit",
      "Adem Ali Yılmaz"
    ],
    "date": "2025-10-26",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/f741b2335beac0a36fba848509ce297b22322ca0",
    "pdfUrl": "",
    "doi": "10.1109/TIPTEKNO68206.2025.11270116",
    "abstract": "This paper presents Autononym, an AI-powered software platform capable of robustly and scalably anonymizing health data across several formats, including unstructured free-text documents, tabular datasets, and medical images in both DICOM and standard RGB formats. Autononym ensures compliance with privacy requirements such as KVKK and GDPR by using a few-shot Named Entity Recognition model for textual data. Tabular data anonymization applies formal privacy models such as k-anonymity, l-diversity, and t-closeness to generalize or suppress quasi-identifiers while preserving analytical utility. For medical imaging, DICOM files are processed through an in-house metadata scrubbing module, whereas RGB images go through optical character recognition-based detection and removal of burned-in text. The platform features a user-friendly web-based interface that facilitates both real-time and batch anonymization, designed for healthcare researchers and institutions. Technical evaluations confirm that the software is compatible with multiple input formats (csv, txt, DICOM) and has high accuracy in data anonymization. Integrated reporting modules enable the validation and auditing of data. Autononym empowers privacy-conscious health data sharing by integrating multimodal anonymization into a singular AI-driven framework. This ensures that medical research is secure and compliant.",
    "topics": [
      "data_anonymization",
      "pii_entity_types",
      "linkability_tracking",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Re-identification"
    ],
    "relevanceScore": 1.0,
    "venue": "Medical Technologies National Conference",
    "language": "en"
  },
  {
    "id": "openaire:oai:HAL:hal-01994667v1",
    "title": "What is Fair Data Processing ?",
    "authors": [
      "Nguyen, Benjamin"
    ],
    "date": "2017-01-01",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=oai:HAL:hal-01994667v1",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Current data protection laws in France closely scrutinize personal data processing. Indeed, in the case of such a process many constraints apply: data collection must be limited, retention limits are imposed, and more generally, the processing must be fair. Conversely, such constraints do not exist if the data is anonymous (i.e. it is not possible or at least very difficult and costly to link a data item to a real individual) - again this can be viewed as fairness, since anonymous data is by definition harmless for the individuals concerned. However, data anonymization is still an open problem. Many state of the art anonymization techniques used in statistics (such as pseudonymization, or k-anonymization) cannot be mathematically proven to have any formal guarantees. Other techniques, such as differential privacy, although able to provide these guarantees, are on the contrary difficult to use in practice, and difficult to understand by the general public. Another field investigated is cryptographic techniques, which could fully enable private data processing, such as fully homomorphic encryption. For the moment (and for a foreseeable future), these techniques are not efficient enough to be used on Big Data. Thus the question of fair data processing remains open: is anonymization a good road to follow? Shouldn't other aspects also be considered, such as the concepts promoted by the privacy field, such as openness, user control, auditability, etc? Finally, how should algorithms that run on Big Data be designed and used in order to be fair?",
    "topics": [
      "data_anonymization",
      "offline_local_processing",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 1.0,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:1672922",
    "title": "The sharpening of EU Data Protection Law in the online environment by the CJEU",
    "authors": [
      "Meryem Marzouki"
    ],
    "date": "2017-09-06",
    "platform": "hal",
    "sourceUrl": "https://shs.hal.science/halshs-01672922v1",
    "pdfUrl": "",
    "doi": "",
    "abstract": "In less than eighteen months, the Court of Justice of the European Union has drastically sharpened the European Data Protection Law, and considerably upheld the two fundamental rights to privacy and to the protection of personal data, as set forth in Article 7 and Article 8, respectively, of the Charter of Fundamental Rights of the European Union. It mainly took the CJEU three landmark rulings to achieve this result: the invalidation of the European Data Retention Directive on 8 April 2014; the recognition of a so-called ‘Right to be forgotten’ on 13 May 2014; and the invalidation of the so-called ‘Safe Harbour’ decision on 6 October 2015 - whereby the European Commission acknowledged the compliance of a third country data protection scheme with the EU law, thus restricting the power of national supervisory authorities to examine it. After a brief reminder of these three cases and their circumstances, the proposed paper will analyse their consequences in the European Union as well as at the global level. These consequences are multifold: First of all, these rulings have led to major revisions of the European data protection law and policy, as they occurred while the EU General Data Protection Regulation was still in discussion. They impacted, inter alia, the provisions on a ‘right to be forgotten’, and the ones related to decisions on third countries’ adequacy level. They also led to the replacement of the ‘Safe Harbour’ agreement by another one, the so-called ‘Privacy Shield’. Second, the invalidation of the Data Retention Directive revealed a number of contentions among Member States with regards to such legislation. Some of them, which have been reluctant to transpose this Directive in their national law, have expressed their satisfaction with the ruling. Others, which were instrumental in its adoption, soon started working on an alternative. 
Third, the rulings, which were issued only some months after Edward Snowden’s revelations on mass surveillance in the USA – as a matter of fact, these revelations were used as arguments by the plaintiff in the third case – revealed how much the CJEU is taking into account the global context and the public debate when it has to decide on cases related to the online domain. Fourth, in the case of the ‘Right to be forgotten’, the paper will show that this very controversial ruling, which actually sparked a heated debate in Europe as well as at the global level, not only is emblematic of the difficult balance of rights (here, the right to privacy and personal data protection vs. the right to freedom of expression), but also might well lead to serious issues from the rule of law perspective, as it empowers private actors – and, on top of this, US private actors – with the capacity to judge whether a given online content should be removed (or de-indexed) from the public domain.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "power_knowledge_asymmetry",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 1.0,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.21098/jcli.v3i3.271",
    "title": "MANAGING INDONESIAN DATA BREACH NOTIFICATION IN THE FINANCIAL SERVICES SECTOR: A CASE FOR ONE-STOP NOTIFICATION MODEL",
    "authors": [
      "Muhammad Deckri Algamar",
      "Abu Bakar Munir",
      "Hendro"
    ],
    "date": "2024-09-30",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.21098/jcli.v3i3.271",
    "pdfUrl": "https://doi.org/10.21098/jcli.v3i3.271",
    "doi": "10.21098/jcli.v3i3.271",
    "abstract": "As a business of trust, the banking and financial services industry must protect its reputation to ensure consumer’s confidence. However, recent adoption of emerging internet communication technologies (ICT) has introduced new risks and challenges, such as safeguarding systems from cyberattacks and protecting consumer’s personal data. Cyberattacks, especially ransomware, have shed new light on the importance of privacy and security throughout the banking and financial industry’s digitization efforts. Any organisation affected by cybersecurity attacks must face a twofold legal question. First, whether or not there has been a violation of the legal security requirements. Second, whether the attack triggers Data Breach Notification to the Data Protection Authority and/or Data Owners. This paper examines the complexity of maintaining security obligations under Indonesian Law (UU ITE, UU PDP, RPP PDP, and other relevant regulations) while also highlighting the common challenges in steering Data Breach Notification, with an enhanced perspective of the European General Data Protection Regulation (EU GDPR) practices. To address the challenges of patchwork data breach notification requirements in Indonesia, this paper proposes a proactive approach by Indonesia’s future Personal Data Protection Authority in creating a one-stop notification model to enable effective data breach incident management and notification.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.942,
    "venue": "Journal of Central Banking Law and Institutions",
    "language": "en"
  },
  {
    "id": "openaire:10.59022/ijlp.322",
    "title": "Methods and Tools for Personal Data Protection in Big Data: Analysis of Uzbekistan’s Legal Framework",
    "authors": [
      "Mamanazarov, Sardor"
    ],
    "date": "2025-04-30",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.59022/ijlp.322",
    "pdfUrl": "",
    "doi": "10.59022/ijlp.322",
    "abstract": "This study examines methods and tools for protecting personal data in the Big Data context, with a focus on Uzbekistan’s legal framework. The research analyzes anonymization, pseudonymization, privacy notices, privacy impact assessments, privacy by design, and ethical approaches to data protection. Through comparative analysis with international standards such as GDPR, the study identifies significant gaps in Uzbekistan’s “On Personal Data” law, which lacks specific provisions on modern data protection tools. Research findings reveal that while basic protections exist, Uzbekistan’s legislation requires enhancement to address Big Data challenges effectively. This paper proposes legislative amendments to include comprehensive anonymization guidelines, formal pseudonymization processes, and privacy impact assessment requirements. Additional recommendations include establishing personal data repositories, implementing privacy certification mechanisms, and developing national data ethics principles. These measures would strengthen Uzbekistan’s data protection framework while enabling innovation in the digital economy, balancing technological advancement with individual privacy rights.",
    "topics": [
      "data_anonymization",
      "privacy_engineering",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.942,
    "venue": "International journal of law and policy",
    "language": "en"
  },
  {
    "id": "openaire:10.1109/meco66322.2025.11049196",
    "title": "Structuring AI Risk Management Framework: EU AI Act FRIA, GDPR DPIA and ISO 42001/23894",
    "authors": [
      "Natalija Parlov",
      "Blanka Mateša",
      "Anamarija Mladinić"
    ],
    "date": "2025-06-10",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1109/meco66322.2025.11049196",
    "pdfUrl": "",
    "doi": "10.1109/meco66322.2025.11049196",
    "abstract": "The growing regulatory focus on trustworthy AI systems has accelerated the need for integrated approaches to AI risk management. This paper presents a structured framework that aligns the EU AI Act’s Fundamental Rights Impact Assessment (FRIA) and the GDPR’s Data Protection Impact Assessment (DPIA) with the risk management principles and processes of ISO/IEC 42001 and ISO/IEC 23894. The aim is to support organizations in addressing legal, ethical, privacy and operational risks through a unified, standards-aligned approach. It is hypothesized that embedding FRIA and DPIA procedures within ISO-compliant risk management structures can streamline compliance, strengthen governance and promote accountability and transparency. The proposed framework outlines six core phases: governance, risk identification, risk assessment, integrated impact assessment, risk treatment and monitoring and review. A dynamic feedback mechanism enables continuous improvement and adaptation to emerging risks and evolving societal expectations. By structuring these components into a coherent framework, the research supports organizations in aligning regulatory obligations with international best practices, reducing redundancy and advancing responsible, resilient AI innovation.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory",
      "ai_governance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.942,
    "venue": "MECO",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::222c3a112cb2362e0734e4c249351a5e",
    "title": "OpenAIRE webinar - Amnesia: High-accuracy Data Anonymization",
    "authors": [
      "Terrovitis, Manolis"
    ],
    "date": "2023-02-10",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.5281/zenodo.7636541",
    "pdfUrl": "",
    "doi": "10.5281/zenodo.7636541",
    "abstract": "The webinar will introduce the concept of anonymization of research data, including direct identifiers and quasi-identifiers using Amnesia, which is a flexible data anonymization tool that transforms sensitive data to datasets where formal privacy guarantees hold. Amnesia transforms original data to provide k-anonymity and k^m-anonymity. Agenda: introduction to different anonymization techniques (k-anonymity and k^m-anonymity); short demonstration of the tool. Recording also available - https://youtu.be/pgtLY1r9eeM",
    "topics": [
      "data_anonymization",
      "enterprise_privacy_ops",
      "linkability_tracking"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Re-identification",
      "Solutions Market"
    ],
    "relevanceScore": 0.942,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:2544320",
    "title": "Personal data protection: are the GDPR objectives achieved amongst information and communication students?",
    "authors": [
      "Emmanuelle Chevry Pébayle",
      "Hélène Hoblingre"
    ],
    "date": "2020-04-21",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-02544320v1",
    "pdfUrl": "https://hal.science/hal-02544320/document",
    "doi": "10.4000/proceedings.elpub.2020.15",
    "abstract": "Since 2018, the General Data Protection Regulation (GDPR), European Union regulation, demands transparency from companies and imposes new restrictions on data transfers (Botchorishvili, 2017). The purpose of this article is to analyze the uses and representations of information and communication science students regarding the GDPR and to compare it with that of students in the education sciences. This article is in line with the research on the Privacy Paradox and brings new elements of explanation thanks to the confrontation between two populations of students. In this perspective, a questionnaire was sent out to information and communication students and education sciences students. 70 students provided answers to 32 questions. More than two-thirds of the respondents gave a correct definition of the GDPR. They also believed that personal data protection was a key matter. So much considered that individuals should know the reason behind data collection as well as its use. Information and Communication students are more numerous to be convinced than Education Sciences students that training individuals is necessary. Indeed, those studying information and communication are more prone, thanks to their curriculum, to understand the issues of personal data protection. Therefore, the students who a priori know the most are more aware of the need to improve their knowledge through training. In general students had a fairly comprehensive view of the risks when lacking data protection. However, students were very divided on data monetization: 15 believed it was legitimate while 23 had no opinion. Moreover, Information and Communication students are much more likely to think that monetizing data is legitimate (13 over 54) compared to 1 over 16 Education Science students.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.942,
    "venue": "Proceedings of the ElPub Conference",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2899579542",
    "title": "A Right to Reasonable Inferences: Re-Thinking Data Protection Law in the Age of Big Data and AI",
    "authors": [
      "Sandra Wachter",
      "Brent Mittelstadt"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.31228/osf.io/mu2kf",
    "pdfUrl": "https://doi.org/10.7916/d8-g10s-ka92",
    "doi": "https://doi.org/10.31228/osf.io/mu2kf",
    "abstract": "Big Data analytics and artificial intelligence (AI) draw non-intuitive and unverifiable inferences and predictions about the behaviors, preferences, and private lives of individuals. These inferences draw on highly diverse and feature-rich data of unpredictable value, and create new opportunities for discriminatory, biased, and invasive decision-making. Concerns about algorithmic accountability are often actually concerns about the way in which these technologies draw privacy invasive and non-verifiable inferences about us that we cannot predict, understand, or refute. Data protection law is meant to protect people’s privacy, identity, reputation, and autonomy, but is currently failing to protect data subjects from the novel risks of inferential analytics. The broad concept of personal data in Europe could be interpreted to include inferences, predictions, and assumptions that refer to or impact on an individual. If seen as personal data, individuals are granted numerous rights under data protection law. However, the legal status of inferences is heavily disputed in legal scholarship, and marked by inconsistencies and contradictions within and between the views of the Article 29 Working Party and the European Court of Justice. As we show in this paper, individuals are granted little control and oversight over how their personal data is used to draw inferences about them. Compared to other types of personal data, inferences are effectively ‘economy class’ personal data in the General Data Protection Regulation (GDPR). Data subjects’ rights to know about (Art 13-15), rectify (Art 16), delete (Art 17), object to (Art 21), or port (Art 20) personal data are significantly curtailed when it comes to inferences, often requiring a greater balance with controller’s interests (e.g. trade secrets, intellectual property) than would otherwise be the case. 
Similarly, the GDPR provides insufficient protection against sensitive inferences (Art 9) or remedies to challenge inferences or important decisions based on them (Art 22(3)). This situation is not accidental. In standing jurisprudence the European Court of Justice (ECJ; Bavarian Lager, YS. and M. and S., and Nowak) and the Advocate General (AG; YS. and M. and S. and Nowak) have consistently restricted the remit of data protection law to assessing the legitimacy of input personal data undergoing processing, and to rectify, block, or erase it. Critically, the ECJ has likewise made clear that data protection law is not intended to ensure the accuracy of decisions and decision-making processes involving personal data, or to make these processes fully transparent. Conflict looms on the horizon in Europe that will further weaken the protection afforded to data subjects against inferences. Current policy proposals addressing privacy protection (the ePrivacy Regulation and the EU Digital Content Directive) fail to close the GDPR’s accountability gaps concerning inferences. At the same time, the GDPR and Europe’s new Copyright Directive aim to facilitate data mining, knowledge discovery, and Big Data analytics by limiting data subjects’ rights over personal data. And lastly, the new Trade Secrets Directive provides extensive protection of commercial interests attached to the outputs of these processes (e.g. models, algorithms and inferences). In this paper we argue that a new data protection right, the ‘right to reasonable inferences’, is needed to help close the accountability gap currently posed by ‘high risk inferences’, meaning inferences that are privacy invasive or reputation damaging and have low verifiability in the sense of being predictive or opinion-based. In cases where algorithms draw ‘high risk inferences’ about individuals, this right would require ex-ante justification to be given by the data controller to establish whether an inference is reasonable. 
This disclosure would address (1) why certain data is a relevant basis to draw inferences; (2) why these inferences are relevant for the chosen processing purpose or type of automated decision; and (3) whether the data and methods used to draw the inferences are accurate and statistically reliable. The ex-ante justification is bolstered by an additional ex-post mechanism enabling unreasonable inferences to be challenged. A right to reasonable inferences must, however, be reconciled with EU jurisprudence and counterbalanced with IP and trade secrets law as well as freedom of expression and Article 16 of the EU Charter of Fundamental Rights: the freedom to conduct a business.",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.942,
    "venue": "",
    "language": "en"
  },
  {
    "id": "s2:8ae0724142387e739c45c08de25ff06ab37494e6",
    "title": "The Digital Personal Data Protection Bill 2022 in Contrast with the EU General Data Protection Regulation: A Comparative Analysis",
    "authors": [
      "A. -"
    ],
    "date": "2023-04-21",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/8ae0724142387e739c45c08de25ff06ab37494e6",
    "pdfUrl": "https://doi.org/10.36948/ijfmr.2023.v05i02.2534",
    "doi": "10.36948/ijfmr.2023.v05i02.2534",
    "abstract": "The European Union’s General Data Protection Regulation (GDPR) is considered to be the most comprehensive & strong privacy and data protection law in the world, which doesn’t only regulate within the territory of EU but also has an extraterritorial effect. GDPR has influenced privacy & data protection legislation of many nations. India is ready with the draft Digital Personal Data Protection Bill, 2022 (DPDP Bill) which is the latest in a series of draft legislations presented and removed since mid-2018. In this article we discuss the key differences between the GDPR & DPDP Bill by analysing the different approaches and methods prescribed in both the legislations to understand their scope & applicability, concerned parties, classification of personal data, legal basis for data processing, children’s rights, reporting breach, cross-border data transfer, penalties, etc. In conclusion, we can say that the GDPR is relatively more detailed in its instructions, whereas the DPDP Bill establishes certain fundamental concepts. The DPDP Bill offers a glimpse of hope for balancing the interests of data subjects while acknowledging the practical challenges that businesses may encounter.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.942,
    "venue": "International Journal For Multidisciplinary Research",
    "language": "en"
  },
  {
    "id": "s2:aba88ff9ae9dd6bfe3e136b6d88bf28dd05fcf4f",
    "title": "Enterprise-Scale PII De-Identification with Microsoft Presidio Anonymizer: Architecture, Use Cases, and Best Practices",
    "authors": [
      "Saurabh Atri"
    ],
    "date": "2025",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/aba88ff9ae9dd6bfe3e136b6d88bf28dd05fcf4f",
    "pdfUrl": "",
    "doi": "10.63282/3050-9416.ijaibdcms-v6i4p120",
    "abstract": "Stricter privacy regulations and the rapid adoption of AI and analytics have increased the need for robust, repeatable mechanisms to detect and de-identify personally identifiable information (PII) across heterogeneous data sources. Microsoft Presidio is an open-source framework that provides context-aware PII detection and anonymization for text, images, and other modalities. This paper presents a practical architecture and implementation blueprint for enterprise-scale PII de-identification using the Presidio Anonymizer. We describe patterns for anonymizing production logs and telemetry, constructing privacy-preserving datasets for machine learning and large language models (LLMs), enabling safe data sharing with vendors, supporting non-production environments, meeting regulatory requirements (GDPR, HIPAA, PCI, and others), protecting data sent to LLMs and SaaS tools, and redacting PII in documents and images. For each use case, we outline threat models, design decisions, operator choices, and integration patterns with modern data and AI stacks. We also discuss operational considerations such as performance, extensibility, reversibility, and governance, making this a reusable reference for large organizations and a concrete demonstration of technical leadership in privacy-by-design systems.",
    "topics": [
      "data_anonymization",
      "nlp_ner_tools",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.942,
    "venue": "International Journal of AI, BigData, Computational and Management Studies",
    "language": "en"
  },
  {
    "id": "s2:87bf6cdcae3b146261ab992a8ea9ab9b6ad18a99",
    "title": "Exploring Deep Learning Approaches for Real-Time Anonymization and Privacy Preservation in Unstructured Data",
    "authors": [
      "Jorge Miño-Ayala",
      "Denys A. Flores",
      "Pablo del Hierro",
      "Gabriela Suntaxi"
    ],
    "date": "2025-06-18",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/87bf6cdcae3b146261ab992a8ea9ab9b6ad18a99",
    "pdfUrl": "",
    "doi": "10.1109/ICEDEG65568.2025.11081525",
    "abstract": "In an era dominated by Big Data, safeguarding privacy across unstructured data such as text, image, and audio datasets presents unique complexities which can be solved using AI-powered anonymization techniques. In this survey, we explore state-of-the-art approaches for text processing such as Named Entity Recognition (NER) systems, underpinned by deep learning architectures like Recurrent Neural Networks (RNNs) (e.g., LSTMs, GRUs) and Transformer Models. For image and audio, our study explores specific methods for object recognition and redaction techniques, acknowledging the intricate specific challenges of these data types. We also scrutinize real-time anonymization approaches, including masking, token substitution, and random perturbation, aiming to minimize latency while preserving the inherent value of data. Conversely, beyond anonymization, our study explores the integration of cryptographic safeguards, including homomorphic encryption and differential privacy to strengthen personal data repositories against re-identification queries. Finally, this survey also identifies privacy-preserving access control, which is a crucial requirement for real-time anonymization mechanisms so that unauthorized access to heterogenous data sources can be effectively mitigated. Our contribution is to identify key areas for future research regarding the application of both advanced deep learning approaches, and anonymization techniques in order to facilitate the processing of unstructured data for preserving user privacy while ensuring acceptable real-time performance.",
    "topics": [
      "data_anonymization",
      "pii_entity_types",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.942,
    "venue": "International Conference on eDemocracy & eGovernment",
    "language": "en"
  },
  {
    "id": "doaj:6360166f147d48968d66e052a9a37d50",
    "title": "Impact of EU Laws on AI Adoption in Smart Grids: A Review of Regulatory Barriers, Technological Challenges, and Stakeholder Benefits",
    "authors": [
      "Bo Nørregaard Jørgensen",
      "Saraswathy Shamini Gunasekaran",
      "Zheng Grace Ma"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://www.mdpi.com/1996-1073/18/12/3002",
    "pdfUrl": "",
    "doi": "10.3390/en18123002",
    "abstract": "This scoping review examines the evolving landscape of European Union (EU) legislation, as it pertains to the implementation of artificial intelligence (AI) in smart grid systems. By outlining the current regulatory landscape, including the General Data Protection Regulation (GDPR), the EU Artificial Intelligence Act, the EU Data Act, the EU Data Governance Act, the ePrivacy framework, the Network and Information Systems (NIS2) Directive, the EU Cyber Resilience Act, the EU Network Code on Cybersecurity for the electricity sector, and the EU Cybersecurity Act, it highlights both constraints and opportunities for stakeholders, including energy utilities, technology providers, and end-users. The analysis delves into regulatory barriers such as data protection requirements, algorithmic transparency mandates, and liability concerns that can limit the scope and scale of AI deployment. Technological challenges are also addressed, ranging from the integration of distributed energy resources and real-time data processing to cybersecurity and standardization issues. Despite these challenges, this review emphasizes how compliance with EU laws may ultimately boost consumer trust, promote ethical AI usage, and streamline the roll-out of robust, scalable smart grid solutions. The paper further explores stakeholder benefits, including enhanced grid stability, cost reductions through automation, and improved sustainability targets aligned with the EU’s broader energy and climate strategies. By synthesizing these findings, the review offers insights into policy gaps, technological enablers, and collaborative frameworks critical for accelerating AI-driven innovation in the energy sector, helping stakeholders navigate a complex regulatory environment while reaping its potential rewards.",
    "topics": [
      "jurisdiction_regulatory",
      "gdpr_compliance",
      "power_knowledge_asymmetry",
      "ai_governance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.912,
    "venue": "Energies",
    "language": "en"
  },
  {
    "id": "doaj:1956d9e851ed4e00ac3f29e3be3a9972",
    "title": "De-Identification of Facial Features in Magnetic Resonance Images: Software Development Using Deep Learning Technology",
    "authors": [
      "Jeong, Yeon Uk",
      "Yoo, Soyoung",
      "Kim, Young-Hak",
      "Shim, Woo Hyun"
    ],
    "date": "2020",
    "platform": "doaj",
    "sourceUrl": "http://www.jmir.org/2020/12/e22739/",
    "pdfUrl": "",
    "doi": "10.2196/22739",
    "abstract": "Background: High-resolution medical images that include facial regions can be used to recognize the subject’s face when reconstructing 3-dimensional (3D)-rendered images from 2-dimensional (2D) sequential images, which might constitute a risk of infringement of personal information when sharing data. According to the Health Insurance Portability and Accountability Act (HIPAA) privacy rules, full-face photographic images and any comparable image are direct identifiers and considered as protected health information. Moreover, the General Data Protection Regulation (GDPR) categorizes facial images as biometric data and stipulates that special restrictions should be placed on the processing of biometric data.\n            Objective: This study aimed to develop software that can remove the header information from Digital Imaging and Communications in Medicine (DICOM) format files and facial features (eyes, nose, and ears) at the 2D sliced-image level to anonymize personal information in medical images.\n            Methods: A total of 240 cranial magnetic resonance (MR) images were used to train the deep learning model (144, 48, and 48 for the training, validation, and test sets, respectively, from the Alzheimer's Disease Neuroimaging Initiative [ADNI] database). To overcome the small sample size problem, we used a data augmentation technique to create 576 images per epoch. We used attention-gated U-net for the basic structure of our deep learning model. To validate the performance of the software, we adapted an external test set comprising 100 cranial MR images from the Open Access Series of Imaging Studies (OASIS) database.\n            Results: The facial features (eyes, nose, and ears) were successfully detected and anonymized in both test sets (48 from ADNI and 100 from OASIS). Each result was manually validated in both the 2D image plane and the 3D-rendered images. 
Furthermore, the ADNI test set was verified using Microsoft Azure's face recognition artificial intelligence service. By adding a user interface, we developed and distributed (via GitHub) software named “Deface program” for medical images as an open-source project.\n            ConclusionsWe developed deep learning–based software for the anonymization of MR images that distorts the eyes, nose, and ears to prevent facial identification of the subject in reconstructed 3D images. It could be used to share medical big data for secondary research while making both data providers and recipients compliant with the relevant privacy regulations.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance",
      "sector_healthcare",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Biometric & Immutable PII",
      "Enforcement",
      "Health & Genomic PII"
    ],
    "relevanceScore": 0.912,
    "venue": "Journal of Medical Internet Research",
    "language": "en"
  },
  {
    "id": "europepmc:41737477",
    "title": "Federated learning for teacher data privacy protection: a study in the context of the PIPL.",
    "authors": [
      "Chen S",
      "Qi XZ",
      "Han XH",
      "Fan ZC",
      "Wang LL."
    ],
    "date": "2026-02-09",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.3389/fdata.2026.1681382",
    "pdfUrl": "https://europepmc.org/articles/PMC12926099?pdf=render",
    "doi": "10.3389/fdata.2026.1681382",
    "abstract": "<h4>Background</h4>The Personal Information Protection Law (PIPL) in China imposes strict requirements on personal data handling, particularly in educational contexts where teacher data privacy is critical. Traditional centralized machine learning approaches pose significant risks of data breaches and non-compliance. Federated Learning (FL) offers a promising decentralized alternative by enabling collaborative model training without sharing raw data.<h4>Methods</h4>This study combines quantitative simulations and qualitative compliance analysis to evaluate FL frameworks under PIPL principles, with a focus on Differential Privacy as the primary empirically validated mechanism for noise addition and privacy guarantee. Other techniques, such as Secure Multi-Party Computation (SMC), are analyzed theoretically for their alignment with PIPL requirements like data minimization, anonymization, and encrypted transmission.<h4>Results</h4>Experimental simulations demonstrate that FL effectively reduces data breach risks compared to centralized methods. It achieves principle-level compliance with PIPL through local data processing, differential privacy mechanisms, and secure aggregation, leading to improved privacy preservation while maintaining model performance.<h4>Conclusion</h4>FL conceptually supports teacher data privacy protection under the PIPL framework. This study proposes a tailored compliance framework that integrates FL with privacy-enhancing technologies, offering theoretical foundations and practical recommendations for educational institutions and technology implementers to deploy privacy-preserving machine learning solutions.",
    "topics": [
      "privacy_engineering",
      "data_anonymization",
      "offline_local_processing",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.912,
    "venue": "Frontiers in big data",
    "language": "de"
  },
  {
    "id": "europepmc:PPR1074910",
    "title": "Advancing Trustworthy AI in the Cloud Era: From Generative Models to Privacy-Preserving MLOps",
    "authors": [
      "Dave E",
      "Adeola F",
      "Noel D."
    ],
    "date": "2025-08-29",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.20944/preprints202508.2202.v1",
    "pdfUrl": "https://doi.org/10.20944/preprints202508.2202.v1",
    "doi": "10.20944/preprints202508.2202.v1",
    "abstract": "The accelerated adoption of artificial intelligence (AI) in cloud-based environments has transformed how organizations build, deploy, and scale intelligent systems. Among the most disruptive innovations are generative models, whose ability to synthesize text, images, code, and domain-specific insights is reshaping industries from healthcare and finance to education and creative media. However, as generative AI becomes more deeply embedded in cloud-native ecosystems, concerns over trust, fairness, interpretability, and data governance have intensified. Biases in model outputs, lack of transparency in decision-making, and uncertainties around intellectual property raise critical ethical and legal questions that directly affect user trust and regulatory compliance. To address these challenges, the principles of trustworthy AI—fairness, accountability, transparency, robustness, and respect for privacy—must be systematically integrated into the cloud AI lifecycle. This requires reimagining machine learning operations (MLOps) as more than a framework for automation and deployment, evolving it into a governance-driven infrastructure that enforces compliance and embeds safeguards against bias, model drift, and security vulnerabilities. Privacy-preserving techniques such as federated learning, differential privacy, homomorphic encryption, and secure multi-party computation are gaining prominence as essential enablers of responsible AI, allowing organizations to train and deploy models at scale without compromising sensitive data. In parallel, explainable AI (XAI) and human-in-the-loop oversight play a crucial role in ensuring accountability and transparency, while cloud providers are increasingly tasked with aligning technical architectures to emerging regulations such as the EU AI Act, NIST AI Risk Management Framework, and other global standards. The convergence of these technological, regulatory, and ethical considerations is paving the way for privacy-preserving MLOps pipe",
    "topics": [
      "ai_governance",
      "privacy_engineering",
      "data_anonymization",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations",
      "Solutions Market"
    ],
    "relevanceScore": 0.912,
    "venue": "",
    "language": "de"
  },
  {
    "id": "arxiv:2007.13086",
    "title": "Anonymizing Machine Learning Models",
    "authors": [
      "Abigail Goldsteen",
      "Gilad Ezov",
      "Ron Shmelkin",
      "Micha Moffie",
      "Ariel Farkash"
    ],
    "date": "2020-07-26",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2007.13086v3",
    "pdfUrl": "https://arxiv.org/pdf/2007.13086v3",
    "doi": "10.1007/978-3-030-93944-1_8",
    "abstract": "There is a known tension between the need to analyze personal data to drive business and privacy concerns. Many data protection regulations, including the EU General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA), set out strict restrictions and obligations on the collection and processing of personal data. Moreover, machine learning models themselves can be used to derive personal information, as demonstrated by recent membership and attribute inference attacks. Anonymized data, however, is exempt from the obligations set out in these regulations. It is therefore desirable to be able to create models that are anonymized, thus also exempting them from those obligations, in addition to providing better protection against attacks. Learning on anonymized data typically results in significant degradation in accuracy. In this work, we propose a method that is able to achieve better model accuracy by using the knowledge encoded within the trained model, and guiding our anonymization process to minimize the impact on the model's accuracy, a process we call accuracy-guided anonymization. We demonstrate that by focusing on the model's accuracy rather than generic information loss measures, our method outperforms state of the art k-anonymity methods in terms of the achieved utility, in particular with high values of k and large numbers of quasi-identifiers. We also demonstrate that our approach has a similar, and sometimes even better ability to prevent membership inference attacks as approaches based on differential privacy, while averting some of their drawbacks such as complexity, performance overhead and model-specific implementations. This makes model-guided anonymization a legitimate substitute for such methods and a practical approach to creating privacy-preserving models.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance",
      "linkability_tracking"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Re-identification"
    ],
    "relevanceScore": 0.912,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.71097/ijsat.v15.i2.7553",
    "title": "Privacy-Preserving Data Pipelines for Financial Fraud Analytics",
    "authors": [
      "Ravi Kiran Alluri"
    ],
    "date": "2024-06-08",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.71097/ijsat.v15.i2.7553",
    "pdfUrl": "",
    "doi": "10.71097/ijsat.v15.i2.7553",
    "abstract": "<jats:p>Financial fraud is a problem of increasing complexity as fraudulent activities move with the digital transformation, the rise of real-time payments, and the rapid growth of online financial services. To combat these threats, companies utilize advanced analytics and machine learning models that can identify anomalous patterns within vast amounts of transactional and behavioral data. However, the financial data, including personally identifiable information (PII) and transactional histories, is sensitive and raises serious privacy concerns. Those risks are compounded by robust regulatory environments, such as GDPR, CCPA, and data localization laws globally, which can bind organizations to exacting requirements for collecting, sharing, and processing customer data. Consequently, the demand for secure data pipelines that do not violate privacy in fraud analytics is higher than ever. In this paper, we present a general framework for constructing privacy-preserving data pipelines in the context of financial fraud detection systems. This architecture is designed to maintain data privacy, security, and regulatory compliance at all phases of the pipeline, from data ingestion and transformation to machine learning model training and real-time fraud alert generation. Our solution consolidates several essential privacy-enhancing technologies (PETs), including differential privacy, homomorphic encryption, federated learning, and secure multi-party computation, which enables collective analytics rather than sharing raw or sensitive data with unauthorized entities.</jats:p>",
    "topics": [
      "privacy_engineering",
      "data_anonymization",
      "jurisdiction_regulatory",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations",
      "Solutions Market"
    ],
    "relevanceScore": 0.912,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:sym13081490",
    "title": "Challenges and Open Problems of Legal Document Anonymization",
    "authors": [
      "Gergely Márk Csányi",
      "Dániel Nagy",
      "Renátó Vági",
      "János Pál Vadász",
      "Tamás Orosz"
    ],
    "date": "2021-08-13",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.3390/sym13081490",
    "pdfUrl": "https://www.mdpi.com/2073-8994/13/8/1490/pdf?version=1628853455",
    "doi": "10.3390/sym13081490",
    "abstract": "<jats:p>Data sharing is a central aspect of judicial systems. The openly accessible documents can make the judiciary system more transparent. On the other hand, the published legal documents can contain much sensitive information about the involved persons or companies. For this reason, the anonymization of these documents is obligatory to prevent privacy breaches. General Data Protection Regulation (GDPR) and other modern privacy-protecting regulations have strict definitions of private data containing direct and indirect identifiers. In legal documents, there is a wide range of attributes regarding the involved parties. Moreover, legal documents can contain additional information about the relations between the involved parties and rare events. Hence, the personal data can be represented by a sparse matrix of these attributes. The application of Named Entity Recognition methods is essential for a fair anonymization process but is not enough. Machine learning-based methods should be used together with anonymization models, such as differential privacy, to reduce re-identification risk. On the other hand, the information content (utility) of the text should be preserved. This paper aims to summarize and highlight the open and symmetrical problems from the fields of structured and unstructured text anonymization. The possible methods for anonymizing legal documents are discussed and illustrated by case studies from the Hungarian legal practice.</jats:p>",
    "topics": [
      "data_anonymization",
      "gdpr_compliance",
      "sector_legal",
      "pii_entity_types"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.912,
    "venue": "Symmetry",
    "language": "en"
  },
  {
    "id": "openaire:10.1109/ichi64645.2025.00077",
    "title": "Privacy in Italian Clinical Reports: A NLP-Based Anonymization Approach",
    "authors": [
      "Tobia Giovanni Paolo",
      "Patarnello Stefano",
      "Masciocchi Carlotta",
      "Nero Camilla",
      "Passarotti Marco Carlo",
      "Moretti Giovanni",
      "Marchetti Antonio",
      "Arcuri Giovanni",
      "Lilli Livia"
    ],
    "date": "2025-06-18",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1109/ichi64645.2025.00077",
    "pdfUrl": "http://xplorestaging.ieee.org/ielx8/11081517/11081519/11081543.pdf?arnumber=11081543",
    "doi": "10.1109/ichi64645.2025.00077",
    "abstract": "The sharing of data is of significant importance for the advancement of scientific and technological knowledge. However, legislation such as the General Data Protection Regulation (GDPR) in Europe and the Health Insurance Portability and Accountability Act (HIPAA) in the United States implies significant restrictions on the dissemination of personal data within the healthcare sector. This has led to the development of reliable and automated methods for the anonymization of clinical documents, becoming a key area of research. This study presents a Natural Language Processing (NLP) approach to anonymize Italian clinical reports, focusing on protecting patient privacy by identifying and masking personally identifiable information. The research employs BERT-based Named Entity Recognition models, fine-tuning them on the healthcare-specific domain. The dataset, consisting of 1000 discharge letters from the Gemelli Hospital of Rome and 100 synthetically generated reports, was annotated to include critical protected health information (PHI) categories. The study compares different tagging schemes and loss functions, addressing class imbalance. The results demonstrate that a pre-trained model designed to recognize personal identifiable information in general texts can be effectively adapted and specialized to detect PHI in clinical reports in order to anonymize them. This work underscores the challenges of handling unbalanced datasets, the over-representation of non-PHI tokens, and interclass ambiguities. This research contributes to the development of a novel transformer-based model specialized in Italian clinical text, providing a framework for clinical text anonymization, ensuring compliance with privacy standards like GDPR while preserving the utility of data for research.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance",
      "sector_healthcare",
      "pii_entity_types"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Health & Genomic PII"
    ],
    "relevanceScore": 0.912,
    "venue": "2025 IEEE 13th International Conference on Healthcare Informatics (ICHI)",
    "language": "en"
  },
  {
    "id": "openaire:10.26483/ijarcs.v16i3.7261",
    "title": "ARTIFICIAL INTELLIGENCE IN STUDENT PRIVACY AND DATA SECURITY",
    "authors": [
      "Ambar Dutta"
    ],
    "date": "2025-06-20",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.26483/ijarcs.v16i3.7261",
    "pdfUrl": "",
    "doi": "10.26483/ijarcs.v16i3.7261",
    "abstract": "<jats:p>The rapid digitization of education has revolutionized data management practices, yet it concurrently escalates risks to student data privacy and security. This paper examines the dual role of Artificial Intelligence (AI) in both exacerbating and mitigating these challenges. While AI-driven tools such as learning analytics and biometric systems enhance educational outcomes, they introduce vulnerabilities like adversarial data manipulation, over-collection of sensitive information, and algorithmic bias. Traditional security models, reliant on rule-based systems and manual oversight, prove inadequate against evolving cyber threats, underscoring the need for adaptive solutions. AI-based approaches—including federated learning, differential privacy, and anomaly detection—offer proactive mechanisms to safeguard data through decentralized training, noise-injected anonymization, and real-time threat detection. However, these technologies face implementation barriers such as high computational costs, regulatory conflicts, and ethical dilemmas. Regulatory frameworks like GDPR, FERPA, and COPPA further complicate compliance, as divergent mandates on data retention, consent, and transparency challenge global institutions. Through a comparative analysis of AI and traditional models, this study advocates for hybrid frameworks that integrate AI’s scalability with human oversight to balance innovation and accountability. Case studies highlight AI’s efficacy in reducing breaches (e.g., 75% fewer FERPA violations via automated redaction tools) but also expose risks like biased facial recognition systems. The paper concludes with strategic recommendations: prioritizing ethical AI governance, fostering regulatory harmonization, and investing in infrastructure to democratize access. By addressing these imperatives, educational stakeholders can harness AI’s potential while upholding the trust and privacy essential to equitable learning environments</jats:p>",
    "topics": [
      "data_anonymization",
      "sector_education",
      "biometric_surveillance",
      "ai_governance",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Biometric & Immutable PII",
      "Children & Education PII",
      "Enforcement"
    ],
    "relevanceScore": 0.912,
    "venue": "International Journal of Advanced Research in Computer Science",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4405169132",
    "title": "Data privacy in the era of AI: Navigating regulatory landscapes for global businesses",
    "authors": [
      "Geraldine O. Mbah"
    ],
    "date": "2024",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.30574/ijsra.2024.13.2.2396",
    "pdfUrl": "https://ijsra.net/sites/default/files/IJSRA-2024-2396.pdf",
    "doi": "https://doi.org/10.30574/ijsra.2024.13.2.2396",
    "abstract": "The convergence of artificial intelligence (AI) and data privacy has created a pivotal challenge for global businesses navigating complex regulatory landscapes. As AI systems increasingly depend on vast datasets to deliver insights and drive innovation, concerns about data protection, algorithmic transparency, and compliance with privacy laws have intensified. The global regulatory environment, encompassing frameworks such as the European Union’s General Data Protection Regulation (GDPR), California’s Consumer Privacy Act (CCPA), and China’s Personal Information Protection Law (PIPL), presents a fragmented legal landscape that requires careful navigation. This paper examines the multifaceted challenges businesses face in aligning AI adoption with regulatory compliance while maintaining ethical standards. Key concerns include managing cross-border data transfers, ensuring data minimization, addressing algorithmic biases, and safeguarding consumer rights in automated decision-making processes. Furthermore, the need for global harmonization of privacy standards is emphasized, given the inconsistencies in regulations across jurisdictions. Actionable insights are provided for businesses to adapt and thrive in this regulatory environment. These include the implementation of privacy-by-design in AI systems, the adoption of advanced data protection technologies like federated learning and differential privacy, and leveraging AI to enhance compliance processes, such as automated data audits and real-time breach detection. The paper also advocates for collaborative efforts among governments, industry stakeholders, and regulators to establish a cohesive framework for AI and data privacy. By strategically addressing these challenges, businesses can build trust with consumers, mitigate legal risks, and unlock AI’s transformative potential in a privacy-centric era.",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry",
      "data_anonymization",
      "data_breach_incident"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.912,
    "venue": "International Journal of Science and Research Archive",
    "language": "en"
  },
  {
    "id": "hal:2553978",
    "title": "European Union Data Privacy Law Developments",
    "authors": [
      "W. Gregory Voss"
    ],
    "date": "2014-12",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-02553978v1",
    "pdfUrl": "https://hal.science/hal-02553978/document",
    "doi": "",
    "abstract": "This article explores recent developments in European Union data privacy and data protection law, through an analysis of European Union advisory guidance, independent administrative agency enforcement action, case law, and legislative reform in the areas of digital technologies, the internet, telecommunications and personal data. In the first case, Article 29 Working Party guidance on anonymization techniques – so important in the field of big data – is discussed and distinguished from pseudonymization. Next, Google privacy policy enforcement action by various EU Member State data protection agencies (inter alia, France, Germany, Italy, the Netherlands and Spain) is chronicled, with lessons being drawn for businesses regarding privacy policies and data protection compliance generally. Thirdly, European Union Court of Justice joined cases Digital Rights Ir. Ltd. V. Minister for Comm. Marine & Natural Res., invalidating the EU Data Retention Directive, which was applicable to providers of publicly available electronic communications services and public communications networks, such as ISPs and telecom operators, is analyzed and the WP29 reaction to the decision is discussed. The Data Retention Directive decision and recent legislative action on the proposed EU General Data Protection Regulation (GDPR) highlight the importance in Europe of the protection of individuals’ fundamental rights to privacy and freedom of expression in the internet and telecommunications context. Finally, this article discusses recent developments regarding the GDPR, while the revelations of U.S. NSA mass surveillance programs continued to preoccupy European lawmakers.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.912,
    "venue": "Business Lawyer",
    "language": "en"
  },
  {
    "id": "europepmc:PPR1066555",
    "title": "An Efficient Collusion-Resistant and Drop-Proof Federated Learning Security Aggregation Scheme Based on RLWE",
    "authors": [
      "Zhang X",
      "Zhou T",
      "Ke W",
      "Guo Z",
      "Yang X."
    ],
    "date": "2025-08-12",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.21203/rs.3.rs-7093115/v1",
    "pdfUrl": "https://doi.org/10.21203/rs.3.rs-7093115/v1",
    "doi": "10.21203/rs.3.rs-7093115/v1",
    "abstract": "<title>Abstract</title>  <p>Federated learning, as a distributed machine learning paradigm, is of great value in protecting data privacy, but the existing FL scheme based on homomorphic encryption and differential privacy cannot take into account the properties of high efficiency, high accuracy, anti-collusion and so on. In this paper, we propose an efficient federated learning privacy preservation scheme (RLFL) based on ring-on-band error learning (RLWE), which realises an efficient federated learning framework with anti-collusion attack and anti-client dropout by fusing RLWE cryptographic properties with secure multi-party computation techniques, and the specific innovations include: 1. Introducing high-bit encoding technology to reduce noise impact to a negligible level, achieving a 3.13% accuracy improvement over traditional LWE schemes on the MNIST dataset;2. Designing a secure aggregation protocol by utilising the additive homomorphism of Shamir's Secret Sharing (SS), combined with the \\((t,k)\\) threshold mechanism to ensure that the honest-square gradient cannot be recovered when up to \\(t-1\\) malicious clients collude, where \\(k\\) is the number of participating clients; 3. Improving the communication efficiency with the help of the combination of RLWE and Number Theoretic Transformation (NTT), using coefficient coding to improve the communication efficiency, the communication overhead is only 26.7% of the original scheme in 10,000 + client scenarios, and the training speed is improved by 2.3 times compared with the FLDP scheme. The experimental results show that the accuracy of RLFL on MNIST, FMNIST, CIFAR-10, and SVHN datasets reaches up to 91.45%, 79.56%, 70.04%, and 57.04%, respectively, which is a 3.13%, 3.45%, 2.81%, and 2.87% enhancement compared with the FLDP scheme, respectively. 
In the 500-client scenario, the total training time of RLFL is 700.71 seconds, which is 47% lower than that of FLDP (1320.54 seconds), and the communication overhead is only",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.9,
    "venue": "",
    "language": "de"
  },
  {
    "id": "openaire:10.51788/tsul.lr.5.1./tcyn1311",
    "title": "De-identification and anonymization: legal and technical approaches",
    "authors": [
      "Sardor Mamanazarov"
    ],
    "date": "2024-04-05",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.51788/tsul.lr.5.1./tcyn1311",
    "pdfUrl": "https://legalreport.tsul.uz/index.php/journal/article/download/175/81",
    "doi": "10.51788/tsul.lr.5.1./tcyn1311",
    "abstract": "<jats:p>This study analyzes legal and technical approaches to data de-identification and anonymization, motivated by the need to develop balanced standards that preserve privacy without stifling beneficial data uses. Doctrinal and technical literature review methods examine provisions in major data protection laws worldwide, including the EU's GDPR, US HIPAA, and emerging frameworks in China, India, and Uzbekistan, alongside mathematical models like differential privacy and k-anonymity. The legal analysis reveals common themes like flexible research exemptions for anonymized data and calibrating standards based on sensitivity, but also gaps such as ambiguities around pseudonymization. The technical review highlights the strengths and weaknesses of encryption, perturbation, generalization, and federation techniques, emphasizing the need to complement mathematical methods with governance controls. Key findings include the importance of allowing contextual optimization, providing detailed regulatory guidance, and addressing re-identification incentives. Recommendations are provided for advancing Uzbekistan's data protection laws and practices based on international experiences, such as enabling public oversight, conducting localized impact assessments, and promoting privacy-enhancing technologies. The study concludes that to anonymize data in a way that enables research while also protecting people's rights, we need a comprehensive approach that includes laws, organizational rules, technical safeguards, ethical decision-making, and public input. All of these parts working together is important for successful data anonymization.</jats:p>",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.9,
    "venue": "Tsul legal report",
    "language": "en"
  },
  {
    "id": "s2:1fb2bc57e0fd2772907be15d4514a68fb81384d9",
    "title": "(r, k, ε)-Anonymization: Privacy-Preserving Data Publishing Algorithm Based on Multi-Dimensional Outlier Detection, k-Anonymity, and ε-Differential Privacy",
    "authors": [
      "Burak Cem Kara",
      "Can Eyupoglu",
      "Oktay Karakuş"
    ],
    "date": "2025",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/1fb2bc57e0fd2772907be15d4514a68fb81384d9",
    "pdfUrl": "",
    "doi": "10.1109/ACCESS.2025.3559410",
    "abstract": "In recent years, there has been a tremendous rise in both the volume and variety of big data, providing enormous potential benefits to businesses that seek to utilize consumer experiences for research or commercial purposes. The general data protection regulation (GDPR) implementation, on the other hand, has introduced extensive control over the use of individuals’ personal information and placed many limits. Data anonymization technologies have become an important solution for businesses trying to generate value from data while adhering to GDPR limitations. To address these challenges, researchers have developed various methods, including k-anonymity and $\\varepsilon$-differential privacy, offering solutions for both industry and academia. However, protecting individuals’ privacy against diverse attack attempts presents significant challenges for anonymization models that rely solely on a single technique, highlighting the need for more adaptable and hybrid approaches. In this study, a new hybrid anonymization algorithm called (r, k, $\\varepsilon$)-anonymization has been proposed, which combines k-anonymity and $\\varepsilon$-differential privacy models in a consistent framework and provides stronger privacy guarantees compared to existing privacy-preserving models. The proposed algorithm is capable of overcoming well-known shortcomings of the k-anonymity and $\\varepsilon$-differential privacy models, and it has been confirmed by extensive tests on real-world datasets. The proposed (r, k, $\\varepsilon$)-anonymization algorithm outperforms k-anonymity and $\\varepsilon$-differential privacy in terms of the average error rate measure, achieving data utility increases of 31.74% and 26.99%, respectively.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.9,
    "venue": "IEEE Access",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4300071243",
    "title": "Slave to the Algorithm? Why a 'right to an explanation' is probably not the remedy you are looking for",
    "authors": [
      "Lilian Edwards",
      "Michael Veale"
    ],
    "date": "2017",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.31228/osf.io/97upg",
    "pdfUrl": "https://doi.org/10.31228/osf.io/97upg",
    "doi": "https://doi.org/10.31228/osf.io/97upg",
    "abstract": "Cite as Lilian Edwards and Michael Veale, 'Slave to the Algorithm? Why a 'right to an explanation' is probably not the remedy you are looking for' (2017) 16 Duke Law and Technology Review 18–84. (First posted on SSRN 24 May 2017)Algorithms, particularly machine learning (ML) algorithms, are increasingly important to individuals’ lives, but have caused a range of concerns revolving mainly around unfairness, discrimination and opacity. Transparency in the form of a “right to an explanation” has emerged as a compellingly attractive remedy since it intuitively promises to “open the black box” to promote challenge, redress, and hopefully heightened accountability. Amidst the general furore over algorithmic bias we describe, any remedy in a storm has looked attractive.However, we argue that a right to an explanation in the EU General Data Protection Regulation (GDPR) is unlikely to present a complete remedy to algorithmic harms, particularly in some of the core “algorithmic war stories” that have shaped recent attitudes in this domain. Firstly, the law is restrictive, unclear, or even paradoxical concerning when any explanation-related right can be triggered. Secondly, even navigating this, the legal conception of explanations as “meaningful information about the logic of processing” may not be provided by the kind of ML “explanations” computer scientists have developed, partially in response. ML explanations are restricted both by the type of explanation sought, the dimensionality of the domain and the type of user seeking an explanation. 
However, “subject-centric\" explanations (SCEs) focussing on particular regions of a model around a query show promise for interactive exploration, as do explanation systems based on learning a model from outside rather than taking it apart (pedagogical vs decompositional explanations ) in dodging developers' worries of IP or trade secrets disclosure.Based on our analysis, we fear that the search for a “right to an explanation” in the GDPR may be at best distracting, and at worst nurture a new kind of “transparency fallacy.” But all is not lost. We argue that other parts of the GDPR related (i) to the right to erasure (\"right to be forgotten\") and the right to data portability; and (ii) to privacy by design, Data Protection Impact Assessments and certification and privacy seals, may have the seeds we can use to make algorithms more responsible, explicable, and human-centred.",
    "topics": [
      "gdpr_compliance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.9,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2787263245",
    "title": "Internet of Things and Blockchain: Legal Issues and Privacy. The Challenge for a Privacy Standard",
    "authors": [
      "Nicola Fabiano"
    ],
    "date": "2017",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1109/ithings-greencom-cpscom-smartdata.2017.112",
    "pdfUrl": "",
    "doi": "https://doi.org/10.1109/ithings-greencom-cpscom-smartdata.2017.112",
    "abstract": "The IoT is innovative and important phenomenon prone to several services ad applications, but it should consider the legal issues related to the data protection law. However, should be taken into account the legal issues related to the data protection and privacy law. Technological solutions are welcome, but it is necessary, before developing applications, to consider the risks which we cannot dismiss. Personal data is a value. In this context is fundamental to evaluate the legal issues and prevent them, adopting in each project the privacy by design approach. Regarding the privacy and security risks, there are some issues with potential consequences for data security and liability. The IoT system allows us to transfer data on the Internet, including personal data. In this context, it is important to consider the new European General Data Protection Regulation (GDPR) - already in force from 24 May 2016 - that will be applicable on 25 May 2018. The GDPR introduces Data Protection Impact Assessment (DPIA), data breach notification and very hard administrative fines in respect of infringements of the Regulation. A correct law analysis allows evaluating risks preventing the wrong use of personal data. The IoT ecosystem is evolving quickly, developing several applications in different sectors. The main topics for the last time are Big Data and the blockchain. People are paying attention to the latest one because of its potential concrete use for services and applications, increasing the security measures to guarantee a secure system. However, it is equally important to analyse the legal issues related to them. Everyone has the right to the protection of personal data concerning him or her. In this context, we cannot dismiss to guarantee an adequate protection of personal data designing any application. 
The contribution describes the main legal issues related to privacy and data protection especially regarding the blockchain, focusing on the Privacy by Design approach, according to the GDPR. Furthermore, I resolutely believe that is possible to develop a worldwide privacy standard framework that organisations can use for their data protection activities.",
    "topics": [
      "gdpr_compliance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.9,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2743557948",
    "title": "The Internet of Things ecosystem: The blockchain and privacy issues. The challenge for a global privacy standard",
    "authors": [
      "Nicola Fabiano"
    ],
    "date": "2017",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1109/iotgc.2017.8008970",
    "pdfUrl": "",
    "doi": "https://doi.org/10.1109/iotgc.2017.8008970",
    "abstract": "The IoT is innovative and important phenomenon prone to several services and applications, but it should consider the legal issues related to the data protection law. However, should be taken into account the legal issues related to the data protection and privacy law. Technological solutions are welcome, but it is necessary, before developing applications, to consider the risks which we cannot dismiss. Personal data is a value. In this context it is fundamental to evaluate the legal issues and prevent them, adopting in each project the privacy by design approach. Regarding the privacy and security risks, there are some issues with potential consequences for data and liability. The IoT system allows us to transfer data on the Internet, including personal data. In this context, it is important to consider the new European General Data Protection Regulation (GDPR) that will be in force on 25 May 2018. The GDPR introduces Data Protection Impact Assessment (DPIA), data breach notification and very hard administrative fines in respect of infringements of the Regulation. A correct law analysis allows evaluating risks preventing the wrong use of personal data. The contribution describes the main legal issues related to privacy and data protection focusing on the Privacy by Design approach, according to the GDPR. Furthermore, I resolutely believe that is possible to develop a global privacy standard framework that organisations can use for their data protection activities.",
    "topics": [
      "gdpr_compliance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.9,
    "venue": "",
    "language": "en"
  },
  {
    "id": "s2:0307de463f6cb52ab25a15ae5b750764a7be566a",
    "title": "The Role of De-identification in AI-Powered Zero Trust Architectures for Data Privacy Compliance",
    "authors": [
      "Mukul Mangla"
    ],
    "date": "2023-05-28",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/0307de463f6cb52ab25a15ae5b750764a7be566a",
    "pdfUrl": "",
    "doi": "10.56127/ijst.v2i2.2310",
    "abstract": "The fast adoption of the artificial intelligence (AI) in the enterprise setting has been the main factor that has changed the way companies handle, process, and protect sensitive information. However, the new acceleration has brought new risks that are related to privacy, compliance, and cybersecurity. The established perimeter-based security models have become less effective to mitigate the advanced cyber threats and insider risks, therefore, leading to the rise of Zero Trust Architectures (ZTA) as a security paradigm. Meanwhile, strict regulatory policies like the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and the California Consumer Privacy Act (CCPA) emphasize de-identification as a key tool of safety of sensitive data. Anonymization, pseudonymization, and differential privacy are collectively referred to as de-identification, which is a crucial element in supporting secure data processing without affecting analytical utility. In this paper, the author analyzes how de-identification can be used in AI-based Zero Trust systems as a tool to reach the compliance with international data privacy laws. Based on a review of retrieved literature and industry publications, as well as regulatory standards, the paper presents a conceptual framework of incorporating de-identification methods into ZTA settings to reduce risks of data leakage, adversarial attacks, and non-observance. The results show that de-identification does not just enhance the compliance but also enhances AI-based monitoring and detection functions in Zero Trust ecosystems. This work provides a new viewpoint in developing resilient, compliance-oriented, and ethically based data security architectures by merging the privacy engineering with AI-enabled ZTA",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.9,
    "venue": "International Journal for Sciences and Technology",
    "language": "en"
  },
  {
    "id": "s2:01c01b5f6759eb4879df940f21868209bb2250a7",
    "title": "GDPR Compliance Challenges in Blockchain-Based Systems",
    "authors": [
      "D. Kumar"
    ],
    "date": "2024-07-07",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/01c01b5f6759eb4879df940f21868209bb2250a7",
    "pdfUrl": "",
    "doi": "10.63345/sjaibt.v1.i3.104",
    "abstract": "Blockchain’s decentralization, transparency, and tamper‐resistance are celebrated properties for auditability and trust, yet they collide with core data protection duties under the EU General Data Protection Regulation (GDPR). This manuscript analyzes the principal compliance challenges that arise when blockchain processes personal data and proposes a practical, design-oriented framework to address them. First, we synthesize legal and regulatory positions on what counts as “personal data,” the difference between anonymization and pseudonymization, and the implications of the right to erasure, data protection by design and by default, allocation of controller/processor roles, and international data transfers. We then map these requirements to blockchain architectures (public permissionless, public permissioned, and private permissioned) and data patterns (on-chain, off-chain, hybrid). Building on recent guidance from the European Data Protection Board (EDPB) and national authorities, we outline concrete technical and governance controls—off-chain storage and on-chain commitments, keyed hashing, encryption/key-revocation strategies, chameleon-hash/redactable-ledger designs, selective-disclosure credentials/zero-knowledge proofs, and robust consortium governance—to reduce risk and improve demonstrable compliance. Applying a six-step assessment methodology to three realistic use cases (NFT profile registry, supply-chain provenance, and consortium KYC), we show that while no single pattern fully reconciles immutability with erasure, practicable combinations can align processing with GDPR’s principles of minimization, purpose limitation, storage limitation, and accountability. The paper concludes with a prioritized checklist for engineering “compliance-by-design” blockchains, and delineates scope and limitations for practitioners and researchers.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.9,
    "venue": "Scientific Journal of Artificial Intelligence and Blockchain Technologies",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3010191818",
    "title": "Resolución contractual y destino de los datos y contenidos generados por los usuarios de servicios digitales = Ttermination of contract and destination of data and content generated by users of digital services",
    "authors": [
      "Sergio Cámara Lapuente"
    ],
    "date": "2020",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.20318/cdt.2020.5226",
    "pdfUrl": "https://e-revistas.uc3m.es/index.php/CDT/article/download/5226/3704",
    "doi": "https://doi.org/10.20318/cdt.2020.5226",
    "abstract": "Resumen: Durante el uso de los contenidos y servicios digitales puestos a disposición del consu­midor por los distintos proveedores, los usuarios facilitan y crean gran cantidad de datos. El tratamiento legal del control sobre el destino de estos datos se bifurca en la actualidad en dos normas: por una parte, si se trata de datos personales, se aplicará el Reglamento (UE) General de Protección de Datos de 2016 (RGPD); por otra parte, respecto a contenidos generados por los usuarios que no sean datos personales, las reglas de la reciente Directiva (UE) 2019/770, de 20 de mayo de 2019 sobre contratos de suministro de contenidos y servicios digitales (DCSD) será de aplicación tras su transposición.Este ensayo analiza la intersección de las normas sobre protección de datos personales con las nor­mas sobre la defensa contractual del consumidor al tiempo de la extinción de este tipo de contratos por vía de resolución. Para ello compara los rasgos de los derechos de supresión, olvido y portabilidad del Reglamento con los nuevos derechos de impedir el uso de los datos y de recuperarlos establecidos en la Directiva y concluye críticamente acerca del escaso impacto que estos últimos pueden llegar a tener de­bido a su reducido ámbito de aplicación, las escasas facultades y las excesivas excepciones incorporadas finalmente en uno de los preceptos centrales de la Directiva 2019/770.Palabras clave: contenidos digitales, servicios digitales, resolución, contrato de suministro, datos personales, portabilidad, derecho al olvido, derecho de supresión, Directiva (UE) 2019/770, Reglamento General de Protección de Datos, conformidad, contenidos generados por los usuarios, consumidor.Abstract: During the use of digital content and services made available to the consumer by diffe­rent traders and platforms, users provide and create large amounts of data. 
The legal treatment of control over the destination of these data currently splits into two pieces of legislation: on the one hand, in the case of personal data, the 2016 (EU) General Data Protection Regulation (GDPR) will apply; on the other hand, in the case of user-generated content other than personal data, the rules of the recent Direc­tive (EU) 2019/770 of 20 May 2019 on contracts for the supply of digital content and services (DCSD) will apply after transposition in Member States.This paper analyses the intersection of the rules on personal data protection with the rules on the contractual protection of the consumer at the time of the extinction of this type of contract by means of termination. To this end, it compares the features of the rights to erasure, to be forgotten and to portabi­lity of the Regulation with the new rights to prevent further use of data and to retrieve them established in the Directive, and critically concludes that the latter may have little impact due to their reduced scope of application, the limited powers and the excessive exceptions finally incorporated in one of the central articles of Directive 2019/770.Keywords: digital contents, digital services, termination, contract of supply, personal data, porta­bility, right to erasure, right to be forgotten, Directive (EU) 2019/770, General Data Protection Regula­tion, conformity, user generated contents, consumer.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.9,
    "venue": "CUADERNOS DE DERECHO TRANSNACIONAL",
    "language": "es"
  },
  {
    "id": "openaire:oai:oda.oslomet.no:11250/3206147",
    "title": "Analyzing Data Anonymization techniques, challenges and AI Integration",
    "authors": [
      "Nimalmohan, Madhushan"
    ],
    "date": "2025-01-01",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=oai:oda.oslomet.no:11250/3206147",
    "pdfUrl": "",
    "doi": "",
    "abstract": "In the current digital landscape, data anonymization plays a pivotal role in safe- guarding personal information while enabling modern innovations, particularly within fields like healthcare and artificial intelligence (AI). This master’s thesis ex- plores data anonymization by examining three critical problem statements of the differences between anonymization, pseudonymization, and de-identification and their impact on data privacy regulations, the challenge of anonymizing patient data to ensure non-identifiability while maintaining research utility and the integration of AI in anonymization processes without increasing re-identification risks. The research is structured through a comprehensive literature review of 30 peer-reviewed academic papers, followed by analysis of anonymization tech- niques. Results indicate that while traditional techniques like k-anonymity and pseudonymization are prevalent, they often fall short in maintaining data util- ity when faced with modern data complexity. Similarly, AI-driven methods, in- cluding AI-assisted differential privacy and GAN-based synthetic data generation, offer promising results but also introduce risks, such as model inversion. Hybrid approaches that combine AI techniques with established anonymization methods are identified as the most effective in achieving a balance between privacy and data usability. The findings highlight the importance of specific anonymization strategies, especially in healthcare, where data accuracy is crucial for patient safety. This thesis is both academic and practical by proposing adaptive frameworks that align with regulatory standards, such as the GDPR, while facilitating safe data utilization in research and AI applications.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.9,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:3793307",
    "title": "TRANSATLANTIC DATA TRANSFER COMPLIANCE (28 B.U. J. SCI. & TECH. L. 158 (2022))",
    "authors": [
      "W. Gregory Voss"
    ],
    "date": "2022-09-15",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-03793307v1",
    "pdfUrl": "https://hal.science/hal-03793307/document",
    "doi": "",
    "abstract": "Data play a central role in the economy today. Nonetheless, the main trading partner of the United States-the European Union-places restrictions on crossborder transfers of personal data exported from the European Union. Destination countries must benefit from a decision by the European Commission that their data protection practice is \"adequate\" to import data, or transfer tools must be used to further protect those data. The United States does not benefit from such a decision and an arrangement that previously allowed data to continue to flow to the United States-the Privacy Shield-was invalidated by the Court of Justice of the European Union in 2020 in a case that is known as Schrems II. This study focuses on EU-U.S. personal data transfers. It provides a holistic view of the legal parameters involved in transatlantic data transfer compliance post-Schrems II, relevant developments past and future, and potential compliance actions, supplemented with relevant guidance and an analysis of enforcement actions. Such compliance is considered the most difficult task of privacy professionals today. The aim is to give a fuller understanding in this context of the EU General Data Protection Regulation (GDPR), which sets out the crossborder data transfer restriction, with a view to potential pathways to navigate those challenges. Following the Introduction, this study dives into both the cross-border transfer restriction contained in the GDPR, and into the Schrems II ruling. EU-U.S. negotiations to try to build a replacement for the Privacy Shield are discussed. A new 2021 version of the standard contractual clauses transfer tool, used to allow data exports, is analyzed. In addition, the requirement to respect the essence of fundamental rights and freedoms set out in the Schrems II judgment is explained. 
Supplemental measures to ensure data protection and to allow transfers to jurisdictions with problematic legislation, such as the United States (with its surveillance laws), are detailed. Furthermore, European Economic Area data protection enforcement action in the domain of cross-border transfers is studied, including a recent case relating to the use of the popular Google Analytics tracking cookies. Finally, lessons for compliance are drawn, prior to concluding remarks.",
    "topics": [
      "jurisdiction_regulatory",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.9,
    "venue": "Boston University Journal of Science & Technology Law",
    "language": "en"
  },
  {
    "id": "hal:5437043",
    "title": "Privacy-Preserving Machine Learning Algorithms: A Survey",
    "authors": [
      "Selvarajah Mohanarajah",
      "Patric Valente",
      "Aurelio Medina",
      "Thambithurai Sritharan"
    ],
    "date": "2025-12-29",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-05437043v1",
    "pdfUrl": "",
    "doi": "",
    "abstract": "This survey reviews research on privacy-preserving mechanisms for machine learning (ML) algorithms. As ML technologies become more pervasive, the need for reliable, secure, and privacy-preserving models becomes critical. Numerous real-world incidents have shown that ML systems can leak private or sensitive information about individuals whose data was used for training or evaluation. Even when raw data is not directly exposed, trained models can be vulnerable to attacks that infer membership, attributes, or other hidden properties about the training data. The present study first outlines the main privacy threats in ML, including de-anonymization and linkage attacks, membership inference, attribute inference/model inversion, model extraction, and property inference attacks. We then review key families of privacy-preserving techniques such as k-anonymity and its variants, differential privacy and its relaxations, federated learning, cryptographic approaches (including secure multi-party computation and homomorphic encryption), and widely used tools and libraries that implement these ideas in practice. For each category, we highlight typical threat models, core ideas, and known limitations and trade-offs with model utility. Finally, we discuss open challenges and future research directions in privacy-preserving ML, including improving formal guarantees, understanding the impact of composition, defending against increasingly adaptive attacks, enhancing fairness and privacy together, and making privacy-preserving techniques more practical and usable in real-world deployments.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.9,
    "venue": "Asian Journal of Probability and Statistics",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2746308549",
    "title": "How much consumers value on-line privacy? Welfare assessment of new data protection regulation (GDPR)",
    "authors": [
      "Maciej Sobolewski",
      "Michał Paliński"
    ],
    "date": "2017",
    "platform": "OpenAlex",
    "sourceUrl": "https://ideas.repec.org/p/war/wpaper/2017-17.html",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Our paper analyses upcoming personal data protection reform in the EU from the perspective of user preferences. Our aim is to estimate monetary valuation of the core instruments envisaged in the General Data Protection Regulation and assess potential welfare gain from this policy intervention. On methodological grounds, we utilize stated preference discrete choice experiment. Our final dataset consisted of 4390 choices made by 143 respondents. We used these data to estimate the mixed logit model. Our study for the first time analyses the broader spectrum of privacy control mechanisms and provides estimates of welfare gain from policy intervention in privacy domain. By taking this perspective we fill a gap in literature and provide insights into users’ preferences towards particular instruments, such as right to be forgotten, right to object profiling and personal data portability. The main finding from the analysis is that implementation of enhanced privacy control mechanisms will generate positive welfare effect. The size of estimated welfare gain from policy intervention of the same scope as GDPR amounts to 6.5 EUR per capita monthly. This result proves that there is a ‘demand’ for privacy reform driven by both concerns related to disclosing personal data as well as shortage of effective tools for privacy management.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.9,
    "venue": "RePEc: Research Papers in Economics",
    "language": "en"
  },
  {
    "id": "openaire:10.36922/aih025120021",
    "title": "Large language models-in-the-loop: Leveraging expert small artificial intelligence models for multilingual anonymization and de-identification of protected health information",
    "authors": [
      "Murat Gunay",
      "Bunyamin Keles",
      "Raife Hizlan"
    ],
    "date": "2025-09-19",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.36922/aih025120021",
    "pdfUrl": "",
    "doi": "10.36922/aih025120021",
    "abstract": "<jats:p>The rise of chronic diseases and pandemics, such as COVID-19 has emphasized the need for effective patient data processing while ensuring privacy through anonymization and de-identification of protected health information. Anonymized data facilitates research without compromising patient confidentiality. This paper introduces expert small artificial intelligence (AI) models developed using the large language model (LLM)-in-the-loop methodology to meet the demand for domain-specific de-identification of named entity recognition (NER) models. These models overcome the privacy risks associated with LLMs used through application programming interfaces by eliminating the need to transmit or store sensitive data. More importantly, they consistently outperform LLMs in de-identification tasks, offering superior performance and reliability. Our de-identification NER models, developed in eight languages&amp;mdash;English, German, Italian, French, Romanian, Turkish, Spanish, and Arabic&amp;mdash;achieved F1-macro score averages of 0.931, 0.960, 0.955, 0.937, 0.930, 0.963, 0.957, and 0.922, respectively. These results establish our de-identification NER models as the most accurate healthcare anonymization solutions, surpassing existing small models and even general-purpose LLMs, such as GPT-4o. While Part I of this series introduced the LLM-in-the-loop methodology for biomedical document translation, this second paper showcases its success in developing cost-effective expert small NER models in de-identification tasks. Our findings lay the groundwork for future healthcare AI innovations, including biomedical entity and relation extraction, demonstrating the value of specialized models for domain-specific challenges.</jats:p>",
    "topics": [
      "data_anonymization",
      "sector_healthcare",
      "pii_entity_types"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Health & Genomic PII"
    ],
    "relevanceScore": 0.883,
    "venue": "Artificial Intelligence in Health",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2803336194",
    "title": "Blockchain and Privacy Protection in the Case of the European General Data Protection Regulation (GDPR): A Delphi Study",
    "authors": [
      "Simon Schwerin"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.31585/jbba-1-1-(4)2018",
    "pdfUrl": "https://jbba.scholasticahq.com/article/3554.pdf",
    "doi": "https://doi.org/10.31585/jbba-1-1-(4)2018",
    "abstract": "The present work deals with the inter relationships of blockchain technology and the new European General Data Protection Regulation, that will be intact after May 28th, 2018. The regulation harmonises personal data protection across the European Union and aims to return the ownership of personal data to the individual. This thesis, therefore, addresses the question how this new technology that is characterised by decentralisation, immutability and truly digitised values will be affected by the strict privacy regulation and vice versa. The aim of this work is to clarify whether blockchains can comply with the new regulation on the one hand and to identify how blockchain could support its compliance, on the other hand. The questions are validated through an extensive literature review and are further investigated by using a Delphi study that asks a panel of 25 renowned experts to find opportunities, limitations and general suggestions about both topics. In addition, a framework is proposed to support the assessment of privacy and related risks of blockchains. As a result, it becomes apparent that blockchains can become more privacy friendly and comply with the regulation if an active dialogue between blockchain developers and regulatory authorities helps to strengthen their mutual understanding and work. With the support of this work and the blockchain Privacy Impact Assessment canvas a foundation for the necessary next steps is laid to overcome the challenges of defining a data controller or deleting personal data within a blockchain.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "sector_finance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Financial & Payment PII"
    ],
    "relevanceScore": 0.883,
    "venue": "The Journal of British Blockchain Association",
    "language": "en"
  },
  {
    "id": "arxiv:2507.04104",
    "title": "Human-Centered Interactive Anonymization for Privacy-Preserving Machine Learning: A Case for Human-Guided k-Anonymity",
    "authors": [
      "Sri Harsha Gajavalli"
    ],
    "date": "2025-07-05",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2507.04104v1",
    "pdfUrl": "https://arxiv.org/pdf/2507.04104v1",
    "doi": "",
    "abstract": "Privacy-preserving machine learning (ML) seeks to balance data utility and privacy, especially as regulations like the GDPR mandate the anonymization of personal data for ML applications. Conventional anonymization approaches often reduce data utility due to indiscriminate generalization or suppression of data attributes. In this study, we propose an interactive approach that incorporates human input into the k-anonymization process, enabling domain experts to guide attribute preservation based on contextual importance. Using the UCI Adult dataset, we compare classification outcomes of interactive human-influenced anonymization with traditional, fully automated methods. Our results show that human input can enhance data utility in some cases, although results vary across tasks and settings. We discuss limitations of our approach and suggest potential areas for improved interactive frameworks in privacy-aware ML.",
    "topics": [
      "data_anonymization",
      "privacy_engineering",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.883,
    "venue": "",
    "language": "en"
  },
  {
    "id": "doaj:02552889e78949599d16f926723b527c",
    "title": "A Blockchain-Based Framework With Zero-Knowledge Proof Incorporated for Safeguarded Sharing of Genomic Data Through Health Record Systems",
    "authors": [
      "Nandini Krishappa",
      "Girisha Gowdra Shivappa",
      "Sharon Zachariah",
      "Thanushree",
      "Kavyashree I. Pattan",
      "Arpita Paria",
      "Savitha Hiremath",
      "Revathi Vaithiyanathan"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://blockchainhealthcaretoday.com/index.php/journal/article/view/419/935",
    "pdfUrl": "https://blockchainhealthcaretoday.com/index.php/journal/article/view/419/935",
    "doi": "10.30953/bhty.v8.419",
    "abstract": "Genomic data sharing remains a core problem in precision medicine because genomic data are highly sensitive and unchangeable. In this article, we propose a blockchain-based framework that utilizes zero-knowledge proofs (ZKPs), smart contracts, and off-chain storage to facilitate secure, privacy-preserving data sharing within health record systems. We implemented and evaluated a proof-of-concept prototype in Python on a simulated genomic dataset. The prototype uses a hybrid storage system where metadata is retained on a blockchain and encrypted data are placed in an emulated InterPlanetary File System (IPFS). Rule-based access is controlled using smart contracts, while privacy and security are achieved using ZKPs with interactive Schnorr protocol and elliptic curve cryptography (ECC). Empirical analysis using real-time testing over 100 iterations reported an average zero-knowledge proof with blockchain (ZKPB) query latency of 5.83 ms with a 90.00% accuracy, smart contract latency of under 0.01 ms with 90.00% accuracy, blockchain query time of 0.01 ms with 90.00% accuracy, and ECC latency of 8.72 ms with 90.00% accuracy. These empirical findings validate the effectiveness and privacy guarantees of the framework, which can be utilized in healthcare research, clinical genomics, and personalized medicine workflows. In the age of precision medicine, genomic data are becoming central to powering customized diagnosis and therapy. However, its permanent and sensitive nature raises concerns over privacy, misuse, and unauthorized exploitation. Legacy centralized architecture remains vulnerable to breaches, thus necessitating more resilient alternatives. Recent advances have turned towards blockchain for its decentralization and permanence but remain incomplete in terms of scalability and privacy. 
New research also combines federated learning, smart contracts, and consent mechanisms, but few attempt to adequately address the complexity of genomic data privacy, actual-world scalability, or data protection regulations compliance. We present Secure Chain, a decentralized, privacy-enhancing infrastructure for genomic data sharing with security. By drawing on blockchain, zero-knowledge proofs (ZKPs), off-chain storage (e.g. IPFS), and homomorphic encryption, the system provides confidentiality, verifiability, and scalability. The goal here is to compare this hybrid architecture’s performance on parameters such as security, computational cost, and query response time with full compliance with law (Health Insurance Portability and Accountability Act [HIPAA] and General Data Protection Regulation [GDPR]). By comparative outputs, the framework shall prove that combining ZKPs and blockchain provides an optimal trade-off between privacy and efficiency in making Secure Chain a feasible, practical solution for safe, regulation-compliant genomic data exchange.",
    "topics": [
      "privacy_engineering",
      "gdpr_compliance",
      "sector_healthcare"
    ],
    "painPointTracks": [
      "Enforcement",
      "Health & Genomic PII",
      "Solutions Market"
    ],
    "relevanceScore": 0.854,
    "venue": "Blockchain in Healthcare Today",
    "language": "en"
  },
  {
    "id": "doaj:e8c2dc7e677e4d8a8e0e136b9be41728",
    "title": "Privacy-Preserving Data Mining Techniques in Big Data: Balancing Security and Usability",
    "authors": [
      "Azmi Shawkat  Abdulbaqi",
      "Adil M.  Salman",
      "Sagar B.  Tambe"
    ],
    "date": "2023",
    "platform": "doaj",
    "sourceUrl": "https://peninsula-press.ae/Journals/index.php/SHIFRA/article/view/13",
    "pdfUrl": "",
    "doi": "10.70470/shifra/2023/001",
    "abstract": "The exponential growth of big data across industries presents both opportunities and challenges, particularly regarding the protection of sensitive information while maintaining data utility. The problem lies in balancing privacy preservation with the ability to extract meaningful insights from large datasets, which are often vulnerable to re-identification, breaches, and misuse. Current privacy-preserving data mining (PPDM) techniques, such as anonymization, differential privacy, and cryptographic methods, provide important solutions but introduce trade-offs in terms of data utility, computational performance, and compliance with privacy regulations. The objective of this study is to evaluate these PPDM methods, focusing on their effectiveness in safeguarding privacy while minimizing the impact on data accuracy and system performance. Additionally, the study seeks to assess the compliance of these methods with legal frameworks such as GDPR and HIPAA, which impose strict data protection requirements. By conducting an exhaustive analysis with regard to privacy-utility trade-offs, computation times, and communication complexities, this work attempts to outline the respective strengths and weaknesses of each method. Since these results can be elicited from the fact that indeed anonymization techniques contribute more to data utility by reducing the risk of re-identification, whereas differential privacy guarantees a high privacy at the cost of accuracy due to the introduction of noise in data through a privacy budget epsilon. Other cryptographic techniques, like homomorphic encryption and secure multiparty computation, are computationally expensive and hard to scale but offer strong security. In that respect, this work concludes that these techniques protect privacy with great efficiency; however, a number of privacy-data usability and performance trade-offs need to be performed. 
Future research should be focused on enhancing the scalability and efficiency of these methods toward fulfilling the needs of real-time big data analytics applications without loss of privacy.",
    "topics": [
      "data_anonymization",
      "privacy_engineering",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.854,
    "venue": "Shifra",
    "language": "en"
  },
  {
    "id": "doaj:9f8c13523e424182a85f941f34ddf3d2",
    "title": "GDPR-Compliant Academic Certification via Blockchain: Legal and Technical Validation of the GAVIN Project",
    "authors": [
      "Alvaro Gómez Vieites",
      "Christian Delgado-von-Eitzen",
      "Diego Estévez Garcia"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://www.mdpi.com/2076-3417/15/16/9191",
    "pdfUrl": "https://www.preprints.org/frontend/manuscript/995f867d25c49b3bb9a8d899daeb84ba/download_pub",
    "doi": "10.3390/app15169191",
    "abstract": "For years, combining the immutability associated with blockchain technology with the European Union’s General Data Protection Regulation (GDPR) has been considered a practically unsolvable conflict due to the very nature of blockchain and the GDPR. This article presents the GAVIN project (GDPR-Compliant Blockchain-Based Architecture for Universal Learning, Education and Training Information Management), a pioneering initiative that overcomes this challenge through an innovative technical and legal approach to trusted digital academic certification. Developed by atlanTTic (University of Vigo) and funded by the European Union, GAVIN proposes a scalable architecture that combines off-chain storage, encrypted Hash-Based Message Authentication Code (HMAC) anonymization, access notarization, and blockchain-based access control. The legal validation of the working prototype under development demonstrates that blockchain decentralization is compatible with GDPR compliance. The model is presented as a replicable reference for institutions wishing to leverage distributed ledger technologies without compromising personal data protection. This paper details the legal design, technical architecture, and compliance mechanisms, offering a practical framework for implementing decentralized systems with privacy by design.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.854,
    "venue": "Applied Sciences",
    "language": "en"
  },
  {
    "id": "pubmed:36995759",
    "title": "Federated Machine Learning, Privacy-Enhancing Technologies, and Data Protection Laws in Medical Research: Scoping Review.",
    "authors": [
      "Brauneck, Alissa",
      "Schmalhorst, Louisa",
      "Kazemi Majdabadi, Mohammad Mahdi",
      "Bakhtiari, Mohammad",
      "Völker, Uwe",
      "Baumbach, Jan",
      "Baumbach, Linda",
      "Buchholtz, Gabriele"
    ],
    "date": "2023-03-30",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1145/3298981",
    "pdfUrl": "https://www.jmir.org/2023/1/e41588/PDF",
    "doi": "10.1145/3298981",
    "abstract": "BACKGROUND: The collection, storage, and analysis of large data sets are relevant in many sectors. Especially in the medical field, the processing of patient data promises great progress in personalized health care. However, it is strictly regulated, such as by the General Data Protection Regulation (GDPR). These regulations mandate strict data security and data protection and, thus, create major challenges for collecting and using large data sets. Technologies such as federated learning (FL), especially paired with differential privacy (DP) and secure multiparty computation (SMPC), aim to solve these challenges. OBJECTIVE: This scoping review aimed to summarize the current discussion on the legal questions and concerns related to FL systems in medical research. We were particularly interested in whether and to what extent FL applications and training processes are compliant with the GDPR data protection law and whether the use of the aforementioned privacy-enhancing technologies (DP and SMPC) affects this legal compliance. We placed special emphasis on the consequences for medical research and development. METHODS: We performed a scoping review according to the PRISMA-ScR (Preferred Reporting Items for Systematic Reviews and Meta-Analyses extension for Scoping Reviews). We reviewed articles on Beck-Online, SSRN, ScienceDirect, arXiv, and Google Scholar published in German or English between 2016 and 2022. We examined 4 questions: whether local and global models are \"personal data\" as per the GDPR; what the \"roles\" as defined by the GDPR of various parties in FL are; who controls the data at various stages of the training process; and how, if at all, the use of privacy-enhancing technologies affects these findings. RESULTS: We identified and summarized the findings of 56 relevant publications on FL. Local and likely also global models constitute personal data according to the GDPR. 
FL strengthens data protection but is still vulnerable to a number of attacks and the",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "privacy_engineering",
      "sector_legal"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations",
      "Solutions Market"
    ],
    "relevanceScore": 0.854,
    "venue": "Journal of medical Internet research",
    "language": "en"
  },
  {
    "id": "arxiv:2106.02287",
    "title": "Dutch Named Entity Recognition and De-identification Methods for the Human Resource Domain",
    "authors": [
      "Chaïm van Toledo",
      "Friso van Dijk",
      "Marco Spruit"
    ],
    "date": "2021-06-04",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2106.02287v1",
    "pdfUrl": "https://arxiv.org/pdf/2106.02287v1",
    "doi": "10.5121/ijnlc.2020.9602",
    "abstract": "The human resource (HR) domain contains various types of privacy-sensitive textual data, such as e-mail correspondence and performance appraisal. Doing research on these documents brings several challenges, one of them anonymisation. In this paper, we evaluate the current Dutch text de-identification methods for the HR domain in four steps. First, by updating one of these methods with the latest named entity recognition (NER) models. The result is that the NER model based on the CoNLL 2002 corpus in combination with the BERTje transformer give the best combination for suppressing persons (recall 0.94) and locations (recall 0.82). For suppressing gender, DEDUCE is performing best (recall 0.53). Second NER evaluation is based on both strict de-identification of entities (a person must be suppressed as a person) and third evaluation on a loose sense of de-identification (no matter what how a person is suppressed, as long it is suppressed). In the fourth and last step a new kind of NER dataset is tested for recognising job titles in texts.",
    "topics": [
      "nlp_ner_tools",
      "pii_entity_types",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.854,
    "venue": "",
    "language": "en"
  },
  {
    "id": "crossref:10.1093/idpl/ipag002",
    "title": "Anonymization in healthcare AI under GDPR: measurable privacy protection and global implications",
    "authors": [
      "Jui Jen Peng",
      "I-Chun Chen"
    ],
    "date": "2026-02-19",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.1093/idpl/ipag002",
    "pdfUrl": "https://academic.oup.com/idpl/advance-article-pdf/doi/10.1093/idpl/ipag002/66992045/ipag002.pdf",
    "doi": "10.1093/idpl/ipag002",
    "abstract": "Abstract\n                  Healthcare AI depends on high-dimensional, sensitive data from clinical records, imaging, genomics and wearables, creating heightened risks of identifiability that require rigorous anonymization. We present a practice-oriented approach to operationalize anonymization as measurable reductions in singling out, linkability, and inference under the General Data Protection Regulation (GDPR), aligned with the European Union Artificial Intelligence Act (EU AI Act). The synthesis integrates regulatory guidance (EDPB, ICO, CNIL) with international frameworks (OECD, NIST, WHO) and technical studies on privacy-enhancing technologies to define testable criteria. We develop an acceptance-tested methodology (validated against pre-defined success criteria) comprising test plans, context-calibrated thresholds and auditable evidence, supported by a dual documentation architecture linking Data Protection Impact Assessments (DPIAs) and AI Act technical files. Comparative analysis of GDPR, Health Insurance Portability and Accountability Act (HIPAA), Personal Information Protection Law (PIPL), and India’s Digital Personal Data Protection Act (DPDP Act) shows cross-border governance implications, and findings support a measurement-first strategy that reconciles privacy protection with data utility and fairness at scale.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.854,
    "venue": "International Data Privacy Law",
    "language": "en"
  },
  {
    "id": "crossref:10.48161/qpj.v5n1a41",
    "title": "Legal Compliance and Consumer Protection in the Digital Marketplace: GDPR-Driven Standards for E-Commerce Privacy Policies within the International Legal Framework",
    "authors": [
      "Madhulika Singh",
      "Tatiana Suplicy Barbosa"
    ],
    "date": "2026-02-13",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.48161/qpj.v5n1a41",
    "pdfUrl": "https://polqubahan.com/pol/index.php/QPJ/article/download/41/15",
    "doi": "10.48161/qpj.v5n1a41",
    "abstract": "The foundation of European Union’s General Data Protection Regulation (GDPR), has played a pivotal role in regulating rapid digitalization of global commerce, bringing in the necessary model shift in digital data governance. The article explores in depth GDPR as a transnational regulatory instrument crucial in enforcing extraterritorial reach of its provisions. Further the Court of Justice of the European Union (CJEU) have through judicial activism and expansive interpretation defined corporate digital responsibility. The article highlights how transcontinental regulation, especially through the ‘Brussels Effect’, GDPR has transformed privacy into a competitive differentiator, through play in market dynamics rather than being enforced through stringent legislations. The article then moves to study the pressure of GDPR’s requirement for autonomous consumer consent and corporate dark patterns that slyly bypasses the regulatory hammer of data sovereignty. The celebrated cases against Meta and Amazon are analysed to illustrate the transition of privacy policies from symbolic disclosures to enforceable legal instruments. Furthermore, the article provides a comparative evaluation of India’s Digital Personal Data Protection (DPDP) Act, 2023, highlighting the normative convergence between the ‘rights-based’ European model and India’s ‘sovereignty-driven’ framework. The cross-national development on the regulation of privacy is emerging, though structural divergences regarding state exemptions and regulatory independence remain the persistent challenges. The article suggests a ‘highest common denominator’ compliance strategy and a shift toward ‘privacy by design’ to navigate this increasingly fragmented international legal landscape.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "privacy_engineering",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.854,
    "venue": "Qubahan Political Journal",
    "language": "en"
  },
  {
    "id": "openaire:10.37634/efp.2025.2.24",
    "title": "Transformation of the personal data protection system under the influence of artificial intelligence technology development",
    "authors": [
      "Andrii KOLESNIKOV",
      "Yaroslav CHAPELSKYI",
      "Volodymyr BUDNYK",
      "Yurii KOZHENOVSKYI"
    ],
    "date": "2025-02-28",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.37634/efp.2025.2.24",
    "pdfUrl": "",
    "doi": "10.37634/efp.2025.2.24",
    "abstract": "<jats:p>Introduction. The rapid development of artificial intelligence technologies creates new challenges in personal data protection. With the widespread implementation of AI systems across various sectors of society, there is an unprecedented increase in the collection and processing of personal data, significantly elevating privacy risks. According to IBM's Cost of a Data Breach Report 2023, AI-related incidents lead to a 37% increase in average breach costs, highlighting the growing significance of this issue. The purpose of the paper is to investigate current challenges and issues in personal data protection arising from the development and implementation of artificial intelligence technologies, with particular focus on the transformation of existing protection mechanisms and regulatory frameworks. Results. The research identifies several key challenges in personal data protection related to AI systems, particularly the \"black box\" problem where AI decision-making processes become opaque and difficult to understand. The study highlights ethical concerns regarding large-scale data processing by AI systems, which can lead to privacy violations and discrimination. Analysis of current legal frameworks, including GDPR and the EU AI Act, reveals the importance of comprehensive regulation at both international and national levels. The research emphasizes the need for technical and organizational measures, including data encryption, anonymization techniques, and access control systems. The study also identifies the crucial role of international cooperation in developing unified standards for personal data protection in AI systems. Conclusion. The effective protection of personal data in the age of artificial intelligence requires a comprehensive approach combining legal regulation, technical measures, and international cooperation. 
The implementation of the «privacy by design» principle and the development of control mechanisms for compliance with data protection requ",
    "topics": [
      "data_anonymization",
      "privacy_engineering",
      "jurisdiction_regulatory",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations",
      "Solutions Market"
    ],
    "relevanceScore": 0.854,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:4239",
    "title": "The General Data Protection Regulation in the Age of Surveillance Capitalism",
    "authors": [
      "Jane Andrew",
      "Max Baker"
    ],
    "date": "2019-06-18",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1007/s10551-019-04239-z",
    "pdfUrl": "",
    "doi": "10.1007/s10551-019-04239-z",
    "abstract": "Clicks, comments, transactions, and physical movements are being increasingly recorded and analyzed by Big Data processors who use this information to trace the sentiment and activities of markets and voters. While the benefits of Big Data have received considerable attention, it is the potential social costs of practices associated with Big Data that are of interest to us in this paper. Prior research has investigated the impact of Big Data on individual privacy rights, however, there is also growing recognition of its capacity to be mobilized for surveillance purposes. Our paper delineates the underlying issues of privacy and surveillance and presents them as in tension with one another. We postulate that efforts at controlling Big Data may create a trade-off of risks rather than an overall improvement in data protection. We explore this idea in relation to the principles of the European Union’s General Data Protection Regulation (GDPR) as it arguably embodies the new ‘gold standard’ of cyber-laws. We posit that safeguards advocated by the law, anonymization and pseudonymization, while representing effective counter measures to privacy concerns, also incentivize the use, collection, and trade of behavioral and other forms of de-identified data. We consider the legal status of these ownerless forms of data, arguing that data protection techniques such as anonymization and pseudonymization raise significant concerns over the ownership of behavioral data and its potential use in the large-scale modification of activities and choices made both on and offline.",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.854,
    "venue": "Journal of Business Ethics",
    "language": "en"
  },
  {
    "id": "doaj:82879636ae1f470394b7db8940b84b59",
    "title": "AnonymAI: An Approach with Differential Privacy and Intelligent Agents for the Automated Anonymization of Sensitive Data",
    "authors": [
      "Marcelo Nascimento Oliveira Soares",
      "Leonardo Barbosa Oliveira",
      "Antonio João Gonçalves Azambuja",
      "Jean Phelipe de Oliveira Lima",
      "Anderson Silva Soares"
    ],
    "date": "2026",
    "platform": "doaj",
    "sourceUrl": "https://www.mdpi.com/1999-5903/18/1/41",
    "pdfUrl": "",
    "doi": "10.3390/fi18010041",
    "abstract": "Data governance for responsible AI systems remains challenged by the lack of automated tools that can apply robust privacy-preserving techniques without destroying analytical value. We propose AnonymAI, a novel methodological framework that integrates LLM-based intelligent agents, the mathematical guarantees of differential privacy, and an automated workflow to generate anonymized datasets for analytical applications. This framework produces data tables with formally verifiable privacy protection, dramatically reducing the need for manual classification and the risk of human error. Focusing on the protection of tabular data containing sensitive personal information, AnonymAI is designed as a generalized, replicable pipeline adaptable to different regulations (e.g., General Data Protection Regulation) and use-case scenarios. The novelty lies in combining the contextual classification capabilities of LLMs with the mathematical rigor of differential privacy, enabling an end-to-end pipeline from raw data to a protected, analysis-ready dataset. The efficiency and formal guarantees of this approach offer significant advantages over conventional anonymization methods, which are often manual, inconsistent, and lack the verifiable protections of differential privacy. Validation studies, covering both controlled experiments on four types of synthetic datasets and broader tests on 19 real-world public tables from various domains, confirmed the applicability of the framework, with the agent-based classifier achieving high overall accuracy in identifying confidential columns. The results demonstrate that the protected data maintains high value for statistical analysis and machine learning models, highlighting AnonymAI’s potential to advance responsible data sharing. This work paves the way for trustworthy and scalable data governance in AI through a rigorously engineered automated anonymization pipeline.",
    "topics": [
      "data_anonymization",
      "enterprise_privacy_ops",
      "gdpr_compliance",
      "ai_governance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.854,
    "venue": "Future Internet",
    "language": "en"
  },
  {
    "id": "hal:4971367",
    "title": "Personal data protection: are GDPR objectives being achieved with students?",
    "authors": [
      "Hélène Hoblingre Klein",
      "Emmanuelle Chevry Pébayle"
    ],
    "date": "2024-11-01",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-04971367v1",
    "pdfUrl": "https://hal.science/hal-04971367/document",
    "doi": "10.7459/es/420203",
    "abstract": "This article looks at the effects of university education in a European context where the General Data Protection Regulation (GDPR) should be conducive to a heightened awareness of personal data and to the knowledge of the issues involved in collecting it. Through a quantitative and comparative analysis, we compared the knowledge, the representations and the practices of information science students with those of students from other disciplines. This comparison led us to different conclusions. Information-communication students are more familiar than others with the GDPR and the possibilities offered to them in terms of personal data control. However, across all disciplines, students have a tendency to accept the conditions under which their data is used without any reservation. A privacy paradox thus emerges, and university education seems powerless to counterbalance interface-induced conditioning and the effects of \"consent fatigue\".",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.854,
    "venue": "Education and Society",
    "language": "en"
  },
  {
    "id": "openaire:10.2139/ssrn.3878867",
    "title": "The Ethics of Facial Recognition Technologies, Surveillance and Accountability in an Age of Artificial Intelligence: A Comparative Analysis of USA, EU and UK Regulatory Frameworks",
    "authors": [
      "Denise Almeida",
      "Konstantin Shmarko",
      "Elizabeth Lomas"
    ],
    "date": "2021-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.2139/ssrn.3878867",
    "pdfUrl": "https://link.springer.com/content/pdf/10.1007/s43681-021-00077-w.pdf",
    "doi": "10.2139/ssrn.3878867",
    "abstract": "<jats:title>Abstract</jats:title><jats:p>The rapid development of facial recognition technologies (FRT) has led to complex ethical choices in terms of balancing individual privacy rights versus delivering societal safety. Within this space, increasingly commonplace use of these technologies by law enforcement agencies has presented a particular lens for probing this complex landscape, its application, and the acceptable extent of citizen surveillance. This analysis focuses on the regulatory contexts and recent case law in the United States (USA), United Kingdom (UK), and European Union (EU) in terms of the use and misuse of FRT by law enforcement agencies. In the case of the USA, it is one of the main global regions in which the technology is being rapidly evolved, and yet, it has a patchwork of legislation with less emphasis on data protection and privacy. Within the context of the EU and the UK, there has been a critical focus on the development of accountability requirements particularly when considered in the context of the EU’s General Data Protection Regulation (GDPR) and the legal focus on Privacy by Design (PbD). However, globally, there is no standardised human rights framework and regulatory requirements that can be easily applied to FRT rollout. This article contains a discursive discussion considering the complexity of the ethical and regulatory dimensions at play in these spaces including considering data protection and human rights frameworks. It concludes that data protection impact assessments (DPIA) and human rights impact assessments together with greater transparency, regulation, audit and explanation of FRT use, and application in individual contexts would improve FRT deployments. In addition, it sets out ten critical questions which it suggests need to be answered for the successful development and deployment of FRT and AI more broadly. 
It is suggested that these should be answered by lawmakers, policy makers, AI developers, and adopters.</jats:",
    "topics": [
      "gdpr_compliance",
      "biometric_surveillance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.854,
    "venue": "AI and Ethics",
    "language": "en"
  },
  {
    "id": "pubmed:32234789",
    "title": "Towards formalizing the GDPR's notion of singling out.",
    "authors": [
      "Cohen, Aloni",
      "Nissim, Kobbi"
    ],
    "date": "2020-03-31",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1073/pnas.1914598117",
    "pdfUrl": "https://europepmc.org/articles/PMC7165454?pdf=render",
    "doi": "10.1073/pnas.1914598117",
    "abstract": "There is a significant conceptual gap between legal and mathematical thinking around data privacy. The effect is uncertainty as to which technical offerings meet legal standards. This uncertainty is exacerbated by a litany of successful privacy attacks demonstrating that traditional statistical disclosure limitation techniques often fall short of the privacy envisioned by regulators. We define \"predicate singling out,\" a type of privacy attack intended to capture the concept of singling out appearing in the General Data Protection Regulation (GDPR). An adversary predicate singles out a dataset x using the output of a data-release mechanism [Formula: see text] if it finds a predicate p matching exactly one row in x with probability much better than a statistical baseline. A data-release mechanism that precludes such attacks is \"secure against predicate singling out\" ( PSO secure ). We argue that PSO security is a mathematical concept with legal consequences. Any data-release mechanism that purports to \"render anonymous\" personal data under the GDPR must prevent singling out and, hence, must be PSO secure. We analyze the properties of PSO security, showing that it fails to compose. Namely, a combination of more than logarithmically many exact counts, each individually PSO secure, facilitates predicate singling out. Finally, we ask whether differential privacy and k-anonymity are PSO secure. Leveraging a connection to statistical generalization, we show that differential privacy implies PSO security. However, and in contrast with current legal guidance, k-anonymity does not: There exists a simple predicate singling out attack under mild assumptions on the k-anonymizer and the data distribution.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "linkability_tracking"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Re-identification"
    ],
    "relevanceScore": 0.854,
    "venue": "Proceedings of the National Academy of Sciences of the United States of America",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::93f1ca2554c3ed3f7c8534a7c9e18edc",
    "title": "Affective Computing and Emotional Data: Challenges and Implications in Privacy Regulations, The AI Act, and Ethics in Large Language Models",
    "authors": [
      "Fabiano, Nicola"
    ],
    "date": "2025-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.48550/arxiv.2509.20153",
    "pdfUrl": "",
    "doi": "10.48550/arxiv.2509.20153",
    "abstract": "This paper examines the integration of emotional intelligence into artificial intelligence systems, with a focus on affective computing and the growing capabilities of Large Language Models (LLMs), such as ChatGPT and Claude, to recognize and respond to human emotions. Drawing on interdisciplinary research that combines computer science, psychology, and neuroscience, the study analyzes foundational neural architectures - CNNs for processing facial expressions and RNNs for sequential data, such as speech and text - that enable emotion recognition. It examines the transformation of human emotional experiences into structured emotional data, addressing the distinction between explicit emotional data collected with informed consent in research settings and implicit data gathered passively through everyday digital interactions. That raises critical concerns about lawful processing, AI transparency, and individual autonomy over emotional expressions in digital environments. The paper explores implications across various domains, including healthcare, education, and customer service, while addressing challenges of cultural variations in emotional expression and potential biases in emotion recognition systems across different demographic groups. From a regulatory perspective, the paper examines emotional data in the context of the GDPR and the EU AI Act frameworks, highlighting how emotional data may be considered sensitive personal data that requires robust safeguards, including purpose limitation, data minimization, and meaningful consent mechanisms.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory",
      "ai_governance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.854,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.55843/isc2024conf388b",
    "title": "THE PRIVACY-SECURITY DILEMMA: THE IMPACT OF MASS SURVEILLANCE TECHNOLOGIES ON HUMAN RIGHTS",
    "authors": [
      "Ingrid S BERGMAN"
    ],
    "date": "2024-10-24",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.55843/isc2024conf388b",
    "pdfUrl": "",
    "doi": "10.55843/isc2024conf388b",
    "abstract": "<jats:p>The rapid proliferation of digital surveillance technologies has profoundly reshaped the balance between individual freedoms and national security. This study investigates how contemporary surveillance regimes, intensified by artificial intelligence and big data analytics, impact fundamental human rights—especially the right to privacy. Drawing upon the historical evolution of the right to privacy and post-9/11 legal transformations, the paper demonstrates how national security narratives have normalized mass surveillance under the guise of public safety. The legal frameworks of international human rights instruments, such as the European Convention on Human Rights (ECHR), the International Covenant on Civil and Political Rights (ICCPR), and the General Data Protection Regulation (GDPR), are evaluated in light of state and corporate surveillance practices. The analysis also focuses on the discriminatory potential of algorithmic decision-making and facial recognition technologies, which disproportionately affect marginalized communities. Through a normative and comparative approach, the study critically examines surveillance frameworks in the United States, the United Kingdom, Germany, and France, as well as key jurisprudence from the European Court of Human Rights and constitutional courts. The findings reveal a growing tension between technological capabilities and democratic principles. In response, the paper proposes a multi-dimensional policy approach based on four pillars: ensuring legality, legitimacy, and proportionality of surveillance measures; establishing robust independent oversight and transparency mechanisms; promoting digital rights education; and reforming international human rights law to address transnational and algorithmic threats. Ultimately, the study argues that preserving human dignity in the digital age requires a careful recalibration of security and liberty through law, ethics, and civic awareness.</jats:p>",
    "topics": [
      "power_knowledge_asymmetry",
      "gdpr_compliance",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.854,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1145/3467956",
    "title": "StarFL: Hybrid Federated Learning Architecture for Smart Urban Computing",
    "authors": [
      "Anbu Huang",
      "Yang Liu",
      "Tianjian Chen",
      "Yongkai Zhou",
      "Quan Sun",
      "Hongfeng Chai",
      "Qiang Yang"
    ],
    "date": "2021-08-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1145/3467956",
    "pdfUrl": "",
    "doi": "10.1145/3467956",
    "abstract": "<jats:p>From facial recognition to autonomous driving, Artificial Intelligence (AI) will transform the way we live and work over the next couple of decades. Existing AI approaches for urban computing suffer from various challenges, including dealing with synchronization and processing of vast amount of data generated from the edge devices, as well as the privacy and security of individual users, including their bio-metrics, locations, and itineraries. Traditional centralized-based approaches require data in each organization be uploaded to the central database, which may be prohibited by data protection acts, such as GDPR and CCPA. To decouple model training from the need to store the data in the cloud, a new training paradigm called Federated Learning (FL) is proposed. FL enables multiple devices to collaboratively learn a shared model while keeping the training data on devices locally, which can significantly mitigate privacy leakage risk. However, under urban computing scenarios, data are often communication-heavy, high-frequent, and asynchronized, posing new challenges to FL implementation. To handle these challenges, we propose a new hybrid federated learning architecture called StarFL. By combining with Trusted Execution Environment (TEE), Secure Multi-Party Computation (MPC), and (Beidou) satellites, StarFL enables safe key distribution, encryption, and decryption, and provides a verification mechanism for each participant to ensure the security of the local data. In addition, StarFL can provide accurate timestamp matching to facilitate synchronization of multiple clients. All these improvements make StarFL more applicable to the security-sensitive scenarios for the next generation of urban computing.</jats:p>",
    "topics": [
      "privacy_engineering",
      "biometric_surveillance",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.854,
    "venue": "ACM Transactions on Intelligent Systems and Technology",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4406778835",
    "title": "Adaptive PII Mitigation Framework for Large Language Models",
    "authors": [
      "Shubhi Asthana",
      "Ruchi Mahindru",
      "Bing Zhang",
      "Jorge Sanz‐Sánchez"
    ],
    "date": "2025",
    "platform": "OpenAlex",
    "sourceUrl": "http://arxiv.org/abs/2501.12465",
    "pdfUrl": "https://arxiv.org/pdf/2501.12465",
    "doi": "https://doi.org/10.48550/arxiv.2501.12465",
    "abstract": "Artificial Intelligence (AI) faces growing challenges from evolving data protection laws and enforcement practices worldwide. Regulations like GDPR and CCPA impose strict compliance requirements on Machine Learning (ML) models, especially concerning personal data use. These laws grant individuals rights such as data correction and deletion, complicating the training and deployment of Large Language Models (LLMs) that rely on extensive datasets. Public data availability does not guarantee its lawful use for ML, amplifying these challenges. This paper introduces an adaptive system for mitigating risk of Personally Identifiable Information (PII) and Sensitive Personal Information (SPI) in LLMs. It dynamically aligns with diverse regulatory frameworks and integrates seamlessly into Governance, Risk, and Compliance (GRC) systems. The system uses advanced NLP techniques, context-aware analysis, and policy-driven masking to ensure regulatory compliance. Benchmarks highlight the system's effectiveness, with an F1 score of 0.95 for Passport Numbers, outperforming tools like Microsoft Presidio (0.33) and Amazon Comprehend (0.54). In human evaluations, the system achieved an average user trust score of 4.6/5, with participants acknowledging its accuracy and transparency. Observations demonstrate stricter anonymization under GDPR compared to CCPA, which permits pseudonymization and user opt-outs. These results validate the system as a scalable and robust solution for enterprise privacy compliance.",
    "topics": [
      "data_anonymization",
      "nlp_ner_tools",
      "enterprise_privacy_ops",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.854,
    "venue": "arXiv (Cornell University)",
    "language": "en"
  },
  {
    "id": "openaire:50|od_____10594::10afe8e98cd3c14036bcc90db56a849b",
    "title": "AI and The European Union's Approach to Data Protection: The Case of Chat GPT",
    "authors": [
      "AHKAMI, AMIRREZA#idabnull"
    ],
    "date": "",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=50|od_____10594::10afe8e98cd3c14036bcc90db56a849b",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Artificial Intelligence (AI) is advancing rapidly, with generative models like ChatGPT revolutionizing numerous industries. However, these advancements present significant challenges in adhering to data protection regulations such as the General Data Protection Regulation (GDPR) in the European Union (EU). This thesis examines the complex relationship between AI and data protection within the EU, using ChatGPT as a case study to analyze the impact of GDPR on AI technologies. The study explores the intricate dynamics between AI systems and data, focusing on the ethical, data collection and privacy issues inherent in AI-driven data utilization. It evaluates the implications of the GDPR framework on AI development, particularly in relation to provisions for user consent, data anonymization, and algorithmic transparency. Additionally, the research compares the EU’s approach to AI regulation assessing the impact on international collaboration and AI innovation. An aspect of this thesis is the examination of the January 2024 Garante della Privacy ruling, which underscores the necessity for stringent compliance mechanisms, transparency, and robust user consent procedures in AI operations. This ruling serves as a pivotal reference for future regulatory actions, highlighting the practical implications of GDPR enforcement on generative AI models like ChatGPT. Through a comprehensive analysis of ChatGPT’s GDPR compliance strategies and the associated challenges, this study provides insights for policymakers and AI developers. The findings advocate for a balanced regulatory approach that promotes innovation while safeguarding fundamental human rights. The thesis concludes with recommendations for enhancing transparency, user consent, and data privacy in AI systems, and suggests future research directions to address emerging challenges in the rapidly evolving field of AI.",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.854,
    "venue": "",
    "language": "en"
  },
  {
    "id": "ETid-1024",
    "title": "GDPR Fine: Cosmote Mobile Telecommunications S.A. — Hellenic Data Protection Authority (HDPA) (Greece)",
    "authors": [
      "Hellenic Data Protection Authority (HDPA)"
    ],
    "date": "2022-01-27",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1024",
    "pdfUrl": "https://www.dpa.gr/sites/default/files/2022-01/4_2022%20anonym%20%282%29_0.pdf",
    "doi": "",
    "abstract": "Fine: €6,000,000 | Articles: Art. 5 (1) a) GDPR, Art. 5 (2) GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 25 (1) GDPR, Art. 26 GDPR, Art. 28 GDPR, Art. 35 (7) GDPR | Insufficient technical and organisational measures to ensure information security | The Hellenic DPA has imposed a fine of EUR 6 million on Cosmote Mobile Telecommunications S.A.. Cosmote had reported a data breach to the DPA pursuant to Art. 33 GDPR. A hacker had penetrated the controller's systems and obtained and subsequently leaked data from Cosmote customers. The stolen data included sensitive information, from Cosmote subscribers such as age, gender and contract information. Nearly 10 million people were affected by the incident. \n\nFor this reason, the DPA found that Cosmote had failed to implement adequate technical and organizational measures to ensure the proper execution of the data anonymization process.  In addition, Cosmote did not conduct a sufficient data protection impact assessment and did not properly inform data subjects about the processing of their data. \n\nFinally, the DPA found that Cosmote did not clearly regulate the allocation of roles in data processing with its subsidiary, OTE Group. \n\nIn calculating the fine, the DPA aggravatingly took into account the very long duration of the breaches (6 years), the large number of data subjects, as well as the fact that no pseudonymization measures of the data were implemented over a long period of time.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.854,
    "venue": "GDPR DPA: Hellenic Data Protection Authority (HDPA)",
    "language": "en"
  },
  {
    "id": "europepmc:40408373",
    "title": "Evaluating the effectiveness of data governance frameworks in ensuring security and privacy of healthcare data: A quantitative analysis of ISO standards, GDPR, and HIPAA in blockchain technology.",
    "authors": [
      "Ahmed A",
      "Shahzad A",
      "Naseem A",
      "Ali S",
      "Ahmad I."
    ],
    "date": "2025-05-23",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1371/journal.pone.0324285",
    "pdfUrl": "https://europepmc.org/articles/PMC12101661?pdf=render",
    "doi": "10.1371/journal.pone.0324285",
    "abstract": "Blockchain technology is widely used in almost every domain of life nowadays including healthcare sector. Although there are existing frameworks to govern healthcare data but they have certain limitations in effectiveness of data governance to ensure security and privacy. This study aimed to evaluate effectiveness of health care data governance frameworks, examining security and privacy concerns and limitations within the existing frameworks of ISO Standards, GDPR, and HIPAA. In this study quantitative research approach was followed. A sample of 250 participants from Islamabad, Lahore and Karachi based healthcare experts, IT specialist, blockchain research and developer, administrator was selected. The collected data was analyzed though frequencies and descriptive statistical tests with the help of SPSS. The results revealed un-satisfaction for data governance frameworks, i.e., ISO standards, GDPR, and HIPAA in terms of security concerns, i.e., data encryption, access controls, audit trails, interoperability and standards, smart contracts for compliance, data integrity, regulatory compliance monitoring and privacy concerns, i.e., consent management, anonymization and pseudonymization, data minimization. The participants agreed that there is a need of integration of reliable data governance framework in health care data management. Various personalized governance techniques, targeted security upgrades, and continuous improvement in the specific customized data governance framework has been presented based on the findings of the study. An implementation of blockchain-based systems is recommended in order to ensure and expand the security and privacy of healthcare data management.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.842,
    "venue": "PLoS ONE",
    "language": "en"
  },
  {
    "id": "arxiv:1512.05110",
    "title": "From t-closeness to differential privacy and vice versa in data anonymization",
    "authors": [
      "J. Domingo-Ferrer",
      "J. Soria-Comas"
    ],
    "date": "2015-12-16",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/1512.05110v2",
    "pdfUrl": "https://arxiv.org/pdf/1512.05110v2",
    "doi": "10.1016/j.knosys.2014.11.011",
    "abstract": "k-Anonymity and ε-differential privacy are two mainstream privacy models, the former introduced to anonymize data sets and the latter to limit the knowledge gain that results from including one individual in the data set. Whereas basic k-anonymity only protects against identity disclosure, t-closeness was presented as an extension of k-anonymity that also protects against attribute disclosure. We show here that, if not quite equivalent, t-closeness and ε-differential privacy are strongly related to one another when it comes to anonymizing data sets. Specifically, k-anonymity for the quasi-identifiers combined with ε-differential privacy for the confidential attributes yields stochastic t-closeness (an extension of t-closeness), with t a function of k and ε. Conversely, t-closeness can yield ε- differential privacy when t = exp(ε/2) and the assumptions made by t-closeness about the prior and posterior views of the data hold",
    "topics": [
      "data_anonymization",
      "linkability_tracking"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Re-identification"
    ],
    "relevanceScore": 0.842,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:S0045790624008085",
    "title": "MarvelHideDroid: Reliable on-the-fly data anonymization based on Android virtualization",
    "authors": [
      "Pagano F.",
      "Verderame L.",
      "Russo E.",
      "Merlo A."
    ],
    "date": "2024-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1016/j.compeleceng.2024.109882",
    "pdfUrl": "https://doi.org/10.1016/j.compeleceng.2024.109882",
    "doi": "10.1016/j.compeleceng.2024.109882",
    "abstract": "Modern mobile applications harvest many user-generated events during execution using proper libraries called analytic libraries. The collection of such events allows the app developers to acquire helpful information to further improve the app. The same collected events are likewise an essential source of information for analytic library providers (e.g., Google and Meta) to understand users’ preferences. However, the user is not involved in this process. To counteract this problem, some proposals arose from legal (e.g., General Data Protection Regulation (GDPR)) and research perspectives. Concerning the latter point, some research efforts led to the definition of solutions for the Android ecosystem that allow one to limit the gathering of such data before the analytic libraries collect it or give the user control of the process. To this aim, HideDroid was the first proposal to allow the user to define different privacy levels for each app installed on the device by leveraging k-anonymity and differential privacy techniques. Subsequently, VirtualHideDroid extended HideDroid by taking advantage of the same approach to virtualized Android environments, in which an application (plugin) can run within another application (container). In this scenario, VirtualHideDroid anonymizes user event data running as the container app. However, according to standard threat models regarding virtualized Android environments, assuming that the container app is fully trusted is too optimistic in real deployments. For this reason, in this paper, we extend the work of the original VirtualHideDroid work by assuming that the same tool may be untrusted, i.e., controlled by an external attacker that has access to the container app, thereby having full access to the user data. To solve this problem, we define a new approach, named MarvelHideDroid, which gives reliable anonymization of event data in the Plugin app, even in the event of a malicious/compromised container. 
Moreover, and differently",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.842,
    "venue": "Computers & Electrical Engineering",
    "language": "en"
  },
  {
    "id": "openaire:10.54660/.ijmrge.2020.1.2.64-67",
    "title": "Synthetic Data Generation for Privacy Preservation in Financial Technologies",
    "authors": [
      "Adarsh Naidu"
    ],
    "date": "2020-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.54660/.ijmrge.2020.1.2.64-67",
    "pdfUrl": "",
    "doi": "10.54660/.ijmrge.2020.1.2.64-67",
    "abstract": "<jats:p>This research examines the utilization of Generative Adversarial Networks (GANs) to produce synthetic financial data that ensures privacy while adhering to stringent regulatory frameworks, such as the General Data Protection Regulation (GDPR) (European Union, 2016) [4] and the California Consumer Privacy Act (CCPA). Financial institutions handle extensive sensitive data, necessitating stringent privacy safeguards. Conventional anonymization techniques frequently reduce data utility, thereby limiting their effectiveness for machine learning, research, and analysis. Conversely, GANs offer an innovative alternative by generating realistic synthetic datasets that maintain the statistical properties of original data without containing personally identifiable information. This paper introduces a GAN-based framework designed specifically for financial data, enhanced with differential privacy (Dwork et al., 2006) [3] to provide robust privacy assurances. Through evaluation on real-world financial datasets, the framework demonstrates its capability to generate high-quality synthetic data applicable in areas such as fraud detection and customer segmentation. Findings suggest that this approach effectively maintains a balance between privacy and utility, presenting a scalable solution for financial institutions to leverage data while ensuring compliance with legal mandates. This study advances privacy-preserving data generation and delivers actionable insights for the financial sector.</jats:p>",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.842,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.30574/wjaets.2025.15.3.0866",
    "title": "AI-driven Anonymization Techniques for Personalized Services in Online Retail: Balancing Privacy and Personalization",
    "authors": [
      "null Chaitra Vatsavayi"
    ],
    "date": "2025-06-30",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.30574/wjaets.2025.15.3.0866",
    "pdfUrl": "",
    "doi": "10.30574/wjaets.2025.15.3.0866",
    "abstract": "<jats:p>This article explores AI-driven anonymization techniques that enable online retailers to provide personalized services while protecting customer privacy. The investigation begins by examining the \"personalization-privacy paradox,\" where consumers simultaneously desire customized experiences yet express concerns about data collection practices. A comprehensive literature review traces the evolution of privacy-preserving techniques in e-commerce and evaluates current anonymization methods, regulatory frameworks, and research gaps. The article then details four key anonymization methodologies: data masking, pseudonymization, differential privacy, and federated learning, highlighting their applications in retail contexts. An implementation framework follows, addressing privacy-first AI development, data governance structures, technical infrastructure requirements, and success metrics. Case studies demonstrate practical applications in personalized shopping experiences, customer behavior analysis, and real-time decision-making systems. Comparative analyses reveal how different approaches perform across various retail environments and product categories. The conclusion emphasizes that effective implementation requires balancing technical solutions with organizational governance while adapting to evolving privacy threats and consumer expectations.</jats:p>",
    "topics": [
      "data_anonymization",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.842,
    "venue": "World Journal of Advanced Engineering Technology and Sciences",
    "language": "en"
  },
  {
    "id": "openaire:10.1145/3406601.3406627",
    "title": "A Data Masking Guideline for Optimizing Insights and Privacy Under GDPR Compliance",
    "authors": [
      "Chitanut Tachepun",
      "Sotarat Thammaboosadee"
    ],
    "date": "2020-07-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1145/3406601.3406627",
    "pdfUrl": "",
    "doi": "10.1145/3406601.3406627",
    "abstract": "The General Data Protection Regulation (GDPR) has been enforced since May 2019 and became a disruptive issue to every organization due to its severe penalties in the data breaches or use of personal data for illegal purposes, e.g., lack of the consent of data subject. Therefore, the data Pseudonymization and Anonymization are one of the employed techniques to protect and reduce the privacy risks from the data breach. Unfortunately, they also destroy the pattern of the data, which represents the fact that it could be analyzed or monetized to gain useful insights by data analytics or data science approaches. This paper focuses on optimizing the privacy and insight method that the data could be useful for analyzing and also compliance with the GDPR. This paper proposes the guideline consists of three techniques: tokenization, suppression, and generalization to protect personal data by calculating risk scores from two methods: data classification and data uniqueness. The criteria in the guideline are experimented to achieve the optimized classification performance in protected data compared with five original open data by analyzing with three data mining algorithms with the hyperparameter tuning process. The results show that the protected data by the proposed guideline can protect adequate information and achieve insignificant classification performance when compared to the unprotected data.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.842,
    "venue": "International Conference on Advances in Information Technology",
    "language": "en"
  },
  {
    "id": "openaire:10.59224/bjlti.v3i1.100-116",
    "title": "Identification and assessment of eligibility criteria for preparing the Personal Data Protection Impact Assessment (RIPD)",
    "authors": [
      "Rainier Garacis"
    ],
    "date": "2025-06-21",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.59224/bjlti.v3i1.100-116",
    "pdfUrl": "",
    "doi": "10.59224/bjlti.v3i1.100-116",
    "abstract": "<jats:p>This study aims to analyze the criteria that determine whether personal data processing requires the preparation of a Data Protection Impact Assessment (RIPD) and its relevance for compliance with the Brazilian General Data Protection Law (LGPD). The RIPD is an essential tool for assessing risks in personal data processing, enabling organizations to identify, measure, and mitigate potential impacts on privacy and security. With the exponential growth of data collection, storage, and processing in digital environments, understanding the legal and methodological requirements involved in its preparation is crucial. The research addresses the key quantitative and qualitative factors that determine the necessity of conducting a RIPD, as well as the practical challenges organizations face in identifying these elements. Additionally, the role of regulatory authorities, such as the Brazilian National Data Protection Authority (ANPD), in overseeing and requiring this document for certain data processing activities is discussed. The study also compares the eligibility criteria for the RIPD with international guidelines, such as those established by the European Union's General Data Protection Regulation (GDPR), aiming to understand similarities, differences, and potential challenges in adapting to the Brazilian context. Finally, the challenges and benefits of implementing the RIPD are analyzed, highlighting its importance in fostering a data protection culture and ensuring greater legal security for companies and institutions engaged in personal data processing.</jats:p>",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.842,
    "venue": "",
    "language": "en"
  },
  {
    "id": "europepmc:41208421",
    "title": "The global impact of the General Data Protection Regulation: implications, challenges, and future outlook in oncology clinical research sponsors.",
    "authors": [
      "Liu X",
      "Lacombe D",
      "Lejeune S."
    ],
    "date": "2025-10-01",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.21037/cco-25-31",
    "pdfUrl": "",
    "doi": "10.21037/cco-25-31",
    "abstract": "Oncology clinical trial involves processing of vast amounts of personal health data, including medical history, treatment, biomarker, genetic information, etc., much of which qualifies as special category data under the General Data Protection Regulation (GDPR). While it sought to harmonize the data protection standards across the European Union (EU), its implementation has a profound impact on the operational and regulatory practice for oncology clinical trial sponsors. Its interaction with the Clinical Trials Regulation (CTR), diverse national health data laws, and emerging data localization mandates has made privacy compliance in multi-country clinical trials exceptionally complex for both EU and non-EU sponsors. This narrative review examines how core GDPR principles and requirements play out in the context of oncology clinical trials in the EU, and where tensions arise with CTR obligations and real-world operations. We highlight recurrent challenges in practice, including the need to distinguish ethical consent from GDPR legal bases, to honour data subject rights without unblinding, and to ensure proportionate data collection as study endpoints evolve. Additional difficulties arise from managing biospecimen storage and secondary use, addressing long retention horizons, navigating Member State and intra‑state variations in ethics committee and data protection officer expectations, and overcoming localization barriers that hinder cross-border pooling of rare molecular-marker data. With the evolving complex privacy compliance landscape in EU and beyond, full compliance with all privacy requirements becomes unrealistic for the oncology clinical trial sponsors. Instead of seeking perfection in compliance, which is not the main mission for oncology clinical trials, sponsors should adopt a risk-based approach to prioritize the mitigation of the most significant risks. 
Drawing on the recurrent challenges identified in this narrative review, we propose such an approach ",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.842,
    "venue": "Chinese clinical oncology",
    "language": "en"
  },
  {
    "id": "s2:28084b004889c6f8759a55bcce0ceb861480ca55",
    "title": "Processing Data to Protect Data: Resolving the Breach Detection Paradox",
    "authors": [
      "A. Cormack"
    ],
    "date": "2020-08-06",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/28084b004889c6f8759a55bcce0ceb861480ca55",
    "pdfUrl": "https://doi.org/10.2966/scrip.170220.197",
    "doi": "10.2966/scrip.170220.197",
    "abstract": "Most privacy laws contain two obligations: that processing of personal data must be minimised, and that security breaches must be detected and mitigated as quickly as possible. These two requirements appear to conflict, since detecting breaches requires additional processing of logfiles and other personal data to determine what went wrong. Fortunately Europe’s General Data Protection Regulation (GDPR) – considered the strictest such law – recognises this paradox and suggests how both requirements can be satisfied. This paper assesses security breach detection in the light of the principles of purpose limitation and necessity, finding that properlyconducted breach detection should satisfy both principles. Indeed the same safeguards that are required by data protection law are essential in practice for breach detection to achieve its purpose. The increasing use of automated breach detection is then examined, finding opportunities to further strengthen these safeguards as well as those that might be required by the GDPR provisions on profiling and automated decision-making. Finally we consider how processing for breach detection relates to the context of providing and using on-line services concluding that, far from being paradoxical, it should be expected and welcomed by regulators and (2020) 17:2 SCRIPTed 197 198 all those whose data may be stored in networked computers.",
    "topics": [
      "gdpr_compliance",
      "data_breach_incident"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.842,
    "venue": "SCRIPTed: A Journal of Law, Technology & Society",
    "language": "en"
  },
  {
    "id": "hal:3475826",
    "title": "Data Protection Issues for Smart Contracts",
    "authors": [
      "W. Gregory Voss"
    ],
    "date": "2021-06-03",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-03248686v1",
    "pdfUrl": "https://hal.science/hal-03248686/document",
    "doi": "10.5040/9781509937059.ch-004",
    "abstract": "Smart contracts offer promise for facilitating and streamlining transactions in many areas of business and government. However, they also may be subject to the provisions of relevant data protection laws, if personal data is processed. This Chapter focuses on the European Union’s General Data Protection Regulation (GDPR), as the most significant and influential data protection legislation at this time, given in part to its omnibus nature and extraterritorial scope. By their very nature, smart contracts raise difficulties for the classification of the various actors involved, which will have an impact on their responsibilities under the law and their potential liability for violations. Our analysis focuses primarily on the role of data controller in the context of blockchain technology, used in smart contracts. In doing so, the signification of the classification is highlighted in the context of the GDPR. Furthermore, certain rights granted to data subjects under the GDPR may be difficult to provide in the context of smart contracts, such as the right to rectification and the right to erasure (‘right to be forgotten’). This Chapter addresses such issues, together with relevant advisory guidance and recommendations, such as the use of encryption in order to make data nearly inaccessible in order to approach as nearly as possible the same result as erasure, and the storage of certain data off-chain. On the way, the important distinction between anonymised data and personal data is explained, together with its practical implications. Finally, the GDPR requirements of data minimisation, of data security (‘integrity and confidentiality’), and of privacy by design and by default must be respected, if that legislation applies. This means that data protection and privacy must be considered when smart contracts are designed. The book is available at https://www.bloomsbury.com/uk/smart-contracts-9781509937028/.",
    "topics": [
      "gdpr_compliance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.842,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:2001955",
    "title": "Discussions on the Right to Data Portability from Legal Perspectives",
    "authors": [
      "Kaori Ishii"
    ],
    "date": "2018-09-19",
    "platform": "hal",
    "sourceUrl": "https://inria.hal.science/hal-02001955v1",
    "pdfUrl": "https://inria.hal.science/hal-02001955/document",
    "doi": "10.1007/978-3-319-99605-9_26",
    "abstract": "This study discusses the legal issues pertaining to data portability from the perspectives of both personal data protection and antitrust laws. Since legal challenges arise from the differences between antitrust law and data protection law, there is a need to define the legal position of data portability. My analysis is based on a review of these three topics: Is the right to data portability in the EU General Data Protection Regulation (GDPR) effective? (2) Should the right to data portability be legally regulated? and (3) Can the right be regulated from an antitrust perspective?What are indicated from the above discussions are: (1) the right to data portability in the GDPR is the first promising provision which has given rise to several issues—in particular the scope of the data, IT costs imposed on SMEs, and theoretical boundaries and enforcements based between data protection and antitrust laws—that warrant further examination; (2) if the controller-controller portability is called for, antitrust perspective broadly encompass the scope of data is preferred than data protection regulation; (3) combining data protection and antitrust perspectives into a single law would be difficult due to the differences of them; (4) when it comes to establish data portability scheme from antitrust perspective, data portability should be obliged depending on the kinds of platform.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.842,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:5114619",
    "title": "A Quantitative Approach to the GDPR’s Anonymization and Pseudonymization Tests",
    "authors": [
      "Nils Holzenberger",
      "Winston Maxwell"
    ],
    "date": "2025-06-16",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-05114619v1",
    "pdfUrl": "",
    "doi": "10.2139/ssrn.5162461",
    "abstract": "This article examines two tests from the European General Data Protection Regulation (GDPR): (1) the test for full anonymisation (the \"anonymisation test\"), and (2) the test for applying \"appropriate technical measures\" to protect personal data when full anonymisation is not achieved (the \"pseudonymisation test\"). Both tests depend on vague legal standards and have given rise to legal disputes and differing interpretations among data protection authorities and courts, including in the context of machine learning. Under the anonymisation test, data are sufficiently anonymised when they are immune from re-identification by an attacker using \"all means reasonably likely to be used\". Under the pseudonymisation test, technical measures to protect personal data that are not anonymised must be \"appropriate\" with regard to the risks of data loss. Here, we use methods from law and economics to transform these qualitative tests into quantitative tests: we take a risk-management approach and put forward a mathematical formalization of the GDPR's criteria, to supplement existing qualitative approaches. We chart different attack efforts and re-identification probabilities, and propose this as a methodology to help stakeholders discuss whether data are sufficiently anonymised to satisfy the GDPR anonymisation test, or alternatively, whether pseudonymisation efforts are \"appropriate\" under the GDPR. The resulting graphs can help stakeholders decide whether the anonymisation test is fulfilled, and discuss the use of Privacy-Enhancing Technologies necessary to pass the pseudonymisation test. We apply our proposed framework to several scenarios, applying the anonymisation test to a Large Language Model, and the pseudonymisation test to a database protected with differential privacy.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.842,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:4216818",
    "title": "Enhancing AI fairness through impact assessment in the European Union: a legal and computer science perspective",
    "authors": [
      "Alessandra Calvi",
      "Dimitris Kotzinos"
    ],
    "date": "2023-06-19",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-04216818v1",
    "pdfUrl": "",
    "doi": "10.1145/3593013.3594076",
    "abstract": "How to protect people from algorithmic harms? A promising solution, although in its infancy, is algorithmic impact assessment (AIA). AIAs are iterative processes used to investigate the possible short and long-term societal impacts of AI systems before their use, but with ongoing monitoring and periodic revisiting even after their implementation. When conducted in a participatory and trans-parent fashion, they could create bridges across the legal, social and computer science domains, promoting the accountability of the entity performing them as well as public scrutiny. They could enable to re-attach the societal and regulatory context to the mathematical- cal definition of fairness, thus expanding the formalistic approach thereto. Whilst the regulatory framework in the European Union currently lacks the obligation to perform such AIA, some other provisions are expected to play a role in AI development, leading the way towards more widespread adoption of AIA. These include the Data Protection Impact Assessment (DPIA) under the General Data Protection Regulation (GDPR), the risk assessment process under the Digital Services Act (DSA) and the Conformity Assessment (CA) foreseen under the AI Regulation proposal. In this paper, after briefly introducing the plurality of definitions of fairness in the legal, social and computer science domains, and ex- explaining to which extent the current and upcoming legal framework mandates the adoption of fairness metrics, we will illustrate how AIA could create bridges between all these disciplines, allowing us to build fairer AI solutions. We will then recognise the role of DPIA, DSA risk assessment and CA by discussing the contributions they can offer towards AIA but also identify the aspects lacking therein. We will then identify how these assessment provisions could aid the overall technical discussion of introducing and assessing fairness in AI-based models and processes",
    "topics": [
      "gdpr_compliance",
      "ai_governance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.842,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:5386310",
    "title": "Fair play for individuals, foul play for groups? Auditing anonymization’s impact on ML fairness",
    "authors": [
      "Héber H. Arcolezi",
      "Mina Alishahi",
      "Adda-Akram Bendoukha",
      "Nesrine Kaaniche"
    ],
    "date": "2025-10-25",
    "platform": "hal",
    "sourceUrl": "https://inria.hal.science/hal-05386310v1",
    "pdfUrl": "https://inria.hal.science/hal-05386310/document",
    "doi": "10.3233/FAIA250909",
    "abstract": "Machine learning (ML) algorithms are heavily based on the availability of training data, which, depending on the domain, often includes sensitive information about data providers. This raises critical privacy concerns. Anonymization techniques have emerged as a practical solution to address these issues by generalizing features or suppressing data to make it more difficult to accurately identify individuals. Although recent studies have shown that privacy-enhancing technologies can influence ML predictions across different subgroups, thus affecting fair decision-making, the specific effects of anonymization techniques, such as k-anonymity, ℓ-diversity, and t-closeness, on ML fairness remain largely unexplored. In this work, we systematically audit the impact of anonymization techniques on ML fairness, evaluating both individual and group fairness. Our quantitative study reveals that anonymization can degrade group fairness metrics by up to fourfold. Conversely, similarity-based individual fairness metrics tend to improve under stronger anonymization, largely as a result of increased input homogeneity. By analyzing varying levels of anonymization across diverse privacy settings and data distributions, this study provides critical insights into the trade-offs between privacy, fairness, and utility, offering actionable guidelines for responsible AI development. Our code is publicly available at: https://github.com/hharcolezi/anonymity-impact-fairness.",
    "topics": [
      "data_anonymization",
      "ai_governance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.842,
    "venue": "",
    "language": "en"
  },
  {
    "id": "pubmed:34164131",
    "title": "Standard contractual clauses for cross-border transfers of health data after",
    "authors": [
      "Bradford, Laura",
      "Aboy, Mateo",
      "Liddell, Kathleen"
    ],
    "date": "2021-06-21",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1093/jlb/lsab007",
    "pdfUrl": "",
    "doi": "10.1093/jlb/lsab007",
    "abstract": "Standard contractual clauses (SCCs) have long been considered the most accessible method to transfer personal data legally across borders. In July 2020, the Court of Justice of the European Union (CJEU) in  Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems  ( Schrems II ) placed heavy conditions on their use. The  Schrems II  Court found that SCCs were valid as 'appropriate safeguards' for data transfers from EU entities to others outside the EU/EEA as long as unspecified 'supplementary measures' were in place to compensate for the lack of data protection in the third country. Data protection officers are under intense pressure to explain these measures and allow routine transfers to continue. Some authorities interpret the decision as preventing the use of SCCs to transfer personal data outside of the EU because private contracts cannot comprehensively redress gaps in national law. This article argues that these authorities are mistaken and that notwithstanding  Schrems II  SCCs can still be useful instruments for cross-border transfers. This is especially true in highly regulated contexts such as medical research. This paper traces the history of SCCs under the General Data Protection Regulation (GDPR) and shows how the CJEU in  Schrems II  misunderstood the purpose of SCCs and other Article 46 GDPR 'appropriate safeguards'. The CJEU mistakenly approached Article 46 safeguards such as SCCs as being similar to country-specific adequacy rulings under Article 45 GDPR. But unlike Article 45 adequacy rulings, SCCs were not intended to provide a stand-alone mechanism for transfer reliant on the law of the importing country. Rather SCCs provide an alternative, multi-layered standard for data protection that encompasses law, technology and organizational commitments. Their purpose is to be used in situations where legislation alone is insufficient to protect data subject rights. 
The European Commission's new draft SCCs support this analysis.",
    "topics": [
      "jurisdiction_regulatory",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.842,
    "venue": "Journal of law and the biosciences",
    "language": "en"
  },
  {
    "id": "s2:845460f1b28f5372f6248489d1cc8a6552787ff0",
    "title": "Robustness of k-Anonymization Model in Compliance with General Data Protection Regulation",
    "authors": [
      "Ibrahim Abubakar",
      "Tarjana Yagnik",
      "Kabiru Mohammed"
    ],
    "date": "2022-12-16",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/845460f1b28f5372f6248489d1cc8a6552787ff0",
    "pdfUrl": "http://xplorestaging.ieee.org/ielx7/10079843/10079950/10080616.pdf?arnumber=10080616",
    "doi": "10.1109/ICCBD56965.2022.10080616",
    "abstract": "The advancement in technology and the emergence of big data and the internet of things (IoT), individuals (data subjects) tend to suffer from privacy breach of various types that has led to a lot of damages to both data subjects and brands. These and other issues about data privacy breach led the European Union to come up with a much stringent regulations that will serve as a deterrent to businesses or organizations that handle data. This gave birth to the General Data Protection Regulation (GDPR) in 2018 which replaced the previous 1995 Data Protection Directive in Europe. This research examined the robustness of k-anonymity in compliance with GDPR regulations at varying k-values (5,10,50, and 100) using the 1994 USA Census Bureau Data referred to as the adult dataset. Various measures were used to determine which k-value meets the GDPR criteria and the findings revealed the best anonymizing threshold complies with the GDPR criteria that prevents information loss (which determines data utility), prosecutor re-identification risk percentage and attacker models (prosecutor, journalist and marketer model).",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.842,
    "venue": "2022 5th International Conference on Computing and Big Data (ICCBD)",
    "language": "en"
  },
  {
    "id": "s2:e455d32c8103022a8970261625712151b423bc01",
    "title": "Towards an Efficient Log Data Protection in Software Systems through Data Minimization and Anonymization",
    "authors": [
      "Portillo Dominguez",
      "Andres Omar",
      "Ayala-Rivera",
      "A. Portillo-Dominguez",
      "Vanessa Ayala-Rivera"
    ],
    "date": "2019-10-01",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/e455d32c8103022a8970261625712151b423bc01",
    "pdfUrl": "http://researchrepository.ucd.ie/bitstreams/0b61a354-ed86-4987-b4f7-9b1a620badb7/download",
    "doi": "10.1109/CONISOFT.2019.00024",
    "abstract": "IT infrastructures of companies generate large amounts of log data every day. These logs are typically analyzed by software engineers to gain insights about activities occurring within a company (e.g., to debug issues exhibited by the production systems). To facilitate this process, log data management is often outsourced to cloud providers. However, logs may contain information that is sensitive by nature and considered personal identifiable under most of the new privacy protection laws, such as the European General Data Protection Regulation (GDPR). To ensure that companies do not violate regulatory compliance, they must adopt, in their software systems, appropriate data protection measures. Such privacy protection laws also promote the use of anonymization techniques as possible mechanisms to operationalize data protection. However, companies struggle to put anonymization in practice due to the lack of integrated, intuitive, and easy-to-use tools that accommodate effectively with their log management systems. In this paper, we propose an automatic approach (SafeLog) to filter out information and anonymize log streams to safeguard the confidentiality of sensitive data and prevent its exposure and misuse from third parties. Our results show that atomic anonymization operations can be effectively applied to log streams to preserve the confidentiality of information, while still allowing to conduct different types of analysis tasks such as users behavior, and anomaly detection. Our approach also reduces the amount of data sent to cloud vendors, hence decreasing the financial costs and the risk of overexposing information.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.842,
    "venue": "2019 7th International Conference in Software Engineering Research and Innovation (CONISOFT)",
    "language": "en"
  },
  {
    "id": "s2:e549c52f724c91914293a0bf081cd2bc4c05a347",
    "title": "Patterns of Data Anonymization",
    "authors": [
      "Mariana Monteiro",
      "Filipe F. Correia",
      "Paulo Queiroz",
      "Rui Ramos",
      "Dinis Trigo",
      "Gonçalo Gonçalves"
    ],
    "date": "2024-07-03",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/e549c52f724c91914293a0bf081cd2bc4c05a347",
    "pdfUrl": "",
    "doi": "10.1145/3698322.3698337",
    "abstract": "Over the years, sensitive data has been growing in software systems. To comply with ethical and legal requirements, the General Data Protection Regulation (GDPR) recommends using pseudonymization and anonymization techniques to ensure appropriate protection and privacy of personal data. Many anonymization techniques have been described in the literature, such as generalization or suppression, but deciding which methods to use in different contexts is not a straightforward task. Furthermore, anonymization poses two major challenges: choosing adequate techniques for a given context and achieving an optimal level of privacy while maintaining the utility of the data for the context within which it is meant to be used. To address these challenges, this paper describes four new design patterns: Generalization, Hierarchical Generalization, Suppress Outliers, and Relocate Outliers, building on existing literature to offer solutions for common anonymization challenges, including avoiding linkage attacks and managing the privacy-utility trade-off.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.842,
    "venue": "European Conference on Pattern Languages of Programs",
    "language": "en"
  },
  {
    "id": "s2:7d01a83878aadf1ad3c87efbe22819b577c38fde",
    "title": "An Enterprise Data Privacy Governance Model: Security-Centric Multi-Model Data Anonymization",
    "authors": [
      "Y. Sahin",
      "I. Dogru"
    ],
    "date": "2023-04-15",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/7d01a83878aadf1ad3c87efbe22819b577c38fde",
    "pdfUrl": "https://doi.org/10.29137/umagd.1272085",
    "doi": "10.29137/umagd.1272085",
    "abstract": "The increasing need for data privacy and the rising complexity of data environments necessitate robust data anonymization techniques to safeguard personal and sensitive information. A multi-model approach to data anonymization can strike an optimal balance between privacy protection and data utility, integrating techniques such as data masking, differential privacy, machine learning algorithms, blockchain technology, and data encryption. This article introduces a Security-Centric Enterprise Data Anonymization Governance Model, a structured framework for managing data privacy across healthcare, finance, and government industries. The model ensures adherence to best practices and compliance with legal and regulatory requirements. The article addresses challenges in implementing data anonymization techniques, including maintaining data utility and preventing re-identification, by advocating for a multi-model approach that combines various technologies and methods. We suggest that by adopting this holistic approach, organizations can enhance their data protection measures and foster a culture of data privacy.",
    "topics": [
      "data_anonymization",
      "enterprise_privacy_ops"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.842,
    "venue": "Uluslararası Muhendislik Arastirma ve Gelistirme Dergisi",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W7128715527",
    "title": "La graduación de las infracciones en Chile bajo la nueva Ley n° 21.719: Una aproximación al Reglamento General de Protección de Datos (RGPD)",
    "authors": [
      "Basilio Belmar Rivas",
      "Violeta Muñoz Vargas"
    ],
    "date": "2026",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.36151/rdie.2025.1.2.04",
    "pdfUrl": "https://rdie.tirant.com/index.php/rdie/article/download/13/14",
    "doi": "https://doi.org/10.36151/rdie.2025.1.2.04",
    "abstract": "The aim of this analysis is to examine the implications of the reform of Chile’s personal data protection law in its effort to achieve regulatory alignment with European infringement standards. Through a dogmatic legal analysis with a comparative approach, the study contrasts the evolution of Law No. 19,628 and its recent amendment with the European Union’s General Data Protection Regulation (GDPR) and Spain’s Organic Law 3/2018. The results indicate that Law No. 21,719 strengthens data protection by design and by default, establishes a catalogue of graduated infringements, and introduces a new institutional framework through the creation of a Data Protection Agency. The Data Protection Officer (DPO) is identified as a strategic actor responsible for preventive management and the adoption of measures aimed at avoiding infringements of rights. This doctrinal contribution provides DPOs in Chile with essential elements for the design of infringement prevention programmes. It concludes that such programmes are not only a legal requirement but also a mechanism for the effective protection of individuals’ rights, and that their implementation enables controllers to adopt preventive actions that directly influence the grading of administrative sanctions within the new national regulatory framework.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.842,
    "venue": "Revista Dike Irene y Eunomia",
    "language": "es"
  },
  {
    "id": "https://openalex.org/W4382248739",
    "title": "Prawo do bycia zapomnianym w perspektywie przetwarzania danych osobowych",
    "authors": [
      "Łukasz Nasiadka"
    ],
    "date": "2023",
    "platform": "OpenAlex",
    "sourceUrl": "http://dx.doi.org/10.14746/spp.2023.2.42.3",
    "pdfUrl": "http://dx.doi.org/10.14746/spp.2023.2.42.3",
    "doi": "https://doi.org/10.14746/spp.2023.2.42.3",
    "abstract": "Nowadays, effective protection of personal data is one of the fundamental issues of a democratic state under the rule of law. Therefore, the legislator should be very precise about the principles and standards of data processing. In the last few decades, in particular, the development of new technologies, digitalisation and the increase in the need for electronic communication has become evident, which leads to the adoption of appropriate regulations for the handling of personal data. In addition, the EU legislator has introduced the General Data Protection Regulation (GDPR) in order to harmonise the regulations of EU Member States regarding the protection of personal data. This provides a framework for the proper functioning of legal provisions across the European Union regarding the handling of personal data of its citizens.The aim of the article is to identify the legal changes resulting from the Personal Data Protection Regulation, with a particular focus on the persons to which they apply and then to analyse the regulation of ‘the right to be forgotten’. In the first part of the article, attention is drawn to the way personal data are processed and the scope of obligations incumbent on data controllers. This is because data controllers are, together with the personal data protection officer, responsible for recording data processing activities, including ongoing monitoring and responding to situations of inaccurate data processing. The second part focuses on the right to be forgotten and the assessment of this entitlement in the perspective of Regulation 2016/679. The research methods include an analysis of legal acts, at the same time using the subject literature.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.842,
    "venue": "Studia Prawa Publicznego",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2910796938",
    "title": "Gestão Documental e de processos na implementação do Regulamento Geral de Proteção de Dados (RGPD): O caso iPortalDoc",
    "authors": [
      "Andreia Filipa Rajão Pinto"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "https://hdl.handle.net/10216/114164",
    "pdfUrl": "https://hdl.handle.net/10216/114164",
    "doi": "https://doi.org/10.34626/8cz4-km42",
    "abstract": "In this dissertation, developed under the Master in Information Science, the project developed in a business environment titled \"Document and Processes Management in the implementation of the General Data Protection Regulation (GDPR): The iPortalDoc Case.\" is presented. The purpose of this theme is the development of an integrated solution in a Document and Process Management System, called iPortalDoc. In general, this solution was developed for three fundamental aspects: to support the organization's compliance with the new General Regulation on Data Protection; serve as a tool to support the Data Protection Officer and transform the bureaucratic process into a simpler and more innovative process. The theoretical study, referred to as a literature review, is considered the basis of the project, and so it was initially important to clarify the areas that support it: Information Management, Document Management and Personal Data Protection through a general for the specific about the new Regulation. Subsequently, a survey and an analysis of requirements were elaborated to understand how the RGPD could be implemented in IPBRICK. From there, the module was developed, called \"IPBRICK RGPD Solution\", which is organized by a set of folders, each folder composed of templates and workflows. In addition to the Module, a user manual has been produced that allows a more detailed view of how to complete the forms, their objectives and the workflow that each document follows. In conclusion, the development of this project led to the creation of a Module integrated in a Document Management System that has become a technological and innovative tool in the face of data protection.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.842,
    "venue": "Open Repository of the University of Porto (University of Porto)",
    "language": "pt"
  },
  {
    "id": "arxiv:2310.19304",
    "title": "Privacy-Preserving Federated Learning over Vertically and Horizontally Partitioned Data for Financial Anomaly Detection",
    "authors": [
      "Swanand Ravindra Kadhe",
      "Heiko Ludwig",
      "Nathalie Baracaldo",
      "Alan King",
      "Yi Zhou",
      "Keith Houck",
      "Ambrish Rawat",
      "Mark Purcell",
      "Naoise Holohan",
      "Mikio Takeuchi",
      "Ryo Kawahara",
      "Nir Drucker",
      "Hayim Shaul",
      "Eyal Kushnir",
      "Omri Soceanu"
    ],
    "date": "2023-10-30",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2310.19304v1",
    "pdfUrl": "https://arxiv.org/pdf/2310.19304v1",
    "doi": "",
    "abstract": "The effective detection of evidence of financial anomalies requires collaboration among multiple entities who own a diverse set of data, such as a payment network system (PNS) and its partner banks. Trust among these financial institutions is limited by regulation and competition. Federated learning (FL) enables entities to collaboratively train a model when data is either vertically or horizontally partitioned across the entities. However, in real-world financial anomaly detection scenarios, the data is partitioned both vertically and horizontally and hence it is not possible to use existing FL approaches in a plug-and-play manner. Our novel solution, PV4FAD, combines fully homomorphic encryption (HE), secure multi-party computation (SMPC), differential privacy (DP), and randomization techniques to balance privacy and accuracy during training and to prevent inference threats at model deployment time. Our solution provides input privacy through HE and SMPC, and output privacy against inference time attacks through DP. Specifically, we show that, in the honest-but-curious threat model, banks do not learn any sensitive features about PNS transactions, and the PNS does not learn any information about the banks' dataset but only learns prediction labels. We also develop and analyze a DP mechanism to protect output privacy during inference. Our solution generates high-utility models by significantly reducing the per-bank noise level while satisfying distributed DP. To ensure high accuracy, our approach produces an ensemble model, in particular, a random forest. This enables us to take advantage of the well-known properties of ensembles to reduce variance and increase accuracy. Our solution won second prize in the first phase of the U.S. Privacy Enhancing Technologies (PETs) Prize Challenge.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.842,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|core_ac_uk__::56918f9930fca5712a16676d23a2872a",
    "title": "Novel reversible text data de-identification techniques based on native data structures",
    "authors": [
      "Al-Abdullah, Bayan"
    ],
    "date": "2022-05-20",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=50|core_ac_uk__::56918f9930fca5712a16676d23a2872a",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Technological development in today's digital world has resulted in the collection and storage of large amounts of personal data. These data enable both direct services and non-direct activities, known as secondary use. The secondary use of data can improve decision-making, service experiences, and healthcare systems. However, the widespread reuse of personal data raises significant privacy and policy issues, especially for health- related information; these data may contain sensitive data, leading to privacy breaches if compromised. Legal systems establish laws to protect the privacy of personal data disclosed for secondary use. A well-known example is the General Data Protection Regulation (GDPR), which outlines a specific set of rules for sharing and storing personal data to protect individual privacy. The GDPR explicitly points to data de-identification, especially pseudonymization, as one measure that can help meet the requirements for the processing of personal data.\\ud \\ud The literature on privacy preservation approaches has largely been developed in the field of data anonymization, where personal data are irreversibly removed or obfuscated and there is no means by which to recover an individual's identity if needed. By contrast, pseudonymization is a promising technique to protect privacy while enabling the recovery of de-identified data. Significantly, many existing approaches for pseudonymization were developed long before the GDPR requirements were established, and so they may fail to satisfy its provisions. Therefore, it is worthwhile to offer technical solutions to preserve privacy while supporting the legitimate use of data.\\ud \\ud This thesis proposes a novel de-identification system for unstructured textual data, known as ARTPHIL, that generates de-identified data in compliance with the GDPR requirement for strong pseudonymization. The system was evaluated using 2014 i2b2 testing data. 
The proposed system achieved a recall of 96.93% in terms of detec",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.842,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|dris___01492::abd1a2bfcdb60970f23e37607d42f29d",
    "title": "THE PRIVACY IMPERATIVE IN THE POST-PANDEMIC WORLD - INSIGHTS INTO CONSUMER KNOWLEDGE ABOUT “RIGHT TO BE FORGOTTEN” AND RECOGNIZING THE IMPORTANCE OF TRUST",
    "authors": [
      "Ivković, Nives"
    ],
    "date": "2021-01-01",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=50|dris___01492::abd1a2bfcdb60970f23e37607d42f29d",
    "pdfUrl": "",
    "doi": "",
    "abstract": "During a coronavirus crisis, investing in privacy for organizations has a return on investment in several areas besides building trust with their customers. The GDPR is a complex document for the rights and freedoms of data subjects that is enacted to protect personal data of all citizens of the European Union, and this paper will pay special attention to the GDPR and the right to be forgotten regarding patients and other data subjects. Some mechanisms that are enforced in relation to the pandemic from the perspective of the rights of GDPR subjects often require the application of the principle of proportionality which, since fundamental rights are not absolute, requires careful consideration in the light of the noble public health argument. Respondents should be informed for what purposes and how much their data will be kept and the processing of data should be in accordance with the principle of fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality. The privacy policies adopted during the pandemic will have a lasting impact on our societies and they will determine how we will respond to data privacy and human rights within possible emergencies in the post-covid world. The aim of this paper is to explain the rights of data subjects in a pandemic and the importance of privacy policies through the legal framework related to GDPR, the latest research and related literature. Through an interview with an expert in the field of personal data protection, a deeper insight into the rights of respondents at the time of the pandemic was provided, and the determinants of action in the case of post-covid emergencies were proposed.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.842,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|od______3848::4b9652617c160af4ccfcda1e2c0809c7",
    "title": "Guidance on data protection impact assessment for the telecommunications sector in Belgium",
    "authors": [
      "Leonard, Jan",
      "Verbustel, Veerle",
      "VISSERS, ROBIN",
      "Skonieczka, Maciej",
      "De Maesschalck, Elisabeth",
      "De Wolf, Filip",
      "Kloza, Dariusz",
      "Casiraghi, Simone",
      "Ioannidis, Nikolaos",
      "Konstantinou, Ioulia",
      "Roda, Sara",
      "Van Dijk, Niels"
    ],
    "date": "2020-10-30",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=50|od______3848::4b9652617c160af4ccfcda1e2c0809c7",
    "pdfUrl": "",
    "doi": "",
    "abstract": "The General Data Protection Regulation (GDPR, 2018) is the core instrument of the personal data protection law in the European Union (EU) and has substantially reformed the legislative framework compared to the former applicable law, the Data Protection Directive (DPD, 1995). One of the newly introduced requirements in the GDPR has been the obligation to conduct a data protection impact assessment (DPIA) (Article 35 GDPR). With regard to this process, it constitutes a form of impact assessment (IA) and, to a large extent, is a variation of privacy impact assessment (PIA). In general, impact assessment and similar ex ante evaluation techniques have proliferated so as to address largely unpredictable effects of emerging technologies, before they materialize. The objective of this guidance document is to provide the necessary foundations for the legal requirements of the process of DPIA in the heavily-regulated telecommunications sector in Belgium. The obligation to conduct a DPIA reflects the risk-based approach to the protection of personal data and the strengthening of the principle of accountability therein (Article 5(2) GDPR). Alongside many other advantages, the actors in the telecommunications sector would multiply benefit from conducting the said process, not only because it would achieve legal compliance, but also it would demonstrate a systematization of their data processing operations. Indeed, the activity of the telecommunications sector varies from continuously handling requests regarding personalized products and services, concluding contracts with customers, to optimizing the network or monitoring its performance. In order to navigate through the assessment process, first, the essential framework of IA is presented. This is part of the architecture of impact assessment and consists of principles and conditions governing the theory and practice thereof, e.g. 
independence of the assessors, the reasonable transparency therein, and their adaptive and inclus",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.842,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:3432965",
    "title": "Airline Commercial Use of EU Personal Data in the Context of the GDPR, British Airways and Schrems II",
    "authors": [
      "W. Gregory Voss"
    ],
    "date": "2021-09-10",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-03432965v1",
    "pdfUrl": "",
    "doi": "",
    "abstract": "This study, which focuses on the commercial use of personal data by U.S. airlines, uses actual cases to help analyze the application of the EU General Data Protection Regulation (GDPR) to the airline industry. It is one of the first studies to do so, and as such contributes to the literature. It begins by highlighting the British Airways GDPR penalty case, in which the UK regulator publicized its notice of intention to issue the highest administrative fine to-date under the GDPR. When the GDPR applies to them, airlines should become fully aware of key provisions of the GDPR, starting with those related to its scope and its underlying data protection principles, discussed in this study. In addition, airlines must have a legal basis to process personal data under the GDPR and, as this study shows, must have adequately prepared for data subject requests to exercise rights and potential data breaches. Several examples of the first GDPR sanctions in the airline industry are detailed, and lessons drawn. In this context, security of data is a key element. Finally, the recent Schrems II decision invalidating the EU-U.S. Privacy Shield Decision is examined, and its potential impact on the transfer of personal data from the European Union to the United States by airlines is studied, following an analysis of their privacy policies available on the Internet in the European Union.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.842,
    "venue": "Colorado Technology Law Journal",
    "language": "en"
  },
  {
    "id": "hal:2900624",
    "title": "Modelling of a privacy language and efficient policy-based de-identification",
    "authors": [
      "Armin Gerl"
    ],
    "date": "2019-12-05",
    "platform": "hal",
    "sourceUrl": "https://theses.hal.science/tel-02900624v1",
    "pdfUrl": "https://theses.hal.science/tel-02900624/document",
    "doi": "",
    "abstract": "The processing of personal information is omnipresent in our datadriven society enabling personalized services, which are regulated by privacy policies. Although privacy policies are strictly defined by the General Data Protection Regulation (GDPR), no systematic mechanism is in place to enforce them. Especially if data is merged from several sources into a data-set with different privacy policies associated, the management and compliance to all privacy requirements is challenging during the processing of the data-set. Privacy policies can vary hereby due to different policies for each source or personalization of privacy policies by individual users. Thus, the risk for negligent or malicious processing of personal data due to defiance of privacy policies exists. To tackle this challenge, a privacy-preserving framework is proposed. Within this framework privacy policies are expressed in the proposed Layered Privacy Language (LPL) which allows to specify legal privacy policies and privacy-preserving de-identification methods. The policies are enforced by a Policy-based De-identification (PD) process. The PD process enables efficient compliance to various privacy policies simultaneously while applying pseudonymization, personal privacy anonymization and privacy models for de-identification of the data-set. Thus, the privacy requirements of each individual privacy policy are enforced filling the gap between legal privacy policies and their technical enforcement.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.842,
    "venue": "",
    "language": "en"
  },
  {
    "id": "ETid-1051",
    "title": "GDPR Fine: IAB Europe — Belgian Data Protection Authority (APD) (Belgium)",
    "authors": [
      "Belgian Data Protection Authority (APD)"
    ],
    "date": "2022-02-02",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1051",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €0 | Articles: Art. 5 (1) a) GDPR, Art. 5 (2) GDPR, Art. 6 (1) GDPR, Art. 9 (1), (2) GDPR, Art. 12 (1) GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 24 (1) GDPR, Art. 30 GDPR, Art. 31 GDPR, Art. 32 (1), (2) GDPR, Art. 37 GDPR | Insufficient legal basis for data processing | The Belgian DPA has imposed a fine of EUR 250,000 on IAB Europe. The DPA had received several complaints against IAB Europe since 2019. In the context of this complaint, the compliance of the 'Transparency & Consent Framework (TCF)' with the GDPR was mainly questioned. The TCF was developed by IAB to promote compliance with the GDPR by organizations using the OpenRTB protocol. \n\nThe OpenRTB protocol is a protocol for 'real-time bidding,' which is the automated online auction of user profiles for the sale and purchase of advertising space on the Internet. When users visit a website that contains an ad space, technology companies, through an automated auction system, can bid in real time for that ad space to display personalized advertising. \n\nWhen users visit a website for the first time, an interface appears through which they can consent to the collection and sharing of their personal information or object to various types of processing. \n\nAs part of the TCF, a consent management tool appears during this process. The tool allows the user to object to certain types of data processing. The TCF registers the user's preferences through the tool by generating a TC string and sends it to all partners participating in the OpenRTB system. Based on this TC string, user profiles are compiled, which are then passed on to advertisers. This makes it visible to them what kind of data processing the users have agreed to. \n\nWithin the scope of its investigation against IAB, the DPA identified a number of violations of the GDPR.\n\nIt found that the TC strings already constituted personal data and therefore IAB was required to have a legal basis for processing these data. 
However, IAB was unable to demonstrate any such legal basis.\n\nIn addition, IAB did not properly inform users about the functioning of the TCF. For example, the information provided to users was too generic and vague to understand the scope of the data processing. \n\nFurthermore, IAB had not maintained a register of its processing activities, had not appointed a data protection officer, as well as had not conducted a data protection impact assessment. \n\nAppendix: The Belgian Market Court annulled the imposed fine of EUR 250,000 but upheld the violations found and sanctions imposed.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.842,
    "venue": "GDPR DPA: Belgian Data Protection Authority (APD)",
    "language": "en"
  },
  {
    "id": "ETid-1937",
    "title": "GDPR Fine: Tele2 Sverige Aktiebolag — Data Protection Authority of Sweden (Sweden)",
    "authors": [
      "Data Protection Authority of Sweden"
    ],
    "date": "2023-06-30",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1937",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €1,000,000 | Articles: Art. 44 GDPR | Insufficient technical and organisational measures to ensure information security | The Swedish DPA has imposed a fine of EUR 1 million on Tele2 Sverige Aktiebolag. The Austrian organization None of your Business (NOYB) had filed a complaint against the company in light of the Schrems II judgment, stating that the company was unlawfully transferring personal data to the US. The company had used Google Analytics for visitor statistics and based the data processing by the statistics tool on the EU standard contractual clauses, as no adequacy decision had been issued by the EU Commission for the USA. In the course of its investigation, the DPA determined that the use of the standard contractual clauses was not sufficient to guarantee a level of protection equivalent to that of the EU. \n---UPDATE---\nFollowing an appeal to the Administrative Court of Appeal, the court upheld the DPA's decision.",
    "topics": [
      "jurisdiction_regulatory",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.842,
    "venue": "GDPR DPA: Data Protection Authority of Sweden",
    "language": "en"
  },
  {
    "id": "ETid-1938",
    "title": "GDPR Fine: CDON AB — Data Protection Authority of Sweden (Sweden)",
    "authors": [
      "Data Protection Authority of Sweden"
    ],
    "date": "2023-06-30",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1938",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €25,000 | Articles: Art. 44 GDPR | Insufficient technical and organisational measures to ensure information security | The Swedish DPA has imposed a fine of EUR 25,000 on CDON AB. The Austrian organization None of your Business (NOYB) had filed a complaint against the company in light of the Schrems II judgment, stating that the company was unlawfully transferring personal data to the US. The company had used Google Analytics for visitor statistics and based the data processing by the statistics tool on the EU standard contractual clauses in the absence of an EU Commission adequacy decision for the USA. In the course of its investigation, the DPA determined that the use of the standard contractual clauses was not sufficient to guarantee a level of protection equivalent to that of the EU.",
    "topics": [
      "jurisdiction_regulatory",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.842,
    "venue": "GDPR DPA: Data Protection Authority of Sweden",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4408358984",
    "title": "Securing Data at Rest: Using ML-Driven Personally Identifiable Information(PII) Detection and Privacy-Preserving Techniques",
    "authors": [
      "Dorababu Nadella"
    ],
    "date": "2024",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1109/iceet65156.2024.10913953",
    "pdfUrl": "",
    "doi": "https://doi.org/10.1109/iceet65156.2024.10913953",
    "abstract": "Modern Day Enterprises collect a vast amount of Personal Identifiable Information (PII) from different sources, including interactions with customers, online behavior, survey responses, user feedback, Internet of Things (loT) devices, smartphone usage, and activity on social networks. This information, which comes in structured, semi-structured, and unstructured formats, has been stored in sources like Databases, File shares, Data Lakes, Cloud storages, and Data warehouses hosted in Cloud and On-prem data centers. This data is crucial for tailoring decisions, offering businesses a competitive advantage, and delivering personalized experiences to stakeholders. However, with strict data protection laws like the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR) in Europe, and Brazil's General Data Protection Law (LGPD) taking center stage, there's a pressing need for advanced methods to identify and secure PII that is stored at rest in On-Prem, Public cloud and SAAS systems. This study investigates Machine learning (ML), and artificial intelligence (AI) to find PII stored across different data formats automatically. Furthermore, it examines how encryption, anonymization and differential privacy can be applied to enhance the security of this data. These strategies ensure compliance with current data privacy laws and promote ethical data handling practices. The introduction of a comprehensive system that combines ML-based PII detection with these privacy-strengthening solutions offers a scalable, effective, and immediate way to address potential threats and enhance data safety. Simulations have proven this system's capability to significantly improve data security and reduce the risk of exposing sensitive information while it's at rest, thereby safeguarding the integrity of sensitive information.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.812,
    "venue": "2024 International Conference on Engineering and Emerging Technologies (ICEET)",
    "language": "en"
  },
  {
    "id": "crossref:10.5604/01.3001.0003.3161",
    "title": "The issues connected with the anonymization of medical data. Part 2. Advanced anonymization and anonymization controlled by owner of protected sensitive data",
    "authors": [
      "Arkadiusz Liber"
    ],
    "date": "2014-08-07",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.5604/01.3001.0003.3161",
    "pdfUrl": "https://publisherspanel.com/gicid/pdf/01.3001.0003.3161",
    "doi": "10.5604/01.3001.0003.3161",
    "abstract": "Introduction: Medical documentation ought to be accessible with the preservation of its integrity as well as the protection of personal data. One of the manners of its protection against disclosure is anonymization. Contemporary methods ensure anonymity without the possibility of sensitive data access control. it seems that the future of sensitive data processing systems belongs to the personalized method. In the first part of the paper k-Anonymity, (X,y)- Anonymity, (α,k)- Anonymity, and (k,e)-Anonymity methods were discussed. these methods belong to well - known elementary methods which are the subject of a significant number of publications. As the source papers to this part, Samarati, Sweeney, wang, wong and zhang’s works were accredited. the selection of these publications is justified by their wider research review work led, for instance, by Fung, Wang, Fu and y. however, it should be noted that the methods of anonymization derive from the methods of statistical databases protection from the 70s of 20th century. Due to the interrelated content and literature references the first and the second part of this article constitute the integral whole.Aim of the study: The analysis of the methods of anonymization, the analysis of the methods of protection of anonymized data, the study of a new security type of privacy enabling device to control disclosing sensitive data by the entity which this data concerns.Material and methods: Analytical methods, algebraic methods.Results: Delivering material supporting the choice and analysis of the ways of anonymization of medical data, developing a new privacy protection solution enabling the control of sensitive data by entities which this data concerns.Conclusions: In the paper the analysis of solutions for data anonymization, to ensure privacy protection in medical data sets, was conducted. 
the methods of: k-Anonymity, (X,y)- Anonymity, (α,k)- Anonymity, (k,e)-Anonymity, (X,y)-Privacy, lKc-Privacy, l-Diversity, (X,y)-linkability, t-closeness, confidence Bounding and Personalized Privacy were described, explained and analyzed. The analysis of solutions of controlling sensitive data by their owner was also conducted. Apart from the existing methods of the anonymization, the analysis of methods of the protection of anonymized data was included. In particular, the methods of: δ-Presence, e-Differential Privacy, (d,γ)-Privacy, (α,β)-Distributing Privacy and protections against (c,t)-isolation were analyzed. Moreover, the author introduced a new solution of the controlled protection of privacy. the solution is based on marking a protected field and the multi-key encryption of sensitive value. The suggested way of marking the fields is in accordance with Xmlstandard. For the encryption, (n,p) different keys cipher was selected. to decipher the content the p keys of n were used. The proposed solution enables to apply brand new methods to control privacy of disclosing sensitive data.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.8,
    "venue": "Medical Science Pulse",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::1d7e9d4e87d07eb50a13d163da996d2e",
    "title": "METICOS Deliverable D3.1 Impact assessment and recommendations (first version)",
    "authors": [
      "Dumortier, Franck",
      "Ioannidis, Nikolaos",
      "Vagelis Papakonstantinou"
    ],
    "date": "2022-07-15",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.5281/zenodo.8178578",
    "pdfUrl": "",
    "doi": "10.5281/zenodo.8178578",
    "abstract": "This document is Deliverable D3.1 – “Impact assessment and recommendations (first version)” of WP3 of the METICOS project.<br> The aim of this document is to complete a comprehensive Data Protection Impact Assessment (DPIA) of the METICOS platform. A DPIA is a process designed to describe the processing, assess its necessity and proportionality and help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data by assessing them and determining the measures to address them. In other words, a DPIA is a process for building and demonstrating compliance with the General Data Protection Regulation (GDPR) and other privacy requirements.<br> To achieve its purposes, this Deliverable: details why a DPIA is required in the context of METICOS, identifies the elements that a DPIA must contain in accordance with the GDPR and describes the methodology being followed to conduct the DPIA of the METICOS platform. contains an overview of the processing carried out by the METICOS platform, a description of the data collected by each data source, a data flow diagram and an overall description of processes being carried out by each component. ensures that the METICOS platform is built in compliance with the following privacy principles: purpose limitation, lawfulness, necessity of the data processing operations, data minimization, data quality and storage limitation. Controls protecting data subjects’ rights as well as the legal exemptions are also being examined. proceeds to the identification of the risks to the rights and freedoms of the data subjects and contains recommendations of technical or operational solutions and mitigation measures to address those risks. The analysis and hence the outcomes of this Deliverable will in turn inform the METICOS developers and data providers about the ways for developing and using the METICOS technology to ensure that data protection and privacy principles are taken care of. 
It is important to",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.8,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.5120/ijca2016911874",
    "title": "Privacy Preserved Data Publishing Techniques for Tabular Data",
    "authors": [
      "Sabitha S.",
      "Keerthy C."
    ],
    "date": "2016-10-17",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.5120/ijca2016911874",
    "pdfUrl": "",
    "doi": "10.5120/ijca2016911874",
    "abstract": "Almost all countries have imposed strict laws on the disclosure of Personally Identifiable Information(PII). However PII need to be published for many purposes like research. In such cases, we apply different types of methods like anonymization, encryption etc. This paper discuss about the different methods of anonymization of tabular microdata. The most popular method of data anonymization of tabular data is k-anonymity. However, it suffers from many attacks and hence l-diversity was proposed. The l-diversity anonymization also possessed various limitations and hence t-closeness was proposed. This paper summarize these anonymization techniques and their limitations.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.8,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:oai:vu.lt:elaba:69377791",
    "title": "ES Bendrojo duomenų apsaugos reglamento taikymo dirbtiniam intelektui ypatumai",
    "authors": [
      "Seliutaitė, Kotryna"
    ],
    "date": "2020-04-21",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=oai:vu.lt:elaba:69377791",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Peculiarities of Application of the EU General Data Protection Regulation for Artificial Intelligence Rapid development and widespread application of artificial intelligence (AI) technology lead to the collection and use of an infinite amount of personal data, which, without adequate safeguards and supervision, at a global level poses a challenge to individuals' rights to privacy and data protection. Given that 90% of global data have been created over the last five years, appropriate adaptation is inevitably necessary from a data protection regulatory perspective. A particular step in the area of data protection has been taken by the adoption of the General Data Protection Regulation (GDPR). Tightened data privacy rules have not only begun a new phase of data protection regulation in the EU but have also become an example and a starting point for other legislators and technology developers around the world. In the context of AI, data protection by design and by default and automated individual decision-making, including profiling, clauses are of major importance in GDPR regulation. Nevertheless, the principles of lawfulness, fairness and transparency, purpose limitation, data minimization and data subjects‘ right to be forgotten and the right to data portability also have a significant impact on the AI processing of personal data. The first part of the thesis addresses the issues of definition of AI, differences in privacy and data protection concepts, reveals the need for AI regulation, assesses regulatory progress and measures in the EU, Lithuania and the US. The second part of the work focuses on GDPR as a source of AI regulation, discusses key regulatory features and preconditions for the application of regulation to AI. The third part of the thesis assesses the impact of the application of GDPR principles on AI, followed by the study of specific rights of the data subject and the obligations arising therefrom for an entity using AI. 
The work is limited to the ",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.8,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.18523/2617-2607.2023.11.64-76",
    "title": "The Compliance of Facial Processing in France with the Article 9 Paragraph 2 (a) (g) of (EU) General Data Protection Regulation",
    "authors": [
      "Daria Bulgakova",
      "Valentyna Bulgakova"
    ],
    "date": "2023-10-26",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.18523/2617-2607.2023.11.64-76",
    "pdfUrl": "",
    "doi": "10.18523/2617-2607.2023.11.64-76",
    "abstract": "<jats:p>The legal identity of individuals is critical in digital ecosystems, and biometric systems play a vital role in verifying identities throughout their lives. However, these systems also pose significant risks and require responsible use. The European Union has established a digital strategy to create a trusted and secure digital identity, setting a global standard for technological development in identification. In line with the General Data Protection Regulation Article 9(1), member countries must justify any exceptions to the rule provided. France has taken a leading role in using unique identification legally, implementing digitally processed attributes such as facial recognition through the Alicem application on smartphones to identify individuals in a digital environment, and improving e-services uniquely. Specifically, the article analyses the General Data Protection Regulation Article 9, paragraph 1, and the exceptional conditions outlined in paragraph 2 (a) (g) along with scrutinized legislation in France of Decree n°2019-452 of 13 May 2019, which authorized the use of unique identification known as ‘Certified Online Authentication on Mobile.’ The research recommends that EU member countries taking approaches to introduce GDPR Article 9 into national legislation should consider their citizens’ specific needs and concerns while aligning with the European Union law because it is critical to balance the benefits of biometric systems with the risks posed to personal data protection, ensuring that their responsible use contributes to a secure and trustworthy digital ecosystem.</jats:p>",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Biometric & Immutable PII",
      "Enforcement"
    ],
    "relevanceScore": 0.796,
    "venue": "Наукові записки НаУКМА: Юридичні науки",
    "language": "en"
  },
  {
    "id": "europepmc:PPR1110041",
    "title": "Federated Zero-Trust: Privacy-Preserving Analytics Across Multi-Cloud Environments",
    "authors": [
      "Bollikonda M."
    ],
    "date": "2025-10-28",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.20944/preprints202510.1928.v1",
    "pdfUrl": "https://doi.org/10.20944/preprints202510.1928.v1",
    "doi": "10.20944/preprints202510.1928.v1",
    "abstract": "The rapid expansion of multi-cloud ecosystems has intensified the demand for privacy-preserving analytics across untrusted infrastructures. This paper proposes Federated Zero-Trust Analytics (FZTA), a framework that integrates federated learning, zero-trust security, and privacy-enhancing computation to enable secure data collaboration without centralized trust. The design combines continuous identity verification, decentralized policy enforcement, and hybrid cryptography based on homomorphic encryption and differential privacy. Evaluation across three commercial clouds demonstrates that FZTA achieves near baseline model accuracy (within 2% of centralized training) while maintaining (ε&lt;1.2, δ=10−5) differential privacy guarantees and less than 20% computational overhead. The framework resists eavesdropping, replay, and model inversion attacks while meeting compliance standards such as GDPR and HIPAA. Results confirm that strong privacy and federated scalability can coexist under zero-trust conditions, establishing a foundation for secure cross-domain analytics in healthcare, finance, and IoT applications.",
    "topics": [
      "privacy_engineering",
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.796,
    "venue": "",
    "language": "de"
  },
  {
    "id": "s2:ab3f26c7318059620be69b2ed5d1a5d2f5d1fc78",
    "title": "A Survey on Current Trends and Recent Advances in Text Anonymization",
    "authors": [
      "Tobias Deußer",
      "Lorenz Sparrenberg",
      "Armin Berger",
      "Max Hahnbück",
      "Christian Bauckhage",
      "R. Sifa"
    ],
    "date": "2025-08-29",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/ab3f26c7318059620be69b2ed5d1a5d2f5d1fc78",
    "pdfUrl": "https://arxiv.org/pdf/2508.21587v1",
    "doi": "10.1109/DSAA65442.2025.11247969",
    "abstract": "The proliferation of textual data containing sensitive personal information across various domains requires robust anonymization techniques to protect privacy and comply with regulations, while preserving data usability for diverse and crucial downstream tasks. This survey provides a comprehen-sive overview of current trends and recent advances in text anonymization techniques. We begin by discussing foundational approaches, primarily centered on Named Entity Recognition, before examining the transformative impact of Large Language Models, detailing their dual role as sophisticated anonymizers and potent de-anonymization threats. The survey further ex-plores domain-specific challenges and tailored solutions in critical sectors such as healthcare, law, finance, and education. We investigate advanced methodologies incorporating formal privacy models and risk-aware frameworks, and address the specialized subfield of authorship anonymization. Additionally, we review evaluation frameworks, comprehensive metrics, benchmarks, and practical toolkits for real-world deployment of anonymization solutions. This review consolidates current knowledge, identifies emerging trends and persistent challenges, including the evolving privacy-utility trade-off, the need to address quasi-identifiers, and the implications of LLM capabilities, and aims to guide future research directions for both academics and practitioners in this field.",
    "topics": [
      "data_anonymization",
      "pii_entity_types",
      "linkability_tracking"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Re-identification"
    ],
    "relevanceScore": 0.796,
    "venue": "International Conference on Data Science and Advanced Analytics",
    "language": "en"
  },
  {
    "id": "crossref:10.1093/oso/9780198826491.003.0077",
    "title": "Article 39 Tasks of the data protection officer",
    "authors": [
      "Cecilia Alvarez Rigaudias",
      "Alessandro Spina"
    ],
    "date": "2020-02-13",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.1093/oso/9780198826491.003.0077",
    "pdfUrl": "https://academic.oup.com/oxford-law-pro/book/chapter-pdf/58569744/isbn-9780198826491-book-part-77.pdf",
    "doi": "10.1093/oso/9780198826491.003.0077",
    "abstract": "Abstract\n               Article 30 (Records of processing activities) (see too recital 82); Article 33 (Notification of a personal data breach to the supervisory authority) (see too recital 85); Article 35 (Data protection impact assessment) (see too recitals 90–91); Article 36 (Prior consultation) (see too recital 94); Article 37 (Designation of the data protection officer) (see too recital 97); Article 38 (Position of the data protection officer) (see too recital 97); Article 47 (Binding corporate rules) (see too recital 108); Article 57 (Tasks of supervisory authorities) (see too recital 122).",
    "topics": [
      "gdpr_compliance",
      "enterprise_privacy_ops",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations",
      "Solutions Market"
    ],
    "relevanceScore": 0.796,
    "venue": "The EU General Data Protection Regulation (GDPR)",
    "language": "en"
  },
  {
    "id": "crossref:10.1093/oso/9780198826491.003.0076",
    "title": "Article 38 Position of the data protection officer",
    "authors": [
      "Cecilia Alvarez Rigaudias",
      "Alessandro Spina"
    ],
    "date": "2020-02-13",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.1093/oso/9780198826491.003.0076",
    "pdfUrl": "https://academic.oup.com/oxford-law-pro/book/chapter-pdf/58569741/isbn-9780198826491-book-part-76.pdf",
    "doi": "10.1093/oso/9780198826491.003.0076",
    "abstract": "Abstract\n               Article 13(1)(b) (Information to be provided where personal data are collected from the data subject) (see too recitals 60–61); Article 14(1)(b) (Information to be provided where personal data have not been obtained from the data subject) (see too recital 61); Article 30 (Records of processing activities) (see too recital 82); Article 33 (Notification of a personal data breach to the supervisory authority) (see too recital 85); Article 35 (Data protection impact assessment) (see too recitals 90–91); Article 36 (Prior consultation) (see too recital 94); Article 37 (Designation of the Data Protection Officer) (see too recital 97); Article 39 (Tasks of the data protection officer) (see too recitals 77 and 97); Article 47 (Binding corporate rules) (see too recital 108); Article 52(1) (Independence of supervisory authorities) (see too recitals 117–118 and 120–121); Article 57 (Tasks of supervisory authorities) (see too recital 122); Article 69 (Independence of the EDPB) (see too recital 139).",
    "topics": [
      "gdpr_compliance",
      "enterprise_privacy_ops",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations",
      "Solutions Market"
    ],
    "relevanceScore": 0.796,
    "venue": "The EU General Data Protection Regulation (GDPR)",
    "language": "en"
  },
  {
    "id": "crossref:10.2139/ssrn.6050296",
    "title": "Data Protection and Privacy in the Digital Age: Comparative Perspectives on India's Digital Personal Data Protection Act and the EU General Data Protection Regulation",
    "authors": [
      "Anam Siddiqui"
    ],
    "date": "2026-02-05",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.2139/ssrn.6050296",
    "pdfUrl": "",
    "doi": "10.2139/ssrn.6050296",
    "abstract": "Digital technologies have transformed personal data into a critical resource, raising urgent questions of privacy, accountability, and regulation. This paper examines India's Digital Personal Data Protection Act, 2023 (DPDP Act) in comparison with the European Union's General Data Protection Regulation (GDPR). It highlights key similarities-such as consent requirements and individual rights-and differences, including enforcement mechanisms, scope, and penalties. Through comparative analysis, the paper argues that India's framework, while a significant step forward, requires stronger institutional safeguards and cross-border data transfer rules to align with global standards. The study proposes a layered approach to privacy protection, emphasizing transparency, accountability, and harmonization with international norms.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.796,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.23939/csn2024.02.072",
    "title": "LARGE LANGUAGE MODELS AND PERSONAL INFORMATION: SECURITY CHALLENGES AND SOLUTIONS THROUGH ANONYMIZATION",
    "authors": [
      "P.I. Zamroz",
      "Y.V. Morozov"
    ],
    "date": "2024-12-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.23939/csn2024.02.072",
    "pdfUrl": "https://science.lpnu.ua/sites/default/files/journal-paper/2024/dec/37283/vsenew-74-83.pdf",
    "doi": "10.23939/csn2024.02.072",
    "abstract": "<jats:p>In light of the growing capabilities of Large Language Models (LLMs), there is an urgent need for effective methods to protect personal data in online texts. Existing anonymization methods often prove ineffective against complex LLM analysis algorithms, especially when processing sensitive information such as medical data. This research proposes an innovative approach to anonymization that combines k-anonymity and adversarial methods. Our approach aims to improve the efficiency and speed of anonymization while maintaining a high level of data protection. Experimental results on a dataset of 10,000 comments showed a 40% reduction in processing time (from 250 ms to 150 ms per comment) compared to traditional adversarial methods, a 5% improvement in medical data anonymization accuracy (from 90% to 95%), and a 7% improvement in data utility preservation (from 85% to 92%). Special attention is paid to the application of the method in the context of interaction with LLM-based chatbots and medical information processing. We conduct an experimental evaluation of our method, comparing it with existing industrial anonymizers on real and synthetic datasets. The results demonstrate significant improvements in both data utility preservation and privacy protection. Our method also takes into account GDPR requirements, setting a new standard in the field of data anonymization for AI interactions. This research offers a practical solution for protecting user privacy in the era of LLMs, especially in sensitive areas such as healthcare. Keywords: AI, data security, ML, LLM, privacy.</jats:p>",
    "topics": [
      "data_anonymization",
      "nlp_ner_tools",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.796,
    "venue": "Komp'ûternì sistemi ta merežì",
    "language": "en"
  },
  {
    "id": "openaire:10.11613/bm.2020.030201",
    "title": "Before and after enforcement of GDPR",
    "authors": [
      "Puljak, Livia",
      "Mladinić, Anamarija",
      "Iphofen, Ron",
      "Koporc, Zvonimir"
    ],
    "date": "2020-10-12",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.11613/bm.2020.030201",
    "pdfUrl": "",
    "doi": "10.11613/bm.2020.030201",
    "abstract": "<jats:p>Introduction The European Union’s (EU) General Data Protection Regulation (GDPR) was put in force on 25th May 2018. It is not known how many personal data protection requests the national authority in Croatia had received before and after GDPR, and how many of those were related to research. Materials and methods We obtained data from the Croatian Personal Data Protection Agency (CPDPA) about requests/complaints related to personal data protection that were received specifically from academic/research institutions, specifically the number and type of all cases/requests between the years 2015-2019. Results In 2018, CPDPA had a dramatic increase in the number of requests in the post-GDPR period, compared to the pre-GDPR period of the same year. In 2019, CPDPA received 2718 requests/complaints; less than in the year 2018. From 2015 to 2019, CPDPA received only 37 requests related to research. Conclusions Very few requests about personal data protection from academic and research institutions in Croatia were submitted to the national Croatian data protection authority. Future studies could explore whether researchers have sufficient awareness and knowledge about personal data protection related to research, to adequately implement the GDPR regulations.</jats:p>",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.796,
    "venue": "BMC research notes",
    "language": "en"
  },
  {
    "id": "openaire:10.1089/bio.2015.0100",
    "title": "Reconsidering Anonymization-Related Concepts and the Term “Identification” Against the Backdrop of the European Legal Framework",
    "authors": [
      "Sariyar, Murat",
      "Schlünder, Irene"
    ],
    "date": "2016-10-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1089/bio.2015.0100",
    "pdfUrl": "",
    "doi": "10.1089/bio.2015.0100",
    "abstract": "Sharing data in biomedical contexts has become increasingly relevant, but privacy concerns set constraints for free sharing of individual-level data. Data protection law protects only data relating to an identifiable individual, whereas \"anonymous\" data are free to be used by everybody. Usage of many terms related to anonymization is often not consistent among different domains such as statistics and law. The crucial term \"identification\" seems especially hard to define, since its definition presupposes the existence of identifying characteristics, leading to some circularity. In this article, we present a discussion of important terms based on a legal perspective that it is outlined before we present issues related to the usage of terms such as unique \"identifiers,\" \"quasi-identifiers,\" and \"sensitive attributes.\" Based on these terms, we have tried to circumvent a circular definition for the term \"identification\" by making two decisions: first, deciding which (natural) identifier should stand for the individual; second, deciding how to recognize the individual. In addition, we provide an overview of anonymization techniques/methods for preventing re-identification. The discussion of basic notions related to anonymization shows that there is some work to be done in order to achieve a mutual understanding between legal and technical experts concerning some of these notions. Using a dialectical definition process in order to merge technical and legal perspectives on terms seems important for enhancing mutual understanding.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance",
      "linkability_tracking"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Re-identification"
    ],
    "relevanceScore": 0.796,
    "venue": "",
    "language": "en"
  },
  {
    "id": "europepmc:PPR1132386",
    "title": "The Technical–Regulatory Correspondence Matrix: A Practical Development Framework for Building GDPR- and AI Act-Compliant High-Risk AI Systems",
    "authors": [
      "Goncalves A",
      "Correia A."
    ],
    "date": "2025-12-08",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.20944/preprints202512.0593.v1",
    "pdfUrl": "https://doi.org/10.20944/preprints202512.0593.v1",
    "doi": "10.20944/preprints202512.0593.v1",
    "abstract": "The European Union Artificial Intelligence Act (AI Act) and the General Data Protection Regulation (GDPR) impose stringent and partly overlapping obligations on high-risk AI systems deployed in cybersecurity and critical infrastructure contexts. Yet organisations still lack concrete mechanisms to translate these legal requirements into actionable engineering tasks and auditable evidence along MLOps lifecycles. This paper proposes the Technical--Regulatory Correspondence Matrix (TRCM) as a structured correspondence layer that explicitly links regulatory pillars (derived from the GDPR, the AI Act and emerging AI management system standards) to families of technical dimensions in AI-based security monitoring and incident detection. The TRCM captures the many-to-many relationships between legal obligations and technical activities and is designed to be instantiated for specific high-risk use-case families. We introduce the matrix, define its regulatory and technical dimensions, and apply it to a representative cybersecurity scenario: network anomaly detection operated by essential service operators to protect critical infrastructures. For this use case, we derive a regulatory profile, construct a filtered TRCM and show how obligations on risk management, data governance, robustness, transparency and human oversight can be mapped to concrete controls (for example, data inventories and lineage, stress-testing suites, monitoring and incident response procedures, explainability mechanisms and human--AI interaction patterns) and to associated evidence artefacts embedded as correspondence checkpoints in an MLOps pipeline. We then analyse the operational implications of adopting the TRCM for engineering, compliance, risk and audit functions, arguing that it supports an evidence-by-design posture and observability-driven AI governance in cybersecurity operations. 
Finally, we discuss the limitations of the current formulation and outline directions for future work on standardisa",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory",
      "ai_governance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.796,
    "venue": "",
    "language": "en"
  },
  {
    "id": "europepmc:40176788",
    "title": "Balancing Security and Privacy: Web Bot Detection, Privacy Challenges, and Regulatory Compliance under the GDPR and AI Act.",
    "authors": [
      "Martínez Llamas J",
      "Vranckaert K",
      "Preuveneers D",
      "Joosen W."
    ],
    "date": "2025-03-24",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.12688/openreseurope.19347.1",
    "pdfUrl": "https://europepmc.org/articles/PMC11962364?pdf=render",
    "doi": "10.12688/openreseurope.19347.1",
    "abstract": "This paper presents a comprehensive analysis of web bot activity, exploring both offensive and defensive perspectives within the context of modern web infrastructure. As bots play a dual role-enabling malicious activities like credential stuffing and scraping while also facilitating benign automation-distinguishing between humans, good bots, and bad bots has become increasingly critical. We examine the technical challenges of detecting web bots amidst large volumes of benign traffic, highlighting the privacy risks involved in monitoring users at scale. Additionally, the study dives into the use of Privacy Enhancing Technologies (PETs) to strike a balance between bot detection and user privacy. These technologies provide innovative approaches to minimising data exposure while maintaining the effectiveness of bot-detection mechanisms. Furthermore, we explore the legal and ethical considerations associated with bot detection, mapping the technical solutions to the regulatory frameworks set forth by the EU General Data Protection Regulation (GDPR) and the Artificial Intelligence Act (AI Act). By analysing these regulatory constraints, we provide insights into how organisations can ensure compliance while maintaining robust bot defence strategies, fostering a responsible approach to cybersecurity in a privacy-conscious world.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations",
      "Solutions Market"
    ],
    "relevanceScore": 0.796,
    "venue": "Open research Europe",
    "language": "en"
  },
  {
    "id": "pubmed:32774116",
    "title": "Before and after enforcement of GDPR: Personal data protection requests received by Croatian Personal Data Protection Agency from academic and research institutions.",
    "authors": [
      "Puljak, Livia",
      "Mladinić, Anamarija",
      "Iphofen, Ron",
      "Koporc, Zvonimir"
    ],
    "date": "2020-08-05",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1371/journal.pone.0177158",
    "pdfUrl": "",
    "doi": "10.1371/journal.pone.0177158",
    "abstract": "INTRODUCTION: The European Union's (EU) General Data Protection Regulation (GDPR) was put in force on 25th May 2018. It is not known how many personal data protection requests the national authority in Croatia had received before and after GDPR, and how many of those were related to research. MATERIALS AND METHODS: We obtained data from the Croatian Personal Data Protection Agency (CPDPA) about requests/complaints related to personal data protection that were received specifically from academic/research institutions, specifically the number and type of all cases/requests between the years 2015-2019. RESULTS: In 2018, CPDPA had a dramatic increase in the number of requests in the post-GDPR period, compared to the pre-GDPR period of the same year. In 2019, CPDPA received 2718 requests/complaints; less than in the year 2018. From 2015 to 2019, CPDPA received only 37 requests related to research. CONCLUSIONS: Very few requests about personal data protection from academic and research institutions in Croatia were submitted to the national Croatian data protection authority. Future studies could explore whether researchers have sufficient awareness and knowledge about personal data protection related to research, to adequately implement the GDPR regulations.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.796,
    "venue": "Biochemia medica",
    "language": "en"
  },
  {
    "id": "doaj:2bfcce46d70942a59e347700c0eb943e",
    "title": "Ethics and responsible AI deployment",
    "authors": [
      "Petar Radanliev",
      "Petar Radanliev",
      "Omar Santos",
      "Alistair Brandon-Jones",
      "Adam Joinson"
    ],
    "date": "2024",
    "platform": "doaj",
    "sourceUrl": "https://www.frontiersin.org/articles/10.3389/frai.2024.1377011/full",
    "pdfUrl": "",
    "doi": "10.3389/frai.2024.1377011",
    "abstract": "As Artificial Intelligence (AI) becomes more prevalent, protecting personal privacy is a critical ethical issue that must be addressed. This article explores the need for ethical AI systems that safeguard individual privacy while complying with ethical standards. By taking a multidisciplinary approach, the research examines innovative algorithmic techniques such as differential privacy, homomorphic encryption, federated learning, international regulatory frameworks, and ethical guidelines. The study concludes that these algorithms effectively enhance privacy protection while balancing the utility of AI with the need to protect personal data. The article emphasises the importance of a comprehensive approach that combines technological innovation with ethical and regulatory strategies to harness the power of AI in a way that respects and protects individual privacy.",
    "topics": [
      "ai_governance",
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.796,
    "venue": "Frontiers in Artificial Intelligence",
    "language": "en"
  },
  {
    "id": "hal:4668779",
    "title": "The lawfulness of re-identification under data protection law",
    "authors": [
      "Teodora Curelariu",
      "Alexandre Lodie"
    ],
    "date": "2024-09-04",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-04668779v1",
    "pdfUrl": "https://hal.science/hal-04668779/document",
    "doi": "10.1007/978-3-031-68024-3_6",
    "abstract": "Data re-identification methods are becoming increasingly sophisticated and can lead to disastrous data breaches. Re-identification is a key research topic for computer scientists as it can be used to reveal vulnerabilities of de-identification methods such as anonymisation or pseudonymisation. However, re-identification, even for research purposes, involves processing personal data. From this background, this paper aims to investigate whether reidentification carried out by computer scientists for research purposes can be considered GDPR-compliant. This issue is paramount to contribute to improving the state of knowledge concerning data security measures.",
    "topics": [
      "gdpr_compliance",
      "reversible_anonymization",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Re-identification"
    ],
    "relevanceScore": 0.796,
    "venue": "APF",
    "language": "en"
  },
  {
    "id": "openaire:10.1007/978-3-031-17040-9_3",
    "title": "Privacy",
    "authors": [
      "Bernd Carsten Stahl",
      "Doris Schroeder",
      "Rowena Rodrigues"
    ],
    "date": "2022-11-02",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1007/978-3-031-17040-9_3",
    "pdfUrl": "",
    "doi": "10.1007/978-3-031-17040-9_3",
    "abstract": "Privacy and data protection are concerns raised about most digital technologies. The advance of artificial intelligence (AI) has given even higher levels of prominence to these concerns. Three cases are presented as examples to highlight the way in which AI can affect or exacerbate privacy concerns. The first deals with the use of private data in authoritarian regimes. The second looks at the implications of AI use of genetic data. The third concerns problems linked to biometric surveillance. Then follows a description of how privacy concerns are currently addressed via data protection regulation and a discussion of where AI may raise new challenges to existing data protection regimes. Current European data protection law requires data protection impact assessment. This chapter suggests that a broader AI impact assessment could broaden the remit of such an assessment to offer more comprehensive coverage of possible privacy concerns linked to AI.",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.796,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.9785/cri-2025-260103",
    "title": "GDPR Enforcement Beyond EU-Borders — The Dutch Data Protection Authority’s Fine on Clearview AI and the Future of AI Regulation & Enforcement",
    "authors": [
      "Olaf van Haperen"
    ],
    "date": "2025-03-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.9785/cri-2025-260103",
    "pdfUrl": "https://www.degruyterbrill.com/document/doi/10.9785/cri-2025-260103/xml",
    "doi": "10.9785/cri-2025-260103",
    "abstract": "After a brief introduction (I.), the article summarises the reasoning of the Dutch Data Protection Authority (II.) and examines the challenges of enforcing GDPR against companies outside the EU (III.) as well as the potential future impact of the upcoming European Union Artificial Intelligence (AI) Act on such cases (IV.). A particular emphasis is placed on how the AI Act’s provisions may influence future regulatory decisions and enforcement actions involving AI technologies such as facial recognition, biometric data processing, and surveillance.",
    "topics": [
      "jurisdiction_regulatory",
      "gdpr_compliance",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.796,
    "venue": "Computer Law Review International",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4206025728",
    "title": "Bridging the Gap Between AI and Explainability in the GDPR: Towards Trustworthiness-by-Design in Automated Decision-Making",
    "authors": [
      "Ronan Hamon",
      "H. Junklewitz",
      "Ignacio Sanchez",
      "Gianclaudio Malgieri",
      "Paul De Hert"
    ],
    "date": "2022",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1109/mci.2021.3129960",
    "pdfUrl": "",
    "doi": "https://doi.org/10.1109/mci.2021.3129960",
    "abstract": "Can satisfactory explanations for complex machine learning models be achieved in high-risk automated decision-making? How can such explanations be integrated into a data protection framework safeguarding a right to explanation? This article explores from an interdisciplinary point of view the connection between existing legal requirements for the explainability of AI systems set out in the General Data Protection Regulation (GDPR) and the current state of the art in the field of explainable AI. It studies the challenges of providing human legible explanations for current and future AI-based decision-making systems in practice, based on two scenarios of automated decision-making in credit scoring risks and medical diagnosis of COVID-19. These scenarios exemplify the trend towards increasingly complex machine learning algorithms in automated decision-making, both in terms of data and models. Current machine learning techniques, in particular those based on deep learning, are unable to make clear causal links between input data and final decisions. This represents a limitation for providing exact, human-legible reasons behind specific decisions, and presents a serious challenge to the provision of satisfactory, fair and transparent explanations. Therefore, the conclusion is that the quality of explanations might not be considered as an adequate safeguard for automated decision-making processes under the GDPR. Accordingly, additional tools should be considered to complement explanations. These could include algorithmic impact assessments, other forms of algorithmic justifications based on broader AI principles, and new technical developments in trustworthy AI. This suggests that eventually all of these approaches would need to be considered as a whole.",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry",
      "ai_governance"
    ],
    "painPointTracks": [
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.796,
    "venue": "IEEE Computational Intelligence Magazine",
    "language": "en"
  },
  {
    "id": "s2:e9925aa656dbd7e4bc63b4a31f2e03288b7d5d4f",
    "title": "A Fedarated Pseudonymization Framework for Privacy-Preservating LLM's",
    "authors": [
      "Saravanan C",
      "Keerti S R",
      "Kalki S",
      "Jeevan Prasanth V",
      "Akileswaran J"
    ],
    "date": "2025-10-28",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/e9925aa656dbd7e4bc63b4a31f2e03288b7d5d4f",
    "pdfUrl": "",
    "doi": "10.1109/ICCES67310.2025.11336365",
    "abstract": "As the adoption of cloud-based Large Language Models (LLMs) expands, safeguarding Personally Identifiable Information (PII) has become a critical challenge-particularly in sensitive domains like healthcare, finance, and legal services. This work proposes a novel Federated Contextual Pseudonymization Framework with Adaptive Fine-Tuning, designed to enable secure, real-time interaction with LLMs without compromising data utility. Leveraging advanced Named Entity Recognition (NER) techniques and federated learning, the framework ensures that sensitive data is pseudonymized at the source and never centralized during training. Tools such as Hugging Face Transformers, spaCy, and POS tagging modules are integrated to enable precise detection of both common and context-specific entities across distributed nodes. The system supports adaptive fine-tuning, enhancing performance across diverse linguistic styles and domains. Crucially, a secure reidentification mechanism maps anonymized tokens back to original values only when authorized, preserving personalization in outputs. Empirical results demonstrate strong performance: 97.2% precision in PII detection, a 95.8% F1-score in multilingual settings, and a 28 % reduction in latency. This architecture balances privacy, compliance (GDPR, HIPAA), and scalability— making it suitable for high-stakes applications such as diagnostic assistants, legal automation, and secure customer service bots.",
    "topics": [
      "data_anonymization",
      "pii_entity_types",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.796,
    "venue": "International Conference on Communication and Electronics Systems",
    "language": "en"
  },
  {
    "id": "s2:c63164bd66b06ad00848ce1c564e8ddf6af10e7c",
    "title": "Clinical de-identification using sub-document analysis and ELECTRA",
    "authors": [
      "Rosario Catelli",
      "F. Gargiulo",
      "Emanuele Damiano",
      "M. Esposito",
      "G. Pietro"
    ],
    "date": "2021-09-01",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/c63164bd66b06ad00848ce1c564e8ddf6af10e7c",
    "pdfUrl": "",
    "doi": "10.1109/icdh52753.2021.00050",
    "abstract": "The privacy protection mechanism in the health context is becoming a crucial task given the exponential increase in the adoption of the Electronic Health Records (EHRs) all around the world. This kind of data can be used for medical investigation and research only if it is filtered out of all the so called Protected Health Information (PHI). This paper proposes a clinical de-identification system based on deep learning techniques for Named Entity Recognition and aimed at recognizing PHI entities to be replaced by surrogates in EHRs for anonymization purposes. This system is based on ELECTRA, a recent neural language model, and is enhanced through a sub-document level analysis aimed at grouping input sentences together, through a Sentences Grouping Factor (SGF), with the aim of broadening the representation context and consequently enhancing its ability to learn. This system was experimentally tested on the official dataset distributed in 2014 by Informatics for Integrating Biology & the Bedside research group, exhibiting superior performance compared to the state of the art in terms of detection at the category level, crucial for properly substituting PHI entities with surrogates. The effectiveness of the proposed system with respect to its components has been also confirmed by a further experimental analysis performed by substituting BERT language model in place of ELECTRA and varying SGF in accordance with limitations concerning the maximum input size for the language model used.",
    "topics": [
      "data_anonymization",
      "sector_healthcare",
      "pii_entity_types"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Health & Genomic PII"
    ],
    "relevanceScore": 0.796,
    "venue": "International Conference on Digital Health",
    "language": "en"
  },
  {
    "id": "arxiv:2507.23736",
    "title": "DICOM De-Identification via Hybrid AI and Rule-Based Framework for Scalable, Uncertainty-Aware Redaction",
    "authors": [
      "Kyle Naddeo",
      "Nikolas Koutsoubis",
      "Rahul Krish",
      "Ghulam Rasool",
      "Nidhal Bouaynaya",
      "Tony OSullivan",
      "Raj Krish"
    ],
    "date": "2025-07-31",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2507.23736v1",
    "pdfUrl": "https://arxiv.org/pdf/2507.23736v1",
    "doi": "",
    "abstract": "Access to medical imaging and associated text data has the potential to drive major advances in healthcare research and patient outcomes. However, the presence of Protected Health Information (PHI) and Personally Identifiable Information (PII) in Digital Imaging and Communications in Medicine (DICOM) files presents a significant barrier to the ethical and secure sharing of imaging datasets. This paper presents a hybrid de-identification framework developed by Impact Business Information Solutions (IBIS) that combines rule-based and AI-driven techniques, and rigorous uncertainty quantification for comprehensive PHI/PII removal from both metadata and pixel data. Our approach begins with a two-tiered rule-based system targeting explicit and inferred metadata elements, further augmented by a large language model (LLM) fine-tuned for Named Entity Recognition (NER), and trained on a suite of synthetic datasets simulating realistic clinical PHI/PII. For pixel data, we employ an uncertainty-aware Faster R-CNN model to localize embedded text, extract candidate PHI via Optical Character Recognition (OCR), and apply the NER pipeline for final redaction. Crucially, uncertainty quantification provides confidence measures for AI-based detections to enhance automation reliability and enable informed human-in-the-loop verification to manage residual risks. This uncertainty-aware deidentification framework achieves robust performance across benchmark datasets and regulatory standards, including DICOM, HIPAA, and TCIA compliance metrics. By combining scalable automation, uncertainty quantification, and rigorous quality assurance, our solution addresses critical challenges in medical data de-identification and supports the secure, ethical, and trustworthy release of imaging data for research.",
    "topics": [
      "data_anonymization",
      "sector_healthcare",
      "pii_entity_types"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Health & Genomic PII"
    ],
    "relevanceScore": 0.796,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:oai:cadmus.eui.eu:1814/76052",
    "title": "GDPR’s reflection in privacy-enhancing technologies : implications for AI data protection",
    "authors": [
      "RINTAMÄKI, Tytti Katariina"
    ],
    "date": "2023-01-01",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=oai:cadmus.eui.eu:1814/76052",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Award date: 15 June 2023 Supervisor: Prof. Andrea Renda (European University Institute) The responsibility for regulating emerging technologies such as AI is falling into the hands of the Data Protection Regulators as responsibility is attributed to them through the AI Act. The General Data Protection Regulation (GDPR) will serve as the data governance framework that is expected to protect European data. Despite debates, this paper will show that GDPR and AI systems can coexist. But how should AI systems begin to implement GDPR in their design? This study turns to Privacy-enhancing technologies (PETs) and how well they reflect GDPR to draw lessons for future AI. This analysis finds through content analysis that GDPR is largely reflected in the privacy policies, bylaws and codes of conduct of various PETs and encourages AI systems to learn from this. Specifically this research suggests that AI systems should utilize PETs as tools to further enhance their data protection and compliance with GDPR.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations",
      "Solutions Market"
    ],
    "relevanceScore": 0.796,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:5231098",
    "title": "Secure Reuse of Massive Health Data with AI : De-identification through Machine Learning for Federated Learning Information Systems",
    "authors": [
      "Mohamed El Azzouzi"
    ],
    "date": "2025-05-07",
    "platform": "hal",
    "sourceUrl": "https://theses.hal.science/tel-05231098v1",
    "pdfUrl": "https://theses.hal.science/tel-05231098/document",
    "doi": "",
    "abstract": "This thesis addresses the challenges and solutions related to the reuse of health data, focusing on protecting patients' privacy while enabling the exploitation of electronic health record (EHR) data for clinical research and improving healthcare services. First, we explore the general context of health data reuse, emphasizing its potential for clinical research while identifying key challenges: confidentiality protection, regulatory constraints, and technical obstacles. Next, we propose an innovative approach for the automatic de-identification of French EHRs, in compliance with GDPR and CNIL guidelines. By leveraging advanced deep learning techniques and distant supervision methods, we demonstrated a cost-effective solution to securely render these data reusable. The developed models, based on advanced linguistic representations, show promising performance in recognizing sensitive entities within medical texts. In another phase of our work, we studied the application of federated learning (FL) for the secure extraction of personal information from EHRs. FL allows the training of collaborative models across multiple institutions without centralizing sensitive data, thereby preserving patient confidentiality. Our results show that federated models achieve performance levels close to centralized models while maintaining data protection. For instance, using the multilingual BERT model in an FL environment simulating 20 hospitals, our federated model achieved an F1 score of 75.7%, close to the 78.5% of the centralized approach, highlighting the potential of FL for health data analysis while mitigating privacy risks. Finally, we explored the vulnerabilities of federated learning, particularly attacks exploiting shared gradients to extract sensitive information. We simulated the \"Decepticons\" attack, revealing that personal data, such as patient identifiers and medical observations, could be retrieved at alarming rates of up to 90%. In response, we discuss countermeasures such as differential privacy and secure aggregation, emphasizing the need to enhance these defenses against increasingly sophisticated threats. This work paves the way for future advancements in strengthening the security of federated learning systems by developing adaptive mechanisms specifically tailored to medical data.",
    "topics": [
      "data_anonymization",
      "privacy_engineering",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.796,
    "venue": "theses.fr (ABES)",
    "language": "en"
  },
  {
    "id": "hal:5312768",
    "title": "Policy Framework for Responsible AI Deployment in the National Cybersecurity Strategy",
    "authors": [
      "Justin Ekeneme",
      "Chidiebere Ucheji",
      "Chukwuemeka Ezekwem",
      "Muhammad Saad Chughtai"
    ],
    "date": "2025-10-13",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-05312768v1",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Artificial Intelligence (AI) is increasingly integrated into critical sectors, including national cybersecurity, raising both opportunities and risks. Concerns over the effects of AI technology on society are raised by its extensive use. In addition to the increasingly divisive aspects of the impact of contentious technologies, such as robots and mass surveillance algorithms, researchers have drawn attention to the negative effects of AI-based systems today, arguing that the creation of tangible governance for AI cannot wait any longer. This paper critically analyses the United Kingdom’s policy framework for responsible AI deployment within its cybersecurity strategy. Using a socio-technical governance lens, the study integrates Responsible AI principles – safety, transparency, accountability, fairness, and human oversight – with the cybersecurity lifecycle (identify, protect, detect, respond, recover). A systematic literature review, guided by the PRISMA framework, identified 13 relevant academic and policy documents published between 2015 and 2025. Findings reveal that the UK’s principle-based, regulator-led model offers flexibility but suffers from fragmentation, inconsistent adoption, and a lack of enforceable mechanisms. Voluntary guidance, limited incident taxonomies, and governance ambiguities restrict effective operationalisation of secure AI. Comparative analysis shows that while the EU AI Act and US NIST frameworks enforce binding standards, the UK remains reliant on soft law and procurement leverage. Ethical dimensions – including fairness, transparency, and contestability – are insufficiently embedded, risking public trust. The study concludes that the UK must balance its pro-innovation stance with enforceable standards, procurement-led compliance, and international harmonisation. Lessons for the Global South, particularly Nigeria, underscore the need for stronger institutional coordination, AI-specific security testing, and capacity building in emerging AI governance frameworks.",
    "topics": [
      "ai_governance",
      "power_knowledge_asymmetry",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.796,
    "venue": "Asian Journal of Advanced Research and Reports",
    "language": "en"
  },
  {
    "id": "openaire:50|doajarticles::eb147dedad2467604dbe4617e18750f2",
    "title": "Facial Recognition at the Fitness Center Under the General Data Protection Regulation Article 9(1) and 9(2)(a)",
    "authors": [
      "Daria Bulgakova",
      "Valentyna Bulgakova"
    ],
    "date": "2024-03-01",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=50|doajarticles::eb147dedad2467604dbe4617e18750f2",
    "pdfUrl": "",
    "doi": "",
    "abstract": "There are significant concerns regarding the legitimacy of biometric data processing within the European Union. Therefore, it is imperative that facial data processing adheres to the criteria and standards outlined in the General Data Protection Regulation (GDPR). According to GDPR Article 9(1), the processing of biometric data is prohibited. In high-incursion situations that involve the private sphere, obtaining consent becomes crucial. It requires further justification and confirmation about the lawfulness of the process, as specified in GDPR Article 6. Hence, the European Union relies on Data Protection Authorities in Member States to assure obedience to GDPR in practice. Regardless above mentioned, the authors aim to investigate compliance with the GDPR Article 9(1) and 9(2)(a) through the case study about facial recognition technology with biometric involvement at a fitness center in Denmark. The research focuses on analyzing the Danish Data Protection Agency’s investigation of FysioDanmark concerning the facial biometric recognition of customers’ and employees’ faces at the entrance to a fitness center for membership control checks and business optimization. The authors have made the following findings. The Agency warned the entity in question about the use of a system in fitness centers to uniquely identify customers without obtaining their consent. Furthermore, the research has shown that the application of consent as a legal ground to avoid prohibition to uniquely identify employees can’t be granted as an appropriate argument due to an imbalance of employment relationships meaning the consent is not freely given. Based on the given outcomes, the authors propose measures to prevent noncompliance with biometric facial technology and advocate respect for individuals’ right to personal data protection by mandating consent for facial recognition, specifically for the purpose of unique identification, prior to the performance of facial biometric scans. And, the a",
    "topics": [
      "gdpr_compliance",
      "biometric_surveillance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Biometric & Immutable PII",
      "Enforcement"
    ],
    "relevanceScore": 0.796,
    "venue": "交大法學評論",
    "language": "en"
  },
  {
    "id": "ETid-777",
    "title": "GDPR Fine: Mercadona S.A. — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2021-07-26",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-777",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00120-2021.pdf",
    "doi": "",
    "abstract": "Fine: €2,520,000 | Articles: Art. 5 (1) c) GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 25 (1) GDPR, Art. 35 GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has fined Mercadona S.A. EUR 2,520,000. The controller had installed facial recognition systems in Mercadona stores for the purpose of tracking individuals with criminal convictions or restraining orders. The system captured everyone who entered the stores, including minors and MERCADONA employees.\nDuring its investigation, the DPA found numerous privacy violations. \n\nFor instance, the system violated the principle of data minimization, the principle of necessity and proportionality since the controller could process multiple biometric data - beyond the purpose of the system. \n\nIn addition, the DPA concluded that Mercadona's privacy impact assessment was deficient as it did not take into account the specific and unique risks to Mercadona's employees posed by data processing through facial recognition systems.\n\nFurthermore, MERCADONA had violated its duty to inform according by not properly providing data subjects with information about the processing of their personal data.\n\nThe original fine of EUR 3,150,000 consisted of EUR 500,000 due to a violation of Art. 5(1)(c), EUR 2,000,000 due to a violation of Art. 6 and Art. 9 of the GDPR, EUR 100,000 due to a violation of Art. 12 and Art. 13 of the GDPR, EUR 500,000 due to a violation of Art. 25(1) of the GDPR, and EUR 50,000 due to a violation of Art. 35 of the GDPR. The original fine was reduced to EUR 2,250,000 due to voluntary payment.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.796,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-1098",
    "title": "GDPR Fine: Clearview AI Inc. — Italian Data Protection Authority (Garante) (Italy)",
    "authors": [
      "Italian Data Protection Authority (Garante)"
    ],
    "date": "2022-02-10",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1098",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €20,000,000 | Articles: Art. 5 (1) a), b), e) GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 15 GDPR, Art. 27 GDPR | Non-compliance with general data processing principles | The Italian DPA has fined U.S.-based Clearview AI EUR 20 million after it was revealed that the company had been applying biometric surveillance techniques on Italian territory.\n\nThe company owns a database of over 10 billion facial images from around the world. The company offers a search service that allows profiles to be created based on the biometric data extracted from the images. The profiles can be enriched with information associated with these images, such as image tags and geolocation. \n\nThe DPA launched an investigation into the company after it became known that Clearview - contrary to initial claims - also enabled searches of Italian nationals and residents. \n\nThe DPA found that the personal data contained in the company's database had been processed unlawfully and without a valid legal basis. \nIn addition, the DPA found that the company had violated several principles of the GDPR. \n\nFor example, the company had violated the principle of transparency by failing to adequately inform users about the processing of their data. Clearview had also violated the principle of purpose limitation, by processing users' data for purposes other than those for which they had been made available online. Finally, it violated the principle of storage limitation by not specifying a time period for data storage.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory",
      "power_knowledge_asymmetry",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement",
      "Sector Regulations",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.796,
    "venue": "GDPR DPA: Italian Data Protection Authority (Garante)",
    "language": "en"
  },
  {
    "id": "s2:1cf2b3a9e4f79544c2f22c7f3b35ec179a580d74",
    "title": "Guardians of the data: NER and LLMs for effective medical record anonymization in Brazilian Portuguese",
    "authors": [
      "Mauricio Schiezaro",
      "Guilherme J. M. Rosa",
      "Bruno Augusto Goulart Campos",
      "Helio Pedrini"
    ],
    "date": "2026-01-05",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/1cf2b3a9e4f79544c2f22c7f3b35ec179a580d74",
    "pdfUrl": "https://europepmc.org/articles/PMC12813187?pdf=render",
    "doi": "10.3389/fpubh.2025.1717303",
    "abstract": "Introduction The anonymization of medical records is essential to protect patient privacy while enabling the use of clinical data for research and Natural Language Processing (NLP) applications. However, for Brazilian Portuguese, the lack of publicly available and high-quality anonymized datasets limits progress in this area. Methods In this study, we present AnonyMed-BR, a novel dataset of Brazilian medical records that includes both real and synthetic samples, manually annotated to identify personally identifiable information (PII) such as names, dates, locations, and healthcare identifiers. To benchmark our dataset and assess anonymization performance, we evaluate two anonymization strategies: (i) an extractive strategy based on Named Entity Recognition (NER) using BERT-based models, and (ii) a generative strategy using T5-based and GPT-based models to rewrite texts while masking sensitive entities. We conduct a comprehensive series of experiments to evaluate and compare anonymization strategies. Specifically, we assess the impact of incorporating synthetic generated records on model performance by contrasting models fine-tuned solely on real data with those fine-tuned on synthetic samples. We also investigate whether pre-training on biomedical corpora or task-specific fine-tuning more effectively improves performance in the anonymization task. Finally, to support robust evaluation, we introduce an LLM-as-a-Judge framework that leverages a reasoning Large Language Model (LLM) to score anonymization quality, estimate information loss, and assess reidentification risk. Model performance was primarily evaluated using the F1 score on a held-out test set. Results All evaluated models achieved good performance in the anonymization task, with the best models reaching F1 scores above 0.90. Both extractive and generative approaches were effective in identifying and masking sensitive entities while preserving the clinical meaning of the texts. Experiments also revealed that including synthetic data improved model generalization, and that task-specific fine-tuning yielded greater performance gains than pre-training the model on biomedical domain. Discussion and conclusion To the best of our knowledge, AnonyMed-BR is the first manually annotated anonymization dataset for Brazilian Portuguese medical texts, enabling systematic evaluation of both extractive and generative models. The dataset and methodology establish a foundation for privacy-preserving NLP research in the Brazilian healthcare context and the good performance achieved by all models demonstrates the feasibility of developing reliable anonymization systems for Brazilian clinical data. Importantly, the ability to anonymize sensitive information opens opportunities to create new datasets and train models for a variety of downstream tasks in the medical domain, such as clinical outcome prediction, medical entity recognition, diagnostic support, and patient stratification, fostering the growth of NLP research for Brazilian Portuguese healthcare texts. Motivated by our findings, future work includes a deeper exploration of synthetic data generation and utilization. Additionally, we plan to evaluate the models across different languages and textual domains, and to expand the dataset to cover these new languages and domains. These efforts aim to develop more complex anonymization systems with higher generalization capability, ultimately enabling broader applications and safer sharing of data in diverse research and operational settings. All resources are publicly available at https://github.com/venturusbr/AnonyMED-BR.",
    "topics": [
      "data_anonymization",
      "pii_entity_types"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.783,
    "venue": "Frontiers in Public Health",
    "language": "en"
  },
  {
    "id": "doaj:00c36f85b67b4d8e86401168221d3a14",
    "title": "The future of the European Union “Right to be Forgotten”",
    "authors": [
      "Michel José Reymond"
    ],
    "date": "2019",
    "platform": "doaj",
    "sourceUrl": "https://revistas.uniandes.edu.co/index.php/lar/article/view/4667",
    "pdfUrl": "",
    "doi": "10.29263/lar02.2019.04",
    "abstract": "In its landmark ruling of May 13, 2014, the European Court of Justice deduced from European data protection law, a right for European citizens to remove search results which display information, such as spent convictions and other past indiscretions, which, even though lawfully published, has become out-dated or irrelevant in such a way as to harm the individual’s privacy.\n\n\nToday, this so-called “Right to be Forgotten” stands—in two ways—at a crossroads. First, following a years-long dispute between Google and the French data protection authority, the Commission Nationale de l’Informatique et Libertés, the French Conseil d’Etat has asked the ECJ for a preliminary ruling to provide some much-needed guidance on the implementation of the right, and in particular whether removal of search results should be performed locally in the EU or in a global manner. Second, the entry into force of the General Data Protection Regulation raises the issue of whether and how the “Right to be Forgotten” contained in its Article 17 will impact the current implementation model for erasure in the European Union. Indeed, that provision, having been drafted before the ECJ rendered the Google Spain decision, foresees an expanded scope of application going beyond search engines.\n\n\nThe present contribution discusses how each of these two developments will affect the future of the Right to be Forgotten in Europe. Observing that the current implementation model of the right following Google Spain —based on individual private ordering and, in particular, on Google’s inhouse standards and practices—lacks means of scalability, the article concludes that any expansion of either its geographical or material scope could lead to a practical break-down. The author then proposes an alternate implementation model inspired by existing alternate dispute resolution systems.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.783,
    "venue": "Latin American Law Review",
    "language": "en"
  },
  {
    "id": "doaj:aaa9d4637dfa4757a3fe1365c69a3574",
    "title": "Automatic de-identification of textual documents in the electronic health record: a review of recent research",
    "authors": [
      "South Brett R",
      "Friedlin F",
      "Meystre Stephane M",
      "Shen Shuying",
      "Samore Matthew H"
    ],
    "date": "2010",
    "platform": "doaj",
    "sourceUrl": "http://www.biomedcentral.com/1471-2288/10/70",
    "pdfUrl": "",
    "doi": "10.1186/1471-2288-10-70",
    "abstract": "<p>Abstract</p> <p>Background</p> <p>In the United States, the Health Insurance Portability and Accountability Act (HIPAA) protects the confidentiality of patient data and requires the informed consent of the patient and approval of the Internal Review Board to use data for research purposes, but these requirements can be waived if data is de-identified. For clinical data to be considered de-identified, the HIPAA \"Safe Harbor\" technique requires 18 data elements (called PHI: Protected Health Information) to be removed. The de-identification of narrative text documents is often realized manually, and requires significant resources. Well aware of these issues, several authors have investigated automated de-identification of narrative text documents from the electronic health record, and a review of recent research in this domain is presented here.</p> <p>Methods</p> <p>This review focuses on recently published research (after 1995), and includes relevant publications from bibliographic queries in PubMed, conference proceedings, the ACM Digital Library, and interesting publications referenced in already included papers.</p> <p>Results</p> <p>The literature search returned more than 200 publications. The majority focused only on structured data de-identification instead of narrative text, on image de-identification, or described manual de-identification, and were therefore excluded. Finally, 18 publications describing automated text de-identification were selected for detailed analysis of the architecture and methods used, the types of PHI detected and removed, the external resources used, and the types of clinical documents targeted. All text de-identification systems aimed to identify and remove person names, and many included other types of PHI. Most systems used only one or two specific clinical document types, and were mostly based on two different groups of methodologies: pattern matching and machine learning. 
Many systems combined both approaches for different types of PHI, but the majority relied only on pattern matching, rules, and dictionaries.</p> <p>Conclusions</p> <p>In general, methods based on dictionaries performed better with PHI that is rarely mentioned in clinical text, but are more difficult to generalize. Methods based on machine learning tend to perform better, especially with PHI that is not mentioned in the dictionaries used. Finally, the issues of anonymization, sufficient performance, and \"over-scrubbing\" are discussed in this publication.</p>",
    "topics": [
      "data_anonymization",
      "sector_healthcare"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Health & Genomic PII"
    ],
    "relevanceScore": 0.783,
    "venue": "BMC Medical Research Methodology",
    "language": "en"
  },
  {
    "id": "openaire:285",
    "title": "Exploring the General Data Protection Regulation (GDPR) compliance in cloud services: insights from Swedish public organizations on privacy compliance",
    "authors": [
      "Awatef Issaoui",
      "Jenny Örtensjö",
      "M. Sirajul Islam"
    ],
    "date": "2023-12-15",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1186/s43093-023-00285-2",
    "pdfUrl": "https://fbj.springeropen.com/counter/pdf/10.1186/s43093-023-00285-2",
    "doi": "10.1186/s43093-023-00285-2",
    "abstract": "<jats:title>Abstract</jats:title>           <jats:p>The adoption of cloud services offers manifold advantages to public organizations; however, ensuring data privacy during data transfers has become increasingly complex since the inception of the General Data Protection Regulation (GDPR). This study investigates privacy concerns experienced by public organizations in Sweden, focusing on GDPR compliance. A qualitative interpretative approach was adopted, involving semi-structured interviews with seven employees from five public organizations in Sweden. Additionally, secondary data were gathered through an extensive literature review. The collected data were analyzed and classified using the seven privacy threat categories outlined in the LINDDUN framework. The key findings reveal several significant privacy issues when utilizing public cloud services, including unauthorized access, loss of confidentiality, lack of awareness, lack of trust, legal uncertainties, regulatory challenges, and loss of control. The study underscores the importance of implementing measures such as anonymization, pseudonymization, encryption, contractual agreements, and well-defined routines to ensure GDPR compliance. The findings emphasize the importance of implementing measures such as anonymization, pseudonymization, encryption, contractual agreements, and well-defined routines to ensure GDPR compliance. Furthermore, this research highlights the critical aspect of digital sovereignty in addressing privacy challenges associated with public cloud service adoption by public organizations in Sweden.</jats:p>",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.783,
    "venue": "Future Business Journal",
    "language": "en"
  },
  {
    "id": "doaj:166557e68b8a4cb7b18e94bcdc79cfbe",
    "title": "Between Exploitation and Resilience: Reconciling AI’s Role in Surveillance Capitalism and Disaster Risk Management",
    "authors": [
      "Mohammad Sharif Sharifi Poor Bgheshmi",
      "Mahsa Sharajsharifi",
      "Mohammad Reza Saeidabadi"
    ],
    "date": "2026",
    "platform": "doaj",
    "sourceUrl": "https://jcss.ut.ac.ir/article_102844_ba35ca09800a98ddd6653f69669a8426.pdf",
    "pdfUrl": "https://jcss.ut.ac.ir/article_102844_ba35ca09800a98ddd6653f69669a8426.pdf",
    "doi": "10.22059/jcss.2025.396045.1165",
    "abstract": "Background: This study explores the paradoxical role of artificial intelligence as both a tool of exploitation within surveillance capitalism and a force for resilience in disaster risk management, highlighting the ethical and governance challenges that arise at the intersection of these domains.Aims: This article aims to enable the ethical use of AI in DRM while insulating public systems from the structural harms of commercial data exploitation.Methodology: Drawing from a comparative qualitative analysis of 35 academic sources, the study investigates how BigTech corporations and data brokers leverage AI to commodify personal data, consolidate informational power, and erode democratic agency.Results: The present study critically examines the dual role of artificial intelligence in contemporary digital society, contrasting its exploitative deployment within surveillance capitalism with its constructive use in disaster risk management (DRM). Simultaneously, it highlights a parallel body of research showcasing AI’s capacity to enhance early warning systems, situational awareness, and post-disaster recovery, especially in resource-constrained and climate-vulnerable regions.Conclusion: To reconcile these conflicting trajectories, the article proposes the Public AI for Resilience (PAIR) framework—a governance model grounded in data sovereignty, public infrastructure, algorithmic explainability, and cross-sectoral collaboration. Ultimately, the article argues for a normative recalibration of AI governance that prioritizes equity, transparency, and collective resilience over market imperatives, demonstrating that AI’s public good potential can be realized without surrendering to surveillance-based capitalism.",
    "topics": [
      "power_knowledge_asymmetry",
      "ai_governance"
    ],
    "painPointTracks": [
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.783,
    "venue": "Cyberspace Studies",
    "language": "en"
  },
  {
    "id": "openaire:10.32388/pjil3e",
    "title": "SafeSynthDP: Leveraging Large Language Models for Privacy-Preserving Synthetic Data Generation Using Differential Privacy",
    "authors": [
      "Nahid, Md Mahadi Hasan",
      "Hasan, Sadid Bin"
    ],
    "date": "2025-01-30",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.32388/pjil3e",
    "pdfUrl": "https://www.qeios.com/read/PJIL3E/pdf",
    "doi": "10.32388/pjil3e",
    "abstract": "<jats:p>Machine learning (ML) models frequently rely on training data that may include sensitive or personal information, raising substantial privacy concerns. Legislative frameworks such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have necessitated the development of strategies that preserve privacy while maintaining the utility of data. In this paper, we investigate the capability of Large Language Models (LLMs) to generate synthetic datasets integrated with Differential Privacy (DP) mechanisms, thereby enabling data-driven research and model training without direct exposure of sensitive information. Our approach incorporates DP-based noise injection methods, including Laplace and Gaussian distributions, into the data generation process. We then evaluate the utility of these DP-enhanced synthetic datasets by comparing the performance of ML models trained on them against models trained on the original data. To substantiate privacy guarantees, we assess the resilience of the generated synthetic data to membership inference attacks and related threats. The experimental results demonstrate that integrating DP within LLM-driven synthetic data generation offers a viable balance between privacy protection and data utility. This study provides a foundational methodology and insight into the privacy-preserving capabilities of LLMs, paving the way for compliant and effective ML research and applications.</jats:p>",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.783,
    "venue": "CoRR",
    "language": "en"
  },
  {
    "id": "openaire:s23177604",
    "title": "Enhancing Data Protection in Dynamic Consent Management Systems: Formalizing Privacy and Security Definitions with Differential Privacy, Decentralization, and Zero-Knowledge Proofs",
    "authors": [
      "Muhammad Irfan Khalid",
      "Mansoor Ahmed",
      "Jungsuk Kim"
    ],
    "date": "2023-09-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.3390/s23177604",
    "pdfUrl": "https://www.mdpi.com/1424-8220/23/17/7604/pdf?version=1693573687",
    "doi": "10.3390/s23177604",
    "abstract": "<jats:p>Dynamic consent management allows a data subject to dynamically govern her consent to access her data. Clearly, security and privacy guarantees are vital for the adoption of dynamic consent management systems. In particular, specific data protection guarantees can be required to comply with rules and laws (e.g., the General Data Protection Regulation (GDPR)). Since the primary instantiation of the dynamic consent management systems in the existing literature is towards developing sustainable e-healthcare services, in this paper, we study data protection issues in dynamic consent management systems, identifying crucial security and privacy properties and discussing severe limitations of systems described in the state of the art. We have presented the precise definitions of security and privacy properties that are essential to confirm the robustness of the dynamic consent management systems against diverse adversaries. Finally, under those precise formal definitions of security and privacy, we have proposed the implications of state-of-the-art tools and technologies such as differential privacy, blockchain technologies, zero-knowledge proofs, and cryptographic procedures that can be used to build dynamic consent management systems that are secure and private by design.</jats:p>",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.783,
    "venue": "Sensors",
    "language": "en"
  },
  {
    "id": "europepmc:PPR1151016",
    "title": "A Systematic Review of Privacy-Enhancing Technologies (PETs) for Securing Personally Identifiable Information in Public Cloud Architectures",
    "authors": [
      "Roberts D",
      "Garcia K."
    ],
    "date": "2026-02-04",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.20944/preprints202602.0303.v1",
    "pdfUrl": "https://doi.org/10.20944/preprints202602.0303.v1",
    "doi": "10.20944/preprints202602.0303.v1",
    "abstract": "The rapid adoption of public cloud services has significantly increased the storage and processing of Personally Identifiable Information (PII), raising critical concerns about data privacy and regulatory compliance. Privacy-Enhancing Technologies (PETs) have emerged as a crucial set of methods and tools designed to protect sensitive data while maintaining functional utility for cloud applications. This systematic review examines the current landscape of PETs deployed for securing PII in public cloud architectures, including homomorphic encryption, differential privacy, federated learning, and confidential computing. A structured literature search was conducted across major scientific databases from 2021 to 2026, following PRISMA guidelines, resulting in the inclusion of studies that evaluate PET performance, scalability, security guarantees, and integration challenges. Thematic synthesis highlights key trends, such as the growing adoption of federated learning for cross-silo data sharing, the application of homomorphic encryption in real-time cloud environments, and the trade-offs between privacy preservation and computational efficiency. Additionally, operational, technical, and regulatory challenges are identified, including computational overhead, standardization barriers, and compliance with global data protection regulations. This review underscores the critical role of PETs in enhancing trust and security in public cloud ecosystems and provides insights for researchers and practitioners seeking to design and implement privacy-aware cloud architectures. Future research directions are discussed, emphasizing the need for optimized PET frameworks that balance security, efficiency, and compliance in increasingly complex cloud environments.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.783,
    "venue": "",
    "language": "de"
  },
  {
    "id": "arxiv:2501.12911",
    "title": "A Selective Homomorphic Encryption Approach for Faster Privacy-Preserving Federated Learning",
    "authors": [
      "Abdulkadir Korkmaz",
      "Praveen Rao"
    ],
    "date": "2025-01-22",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2501.12911v4",
    "pdfUrl": "https://arxiv.org/pdf/2501.12911v4",
    "doi": "10.1109/CCNC65079.2026.11366371",
    "abstract": "Federated learning (FL) has come forward as a critical approach for privacy-preserving machine learning in healthcare, allowing collaborative model training across decentralized medical datasets without exchanging clients' data. However, current security implementations for these systems face a fundamental trade-off: rigorous cryptographic protections like fully homomorphic encryption (FHE) impose prohibitive computational overhead, while lightweight alternatives risk vulnerable data leakage through model updates. To address this issue, we present FAS (Fast and Secure Federated Learning), a novel approach that strategically combines selective homomorphic encryption, differential privacy, and bitwise scrambling to achieve robust security without compromising practical usability. Our approach eliminates the need for model pretraining phases while dynamically protecting high-risk model parameters through layered encryption and obfuscation. We implemented FAS using the Flower framework and evaluated it on a cluster of eleven physical machines. Our approach was up to 90\\% faster than applying FHE on the model weights. In addition, we eliminated the computational overhead that is required by competitors such as FedML-HE and MaskCrypt. Our approach was up to 1.5$\\times$ faster than the competitors while achieving comparable security results. Experimental evaluations on medical imaging datasets confirm that FAS maintains similar security results to conventional FHE against gradient inversion attacks while preserving diagnostic model accuracy. These results position FAS as a practical solution for latency-sensitive healthcare applications where both privacy preservation and computational efficiency are requirements.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.783,
    "venue": "",
    "language": "en"
  },
  {
    "id": "crossref:10.26650/b/lsb40.2024.035.08",
    "title": "Anonymization and Pseudonymization of Personal Health Data within the Scope of Turkish Personal Data Protection Law and General Data Protection Regulation",
    "authors": [
      "Cemile Turgut",
      "Duygu Koçak Diker"
    ],
    "date": "2024-12-27",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.26650/b/lsb40.2024.035.08",
    "pdfUrl": "",
    "doi": "10.26650/b/lsb40.2024.035.08",
    "abstract": "",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.783,
    "venue": "Digitalization in Health",
    "language": "en"
  },
  {
    "id": "crossref:10.3233/978-1-61499-512-8-424",
    "title": "Blinded Anonymization: a method for evaluating cancer prevention programs under restrictive data protection regulations",
    "authors": [
      "Bartholom&auml;us Sebastian",
      "Hense Hans Werner",
      "Heidinger Oliver"
    ],
    "date": "2015",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.3233/978-1-61499-512-8-424",
    "pdfUrl": "",
    "doi": "10.3233/978-1-61499-512-8-424",
    "abstract": "Evaluating cancer prevention programs requires collecting and linking data on a case specific level from multiple sources of the healthcare system. Therefore, one has to comply with data protection regulations which are restrictive in Germany and will likely become stricter in Europe in general. To facilitate the mortality evaluation of the German mammography screening program, with more than 10 Million eligible women, we developed a method that does not require written individual consent and is compliant to existing privacy regulations. Our setup is composed of different data owners, a data collection center (DCC) and an evaluation center (EC). Each data owner uses a dedicated software that preprocesses plain-text personal identifiers (IDAT) and plaintext evaluation data (EDAT) in such a way that only irreversibly encrypted record assignment numbers (RAN) and pre-aggregated, reversibly encrypted EDAT are transmitted to the DCC. The DCC uses the RANs to perform a probabilistic record linkage which is based on an established and evaluated algorithm. For potentially identifying attributes within the EDAT (&amp;lsquo;quasi-identifiers&amp;rsquo;), we developed a novel process, named &amp;lsquo;blinded anonymization&amp;rsquo;. It allows selecting a specific generalization from the pre-processed and encrypted attribute aggregations, to create a new data set with assured k-anonymity, without using any plain-text information. The anonymized data is transferred to the EC where the EDAT is decrypted and used for evaluation. Our concept was approved by German data protection authorities. We implemented a prototype and tested it with more than 1.5 Million simulated records, containing realistically distributed IDAT. The core processes worked well with regard to performance parameters. We created different generalizations and calculated the respective suppression rates. 
We discuss modalities, implications and limitations for large data sets in the cancer registry domain, as well as approaches for further improvements like l-diversity and automatic computation of &amp;lsquo;optimal&amp;rsquo; generalizations.",
    "topics": [
      "data_anonymization",
      "linkability_tracking"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Re-identification"
    ],
    "relevanceScore": 0.783,
    "venue": "Studies in Health Technology and Informatics",
    "language": "en"
  },
  {
    "id": "crossref:10.69554/xnrg3923",
    "title": "Navigating GDPR challenges in M&amp;A transactions: Practical insights from the Italian legal framework",
    "authors": [
      "Tommaso Zeccherini"
    ],
    "date": "2025-09-01",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.69554/xnrg3923",
    "pdfUrl": "",
    "doi": "10.69554/xnrg3923",
    "abstract": "Mergers and acquisitions (M&amp;A) involving business unit transfers present significant data protection challenges, requiring compliance with the General Data Protection Regulation (GDPR) and national laws. This paper examines the practical obligations of data controllers transferring business units in Italy, considering Italian Civil Code and GDPR requirements. The paper provides a structured approach to ensuring compliance in business transfers, covering key obligations such as data minimisation, privacy notice requirements, legal basis identification, legitimate interest assessments, data processing agreements (DPAs) and security measures for data transfers. The analysis integrates key decisions from the Italian Data Protection Authority along with practical business cases from the banking sector, offering insights into regulatory expectations and enforcement trends. By bridging legal principles with practical implementation, this paper serves as a strategic guide for businesses, legal professionals and policy makers navigating data protection in M&amp;A transactions. The paper concludes with recommendations for best practices in handling personal data during corporate restructuring and acquisitions, ensuring compliance while mitigating legal and operational risks. This article is also included in The Business &amp; Management Collection which can be accessed at https://hstalks.com/business/.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.783,
    "venue": "Journal of Data Protection &amp; Privacy",
    "language": "en"
  },
  {
    "id": "crossref:10.69554/sjri4947",
    "title": "Adhering to GDPR codes of conduct: A possible option for SMEs to GDPR certification",
    "authors": [
      "Eric Lachaud"
    ],
    "date": "2019-07-01",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.69554/sjri4947",
    "pdfUrl": "",
    "doi": "10.69554/sjri4947",
    "abstract": "The paper shows that adherence to a code of conduct (CoC) offers small and medium enterprises (SMEs) an interesting option to a certification obtained under Article 42 of the General Data Protection Regulation (GDPR). Adhering controllers or processors benefit from similar rights to the one attached to certification without having to demonstrate conformity with the content of the CoC. Moreover, CoCs offer a set of customised guidelines, approved by a data protection authority (DPA(s)) that are accessible for free and designed to facilitate GDPR implementation. The functional scope that might be covered by CoCs is already wider than the one offered by certification, allowing controllers and processors to demonstrate compliance with a broader range of GDPR requirements. Nevertheless, using a CoC instead of certification presents some disadvantages. CoCs have a sectoral coverage limiting availability to the covered sectors. The adherence to a CoC does not grant any seal to signal compliance to end users. The likely competition between national business representatives to draft their own CoC entails the risk of inconsistencies between one member state and another. This risk is fostered by the absence of mutual recognition between national CoCs and the absence of mechanisms to prevent duplicates at national and European levels. The option chosen by the European lawmaker to entrust the accreditation of monitoring bodies to the DPA leaves some questions open on the capacity of DPAs to handle that task. Many of them have already complained about the shortage of resources, and accreditation will require hiring additional specialised profiles. Nevertheless, adhering to a GDPR CoC, when available, offers advantages over certification that should be considered by SMEs when they seek to comply with the accountability requirement set by the GDPR.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.783,
    "venue": "Journal of Data Protection &amp; Privacy",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::84fba0f3300b5e14db679e6fbd1ab3a0",
    "title": "GDPR RULES AND EXCEPTIONS FOR JOURNALISTS",
    "authors": [
      "Voinea, Dan Valeriu"
    ],
    "date": "2021-12-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.5281/zenodo.15249208",
    "pdfUrl": "",
    "doi": "10.5281/zenodo.15249208",
    "abstract": "This paper examines the impact of the General Data Protection Regulation (GDPR) on journalistic practices and freedom of expression. Implemented in 2018, the GDPR aims to enhance personal data protection while recognizing the need to balance these protections with freedom of expression. The study focuses on key GDPR provisions relevant to journalism, particularly Article 85, which requires Member States to reconcile data protection rights with freedom of expression. It explores the varying implementations of these provisions across EU Member States and discusses the challenges posed by the GDPR to journalistic practices, including issues related to the right to erasure and data protection in investigative reporting. The paper also considers the GDPR's global influence on data protection standards. While the GDPR has set new benchmarks for data protection, its interaction with journalistic activities remains complex and evolving. The research concludes by identifying areas for further investigation, including comparative analyses of national implementations and the long-term impact of GDPR on press freedom.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.783,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.58555/li.2022.2.105",
    "title": "Legislative Harmonization of Brazilian Data Protection Law with EU GDPR: A Comparative Study on the EU GDPR and Brazil's LGPD",
    "authors": [
      "Hansol Kim"
    ],
    "date": "2022-12-31",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.58555/li.2022.2.105",
    "pdfUrl": "",
    "doi": "10.58555/li.2022.2.105",
    "abstract": "<jats:p>Recently, major countries and international organizations, including the European Union, are reforming their personal data protection system, which is understood to seek the reasonable balance between the protection of personal information and communication technologies that have developed rapidly over the past three decades. The General Data Protection Regulation (GDPR), enacted by the EU in May 2016, is the world's most powerful privacy system now, and since the GDPR was enacted, EU trade partners have been actively striving to align their own data protection legislations with the GDPR by adopting and amending theirs to meet the global data protection standards. Brazil, as Latin America's economic giant, has also spent a long time finding the balance point between creating economic profits and protecting human rights under the pressure of mediating the conflicting values of using and protecting personal information. As a result of the conflict, the Brazilian General Data Protection Regulation(LGPD), affected by the EU GDPR, was passed on August 15, 2018 after eight years of discussion. This study began with questions about how specific the Brazilian LGPD was influenced by the European GDPR and how these two legislations were harmonized in the global society. We examined the system and status of Brazil's personal information legislation, as well as the legislative progress of the new legislation, and went on to conduct comparative legal reviews of the two legislations to find out the similarities and differences between them. Furthermore, we looked at the implications of Brazilian legislation for our legislation and sought compatibility between the value of privacy protection and the development of information technology.</jats:p>",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.783,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.12688/openreseurope.15145.1",
    "title": "Voicing challenges: GDPR and AI research",
    "authors": [
      "Kezada-Tavarez, Katherine",
      "Dutkiewicz, Lidia",
      "Krack, Noémie"
    ],
    "date": "2022-11-23",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.12688/openreseurope.15145.1",
    "pdfUrl": "",
    "doi": "10.12688/openreseurope.15145.1",
    "abstract": "EU data protection rules could be difficult for researchers to navigate, particularly when processing massive datasets containing personal data for Artificial Intelligence (AI) developments. This article examines how data protection intersects with AI research to elucidate the issues arising from the use of large-scale databases containing personal data to train, test and validate AI systems. The key objectives of this work are to (1) scrutinise the data protection requirements and limits for the processing of personal data in AI research, (2) reflect on possible complications regarding data quality requirements for trustworthy AI and General Data Protection Regulation (GDPR) compliance, and (3) present possible ways forward to reconcile GDPR requirements and AI research. While reviewing and mapping relevant provisions and guidance, we identify data protection challenges posed by the use of massive databases containing personal data for AI research. The findings suggest that, while the legal regime for research under the GDPR resolves some of the challenges identified, others, such as legal basis for processing and processing of special categories of data, remain unaddressed. We argue that the nature of these complications will make it difficult for EU researchers to advance in trustworthy AI efforts. The analysis concludes by suggesting possible ways to tackle the remaining issues.",
    "topics": [
      "gdpr_compliance",
      "ai_governance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.783,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1177/18724981251322884",
    "title": "Artificial intelligence in educational games and consent under general data protection regulation",
    "authors": [
      "Eirini Mougiakou",
      "Spyros Papadimitriou",
      "Konstantina Chrysafiadi",
      "Maria Virvou"
    ],
    "date": "2025-03-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1177/18724981251322884",
    "pdfUrl": "",
    "doi": "10.1177/18724981251322884",
    "abstract": "As Artificial Intelligence becomes increasingly integrated into educational games, conforming with the General Data Protection Regulation (GDPR)—a legal framework governing data protection and privacy in the European Union—remains an important yet complex challenge, particularly when minors are involved. Users are required to provide consent multiple times, often unexpectedly, at different game levels. This process is further complicated by the varying durations for which consent remains valid. As a result, users—especially minors—may become confused about the consent they have given. Additional concerns arise when the educational game is AI-equipped. If AI is not involved, no new data is generated. However, if AI is present, new data is continuously produced, necessitating ongoing consent. For example, a user may consent to personalisation, which could lead the game to categorise them in unintended ways, such as labelling them a ‘poor student’. This paper explores GDPR challenges in AI-empowered educational games, focusing on user consent, AI-inferred data, and compliance gaps. Intelligent educational games rely on adaptive decision-making algorithms to personalise learning experiences, making them a subset of Intelligent Decision Technologies. Our research is based on a fuzzy-based educational game developed as a testbed for studying GDPR compliance in AI-driven decision-making. The findings provide insights into ethical AI governance, dynamic consent management, and the intersection of regulatory compliance with adaptive, data-driven decision systems in intelligent educational technologies. Based on our research, not all personal data exist from the beginning and upon original consent granting, as personal data are also generated throughout the process.",
    "topics": [
      "gdpr_compliance",
      "ai_governance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.783,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.32628/cseit25112775",
    "title": "Federated Learning: Advancing Privacy-Preserving Machine Learning at Scale",
    "authors": [
      "Shreya Gupta"
    ],
    "date": "2025-04-02",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.32628/cseit25112775",
    "pdfUrl": "",
    "doi": "10.32628/cseit25112775",
    "abstract": "Federated Learning emerges as a transformative paradigm in machine learning, revolutionizing data privacy and distributed computing across multiple sectors. This comprehensive exploration details the evolution of federated learning from its foundational concepts to practical implementations across healthcare, finance, and industrial applications. The implementation demonstrates remarkable capabilities in preserving privacy while maintaining computational efficiency through various mechanisms, including differential privacy, secure aggregation, and homomorphic encryption. In healthcare scenarios, federated learning has enabled collaborative research across medical institutions while safeguarding patient data privacy. The financial sector benefits from enhanced fraud detection capabilities while maintaining regulatory compliance. The automotive industry utilizes federated learning to improve autonomous driving systems through distributed learning from connected vehicles. Integrating cloud computing and edge processing further enhances system efficiency and scalability. The amalgamation of these technologies presents promising directions for future developments in privacy-preserving distributed computing and machine learning applications.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.783,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:4676568",
    "title": "Enhancing privacy in VANETs through homomorphic encryption in machine learning applications",
    "authors": [
      "Yulliwas Ameur",
      "Samia Bouzefrane"
    ],
    "date": "2024-04-23",
    "platform": "hal",
    "sourceUrl": "https://cnam.hal.science/hal-04676567v1",
    "pdfUrl": "https://cnam.hal.science/hal-04676567/document",
    "doi": "10.1016/j.procs.2024.06.010",
    "abstract": "This paper presents a novel framework for enhancing privacy in Vehicular Ad Hoc Networks (VANETs) by integrating homomorphic encryption with machine learning applications. VANETs, essential for Intelligent Transport Systems (ITS), face significant challenges in privacy and security due to their highly dynamic and heterogeneous nature. Our framework addresses these challenges by employing a simplified but effective machine learning algorithm, the K-nearest neighbors (KNN), to ensure the security and privacy of the network. The flexibility of the framework allows for the incorporation of other machine learning algorithms, enhancing its adaptability and efficiency in various VANET scenarios. Key to this framework is the use of homomorphic encryption (HE), a cryptographic technique that enables computations on encrypted data without the need for decryption. This feature preserves data confidentiality and allows for secure third-party computations. Our paper discusses the evolution and types of homomorphic encryption, emphasizing the importance of Fully Homomorphic Encryption (FHE) for its ability to evaluate complex polynomial functions. The paper also highlights the different domains of cybersecurity concerns in VANETs, including in-vehicle systems, ad-hoc and infrastructure networks, and data analysis. The proposed framework aims to mitigate these vulnerabilities, particularly focusing on preventing common attacks like DoS and location tracking. A significant advantage of our approach is its general nature, making it applicable to various privacy issues in VANETs. We propose the potential integration of homomorphic encryption with other privacy-preserving techniques, such as differential privacy or secure multi-party computation, to enhance computation times while ensuring robust privacy protection.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.783,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.3233/shti190414",
    "title": "Layered Privacy Language Pseudonymization Extension for Health Care",
    "authors": [
      "Armin, Gerl",
      "Felix, Bölz"
    ],
    "date": "2019-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.3233/shti190414",
    "pdfUrl": "",
    "doi": "10.3233/shti190414",
    "abstract": "Enforcement of General Data Protection Regulation strengthens privacy in Europe and especially emphasizes protection of special categories of data as required in health care. Layered Privacy Language intends to model privacy policies to enforce them. Hereby, a special focus lays on the Policy-based De-identification process, which is based on anonymization and privacy models. Motivated by a health care scenario, this work shows pseudonymization capabilities are essential for health care. An overview of pseudonymization methods is given, showing a great variety of methods for different use cases. Therefore, a pseudonymization extension for Layered Privacy Language is introduced to define several pseudonymization methods. Furthermore, pseudonymization is added to Policy-based De-identification process of the overarching privacy framework of Layered Privacy Language. An example policy configuration is given demonstrating the introduced pseudonymization extension on the given health care example. The results are discussed, concluded, and future work is introduced.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.783,
    "venue": "Medinfo",
    "language": "en"
  },
  {
    "id": "openaire:S0267364916302151",
    "title": "Pseudonymization and impacts of Big (personal/anonymous) Data processing in the transition from the Directive 95/46/EC to the new EU General Data Protection Regulation",
    "authors": [
      "Bolognini, Luca",
      "Bistolfi, Camilla"
    ],
    "date": "2017-04-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1016/j.clsr.2016.11.002",
    "pdfUrl": "",
    "doi": "10.1016/j.clsr.2016.11.002",
    "abstract": "In order to carry out the so-called “Big Data analysis”, the collection of personal data seems to be inevitable. The opportunities arising from the analysis of such information need to be balanced with the risks for the data protection of individuals. In this sense, the anonymization technique might be a solution, but it seems to be inappropriate in certain circumstances, among which Big Data processing can be included. In fact, anonymization has a high degree of uncontrollability of the impacts of profiling directed to individual targets whose data has been anonymized. In this sense, pseudonymization can be used both to reduce the risks of reidentification and help data controllers and processors to respect their personal data protection obligations by keeping control over their activities. On the one hand, pseudonymization ensures the capability to reconstruct the processes of identity masking, by allowing re-identification. On the other hand the accountability of the data controller and data processor is guaranteed, thanks to the fact that there will always be a person who can re-identify subjects included in a cluster, acting as a “data keeper”.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.783,
    "venue": "Comput. Law Secur. Rev.",
    "language": "en"
  },
  {
    "id": "openaire:10.1109/icoin48656.2020.9016595",
    "title": "On-the-fly DICOM-RTV metadata pseudonymization during a real-time streaming",
    "authors": [
      "Saad El Jaouhari",
      "Guillaume Pasquier",
      "Emmanuel Cordonnier"
    ],
    "date": "2020-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1109/icoin48656.2020.9016595",
    "pdfUrl": "",
    "doi": "10.1109/icoin48656.2020.9016595",
    "abstract": "With the current advancement of the information technologies and the growing demand for data sharing, the risk of private data leakages increases. Moreover, the aggregation of multiple data, required for improving quality, may favor the prediction of unrevealed private and sensitive information, in particular in the medical data. Thus, with the current laws and regulations (GDPR, CNIL, HIPAA, etc.), it becomes required to protect the privacy of the patients when dealing with their sensitive data, and in particular when sending them outside the clinical site. Inline with this objective, the data anonymization and pseudonymization emerged among the solutions for safely sharing private data with remote peers. In this work, a particular interest is given to the pseudonymization of the DICOM Real-Time Video (DICOM-RTV) associated metadata that can be generated inside the operating room (OR), and shared via a streaming technology. The pseudonymization, by definition, includes both the notion of de-identification and re-identification, necessary for ensuring patient safety. Thus, the main objective of this paper is to define and conceptualize an architecture for de-identifying DICOM-RTV metadata on-the-fly before streaming them together with the DICOM-RTV video of the ongoing surgery outside the medical facility in real-time.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.783,
    "venue": "International Conference on Information Networking",
    "language": "en"
  },
  {
    "id": "openaire:10.47363/jesmr/2024(5)229",
    "title": "Data Masking for GDPR Compliance in Financial Transactions",
    "authors": [
      "Pooja Badgujar"
    ],
    "date": "2024-02-29",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.47363/jesmr/2024(5)229",
    "pdfUrl": "https://doi.org/10.47363/jesmr/2024(5)229",
    "doi": "10.47363/jesmr/2024(5)229",
    "abstract": "Projecting future trends in financial technology, this paper will draw on insights and experiences from Wells Fargo to outline potential developments in the field. It will discuss emerging technologies, anticipated challenges, and strategic approaches for leveraging technology to drive innovation in banking. The paper will also reflect on the author's contributions to the field and outline future research and development directions. The GDPR mandates stringent measures to protect personal data, imposing obligations on organizations to ensure the lawful and transparent processing of such information. Within the financial realm, where transactions involve a plethora of sensitive data points, adhering to GDPR regulations becomes paramount. Data masking serves as a vital mechanism in this endeavor, facilitating the anonymization or pseudonymization of sensitive data elements while preserving their utility and integrity. By anonymizing or pseudonymizing sensitive information, data masking mitigates the risk of unauthorized access or disclosure, thus safeguarding customer privacy. This proactive approach not only aligns with GDPR principles but also fosters trust and confidence among stakeholders. Moreover, data masking enables organizations to strike a delicate balance between regulatory compliance and operational efficiency, ensuring that essential business functions remain unhindered.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.783,
    "venue": "Journal of Economics & Management Research",
    "language": "en"
  },
  {
    "id": "openaire:S0950705113000877",
    "title": "Fast clustering-based anonymization approaches with time constraints for data streams",
    "authors": [
      "Kun Guo",
      "Qishan Zhang"
    ],
    "date": "2013-07-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1016/j.knosys.2013.03.007",
    "pdfUrl": "",
    "doi": "10.1016/j.knosys.2013.03.007",
    "abstract": "Research on the anonymization of static data has made great progress in recent years. Generalization and suppression are two common technologies for quasi-identifiers' anonymization. However, the characteristics of data streams, such as potential infinity and high dynamicity, make the anonymization of data streams different from the anonymization of static data. The methods for static data anonymization cannot be directly applied to anonymizing data streams. In this paper, a novel k-anonymization approach for data streams based on clustering is proposed. In order to speed up the anonymization process and reduce the information loss, the new approach scans a stream in one turn to recognize and reuse the clusters satisfying the k-anonymity principle. The time constraints on tuple publication and cluster reuse, which are specific to data streams, are considered as well. Furthermore, the approach is improved to conform to the l-diversity principle. The experiments conducted on the real datasets show that the proposed methods are both efficient and effective.",
    "topics": [
      "data_anonymization",
      "linkability_tracking"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Re-identification"
    ],
    "relevanceScore": 0.783,
    "venue": "",
    "language": "en"
  },
  {
    "id": "europepmc:41746890",
    "title": "Protection of personal medical data in the context of GDPR implementation.",
    "authors": [
      "Berzina AB",
      "Rozsokha SS",
      "Makhmurova-Dyshliuk OP",
      "Pletenetska AO."
    ],
    "date": "2026-01-01",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.36740/merkur202601110",
    "pdfUrl": "",
    "doi": "10.36740/merkur202601110",
    "abstract": "<h4>Objective</h4>Aim: To analyse the challenges of protecting personal medical data in European Union (EU) Member States and other European countries during the implementation of Regulation 2016/679 (General Data Protection Regulation [GDPR]).<h4>Patients and methods</h4>Materials and Methods: The study is based on an analysis of international and national legal frameworks governing personal medical data protection, focusing on the GDPR, the case law of the European Court of Human Rights (seven relevant judgments), and national data protection legislation. Statistical data from reports of national Data Protection Authorities were analyzed to identify dominant categories of infringements related to unlawful processing, storage, disclosure, and security breaches of medical data. The methodology included a comparative analysis of European Court of Human Rights judgments and an overview of enforcement activities of data protection authorities in 27 EU Member States. Dialectical, hermeneutic, comparative, analytical, and systemic analysis methods were applied.<h4>Conclusion</h4>Conclusions: To comply with the GDPR, healthcare institutions must ensure lawful and secure processing of personal medical data: organize internal procedures, appoint a Data Protection Officer, implement technical and organizational measures, obtain informed consent from patients, and guarantee their rights to access and protect such sensitive information. The protection of personal medical data is ensured through a multi-level system that combines the GDPR, the European Court of Human Rights case law, and national institutions. It is essential to develop and implement clear data protection policies that define responsibilities, data handling procedures and incident response. Many countries still have low awareness among medical personnel regarding personal data protection.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.783,
    "venue": "Polski merkuriusz lekarski : organ Polskiego Towarzystwa Lekarskiego",
    "language": "en"
  },
  {
    "id": "pubmed:38464431",
    "title": "Measuring data access and re-use in the European Legal Framework for Data, from the General Data Protection Regulation (GDPR) law to the Proposed Data Act: the case of vehicle data.",
    "authors": [
      "Crepax, Tommaso",
      "Gaur, Mitisha",
      "da Rosa Lazarotto, Barbara"
    ],
    "date": "2023-11-07",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1093/jeclap/lpac059",
    "pdfUrl": "",
    "doi": "10.1093/jeclap/lpac059",
    "abstract": "This article delves into the difficulties and opportunities associated with the acquisition, sharing, and re-purposing of vehicle data, particularly information derived from black boxes used by insurance companies and event data recorders installed by manufacturers. While this data is usually utilized by insurers and car makers, it may benefit consumers, rival firms, and public institutions profiting from access to data for objectives such as data portability between insurance companies, traffic and transportation management, and the development of intelligent mobility solutions. Among other regulations, the authors examine the proposed Data Act as the European chosen champion to address the legal and technical hurdles surrounding the reuse of privately held corporate data, including privacy and intellectual property, competition, and data interoperability issues. The text also offers an overview of the sorts of data obtained through vehicle recording systems and their potential benefits for various stakeholders. This paper presents a methodology for comparing and evaluating, in an ordinal fashion, the degree of access conferred by various regulations and put it to practical use to assess how much data is currently left out from access by the existing legislation, how much of such data is covered by the Data Act, and ultimately, how much still remains inaccessible for reuse.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.783,
    "venue": "Open research Europe",
    "language": "en"
  },
  {
    "id": "pubmed:34658644",
    "title": "Post-GDPR survey of data protection officers in research and non-research institutions in Croatia: a cross-sectional study.",
    "authors": [
      "Mladinić, Anamarija",
      "Puljak, Livia",
      "Koporc, Zvonimir"
    ],
    "date": "2021-10-15",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.11613/BM.2019.020202",
    "pdfUrl": "https://www.biochemia-medica.com/assets/images/upload/xml_tif/bm-31-3-030703.pdf",
    "doi": "10.11613/BM.2019.020202",
    "abstract": "INTRODUCTION: General Data Protection Regulation (GDPR) focuses on important elements of data ethics, including protecting people's privacy, accountability and transparency. According to the GDPR, certain public institutions are obliged to appoint a Data Protection Officer (DPO). However, there is little publicly available data from national EU surveys on DPOs. This study aimed to examine the scope of work, type of work, and education of DPOs in institutions in Croatia. MATERIALS AND METHODS: During 2020-2021, this cross-sectional study surveyed DPOs appointed in Croatia. The survey had 35 items. The questions referred to their appointment, work methods, number and type of cases handled by DPOs, the sources of information they use, their experience and education, level of work independence, contacts with ethics committees, problems experienced, knowledge, suggestions for improvement of their work, changes caused by the GDPR, and sociodemographic information. RESULTS: Out of 5671 invited DPOs, 732 (13%) participated in the study. The majority (91%) indicated that they could perform their job independently; they did not have prior experience in data protection before being appointed as DPOs (54%) and that they need additional education in data protection (82%). CONCLUSIONS: Most DPOs indicated that they had none or minimal prior experience in data protection when they were appointed as DPO, that they would benefit from further education on data protection, and exhibited insufficient knowledge on basic concepts of personal data protection. Requirements for DPO appointments should be clarified; mandatory education and certification of DPOs could be introduced and DPOs encouraged to engage in continuous education.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.783,
    "venue": "Biochemia medica",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3016602212",
    "title": "Impact of the European General Data Protection Regulation (GDPR) on Health Data Management in a European Union Candidate Country: A Case Study of Serbia",
    "authors": [
      "Branko Marović",
      "Vasa Ćurčin"
    ],
    "date": "2020",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.2196/14604",
    "pdfUrl": "https://doi.org/10.2196/14604",
    "doi": "https://doi.org/10.2196/14604",
    "abstract": "As of May 2018, all relevant institutions within member countries of the European Economic Area are required to comply with the European General Data Protection Regulation (GDPR) or face significant fines. This regulation has also had a notable effect on the European Union (EU) candidate countries, which are undergoing the process of harmonizing their legislature with the EU as part of the accession process. The Republic of Serbia is an example of such a candidate country, and its 2018 Personal Data Protection Act mirrors the majority of provisions in the GDPR. This paper presents the impact of the GDPR on health data management and Serbia’s capability to conduct international health data research projects. Data protection incidents reported in Serbia are explored to identify common underlying causes using a novel taxonomy of contributing factors across aspects and health system levels. The GDPR has an extraterritorial application for the non-EU data controllers who process the data of EU citizens and residents, which mainly affects private practices used by medical tourists from the EU, public health care institutions frequented by foreigners, as well as expatriates, dual citizens, tourists, and other visitors. Serbia generally does not have well-established procedures to support international research collaborations around its health data. For smaller projects, contractual arrangements can be made with health data providers and their ethics committees. Even then, organizations that have not previously participated in similar ventures may require approval or support from health authorities. Extensive studies that involve multisite data typically require the support of central health system institutions and relevant research data aggregators or electronic health record vendors. The lack of a framework for preparation, anonymization, and assurance of privacy preservation forces researchers to rely heavily on local expertise and support.\nGiven the current limitation and potential issues with the legislation, it remains to be seen whether the move toward the GDPR will be beneficial for the Serbian health system, medical research, protection of personal data and privacy rights, and research capacity. Although significant progress has been made so far, a strategic approach is needed at the national level to address insufficient resources in the area of data protection and develop the personal data protection environment further. This will also require a targeted educational effort among health workers and decision makers, aiming to improve awareness and develop skills and knowledge necessary for the workforce.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.783,
    "venue": "JMIR Medical Informatics",
    "language": "en"
  },
  {
    "id": "pubmed:30642661",
    "title": "How the new European data protection regulation affects clinical research and recommendations?",
    "authors": [
      "Demotes-Mainard, Jacques",
      "Cornu, Catherine",
      "Guérin, Aurélie"
    ],
    "date": "2018-12-20",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1016/j.therap.2018.12.004",
    "pdfUrl": "",
    "doi": "10.1016/j.therap.2018.12.004",
    "abstract": "Clinical research on human subjects or their data is confronted with conflicting requirements with, on one hand, the principle of open science (transparency and data sharing), the possibilities offered by big data and the reuse of healthcare or research data, and on the other, changes to the regulatory and legislative framework, including the general data protection regulation (GDPR). A roundtable was organized in Giens, France in October 2018 to identify problem areas, the need for clarification and streamlining, and to make recommendations to promote clinical research while ensuring a high level of patient protection. After details were given about these developments, the roundtable participants were able to propose recommendations, primarily (1) to clarify: what is considered anonymized data, and what is \"public interest\" within the meaning of the GDPR; (2) for the French data protection authority (CNIL) to continue preparing reference methodologies to simplify the approval system; (3) to promote the secondary use of data by making it easier to inform patients and obtain broad patient consent, by specifying the circumstances under which their withdrawal and opposition rights apply, so as to limit the risk of bias; (4) to facilitate access to data warehouses by providing technological and methodological aids. The roundtable also recommends increasing discussions between authorities in Europe on research topics, encouraging French authorities to contribute to the preparation of codes of conduct and setting up a voluntary harmonization procedure to coordinate the opinions of data protection authorities, while ensuring that key documents are available in English.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.783,
    "venue": "Therapie",
    "language": "en"
  },
  {
    "id": "hal:4338808",
    "title": "Research Biobanking, Personal Data Protection and Implementation of the GDPR in France",
    "authors": [
      "Gauthier Chassang",
      "Michael Hisbergues",
      "Emmanuelle Rial-Sebbag"
    ],
    "date": "2021-01-06",
    "platform": "hal",
    "sourceUrl": "https://ut3-toulouseinp.hal.science/hal-04338808v1",
    "pdfUrl": "https://ut3-toulouseinp.hal.science/hal-04338808/document",
    "doi": "10.1007/978-3-030-49388-2_14",
    "abstract": "Since 1978 and the initial French data protection law (Loi n°78-17 du 6 Janvier 1978), consecutive modifications regarding the protection of personal health data, especially in 2004, 2016 and 2018, set up a strict legal regime for processing sensitive personal data, including for research purposes. In recent years, French law has evolved proactively and in parallel with the work of the European Union (EU) on the preparation of what became the General Data Protection Regulation (GDPR), which has been in force since May 2018. This Chapter performs a state-of-art analysis (as of 1 July 2019) of the French legal framework for research biobanks and data protection rules applying to biobanking, in particular those related to data subjects’ rights and Article 89 of the GDPR. Firstly, it provides updated information about the national landscape of active research biobanks in France. Secondly, it explores how the French law embodies the developments brought by the GDPR and how it envisages individuals’ rights in the context of research biobanking. Thirdly, this Chapter analyses existing and potential national exemptions to individuals’ rights, including with regard to Article 89 GDPR, and how France conceives of processing activities of ‘public interest’. Finally, the authors address ongoing debates around bioethics law in France and argue for the creation of a specific Act focused on biobanking as a means of integrating, clarifying and developing not only data protection rules but also other activities related to samples, human or not, in a unique, operational and compact.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.783,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:5515030",
    "title": "Clinconnet : a Blockchain-based dynamic consent management platform for clinical research",
    "authors": [
      "Montassar Naghmouchi",
      "Maryline Laurent"
    ],
    "date": "2026-02-17",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-05515030v1",
    "pdfUrl": "https://hal.science/hal-05515030/document",
    "doi": "10.48550/arXiv.2602.02610",
    "abstract": "Consent is an ethical cornerstone of clinical research and healthcare in general. Although the ethical principles of consent - providing information, ensuring comprehension, and ensuring voluntariness - are well-defined, the technological infrastructure remains outdated. Clinicians are responsible for obtaining informed consent from research subjects or patients, and for managing it before, during, and after clinical trials or care, which is a burden for them. The voluntary nature of participating in clinical research or undergoing medical treatment implies the need for a participant-centric consent management system. However, this is not reflected in most established systems. Not only do most healthcare information systems not follow a user-centric model, but they also create data silos, which significantly reduce the mobility of patient data between different healthcare institutions and impact personalized medicine. Furthermore, consent management tools are outdated. We propose ClinConNet (Clinical Consent Network), a platform that connects researchers and participants based on clinical research projects. ClinConNet is powered by a dynamic consent model based on blockchain technology and takes advantage of dynamic consent interfaces, as well as blockchain and Self-Sovereign Identity (SSI) systems. ClinConNet is user-centric and provides important privacy features for patients, such as unlinkability, confidentiality, and ownership of identity data. It is also compatible with the right to be forgotten, as defined in many personal data protection regulations, such as the GDPR. We provide a detailed privacy and security analysis in an adversarial model, as well as a Proof of Concept implementation with detailed performance measures that demonstrate the feasibility of our blockchain-based consent management system with a median end-to-end consent establishment time of under 200ms and a throughput of 250 transactions per second.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.783,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:5471874",
    "title": "Legally validated evaluation framework for voice anonymization",
    "authors": [
      "Nathalie Vauquier",
      "Brij Mohan Lal Srivastava",
      "Seyed Ahmad Hosseini",
      "Emmanuel Vincent"
    ],
    "date": "2025-08-17",
    "platform": "hal",
    "sourceUrl": "https://inria.hal.science/hal-05471874v1",
    "pdfUrl": "https://inria.hal.science/hal-05471874/document",
    "doi": "10.21437/interspeech.2025-1699",
    "abstract": "Classical speaker verification metrics used to evaluate voice anonymization systems, such as the equal error rate (EER), fail to properly quantify the residual re-identification risk. This paper introduces a new evaluation framework based on two metrics, Linkability and Singling Out, derived from the legal definitions in the Article 29 Working Party's Opinion 05/2014 on Anonymization Techniques endorsed by the European Data Protection Board (EDPB). Our framework translates these legal concepts into quantitative metrics for speech data. The proposed framework has been legally validated by the French Data Protection Authority. Experiments across various attack scenarios reveal that, while the EER remains stable, Linkability and Singling Out vary much more. This demonstrates that the residual privacy risk after anonymization is far more variable than indicated by the EER, underscoring the need for evaluation metrics that align with legal criteria.",
    "topics": [
      "data_anonymization",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Sector Regulations"
    ],
    "relevanceScore": 0.783,
    "venue": "INTERSPEECH",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2941857399",
    "title": "Use and Understanding of Anonymization and De-Identification in the Biomedical Literature: Scoping Review",
    "authors": [
      "Raphaël Chevrier",
      "Vasiliki Foufi",
      "Christophe Gaudet-Blavignac",
      "Arnaud Robert",
      "Christian Lovis"
    ],
    "date": "2019",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.2196/13484",
    "pdfUrl": "https://www.jmir.org/2019/5/e13484/PDF",
    "doi": "https://doi.org/10.2196/13484",
    "abstract": "Interest is growing for privacy-enhancing techniques in the life sciences community. This interest crosses scientific boundaries, involving primarily computer science, biomedical informatics, and medicine. The variability observed in the use of the terms de-identification and anonymization emphasizes the need for clearer definitions as well as for better education and dissemination of information on the subject. The same observation applies to the methods. Several legislations, such as the American Health Insurance Portability and Accountability Act (HIPAA) and the European General Data Protection Regulation (GDPR), regulate the domain. Using the definitions they provide could help address the variable use of these two concepts in the research community.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.783,
    "venue": "Journal of Medical Internet Research",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4390848134",
    "title": "Clarifying “personal data” and the role of anonymisation in data protection law: Including and excluding data from the scope of the GDPR (more clearly) through refining the concept of data protection",
    "authors": [
      "Valentin Rupp",
      "Maximilian von Grafenstein"
    ],
    "date": "2024",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1016/j.clsr.2023.105932",
    "pdfUrl": "https://doi.org/10.1016/j.clsr.2023.105932",
    "doi": "https://doi.org/10.1016/j.clsr.2023.105932",
    "abstract": "In a data-driven society, the collection and processing of data is essential to the operation of existing technologies and the development of new ones. Data protection law protects individuals against risks associated with the processing of “personal data”. However, despite an intensive legal debate, there is still considerable uncertainty as to when data is personal data and when it is not. The reason for this is that data such as technical data or geo-location data usually is not “personal” per se but only when it is used for a specific purpose and in a specific way, or to be more precise, when the data processing causes a specific risk to a fundamental right of an individual. In our paper, we demonstrate that by focusing on these risks when assessing the scope of application, the question whether data falls into the scope of the General Data Protection Regulation (GDPR) or not becomes much clearer. The about, purpose, and result elements, introduced by the Art. 29 Working Party, thereby turn out to be a powerful set of analytical tools to determine which rights are specifically affected by data processing and, thus, to what extent a data subject is identified or identifiable in the processing context. While the about element addresses different risks to the right to privacy, the purpose element specifically reveals risks to the autonomy status of an individual. Finally, the result element focuses on the negative effect data processing can have on any other fundamental rights of the individual. On this basis, it is also possible to define more precisely the legal requirements for anonymising personal data. First of all, we illustrate that anonymisation mainly affects the about element and can do little “against” the purpose and result element. At least, however, by assessing which sphere of privacy is specifically concerned, it is possible to more precisely define when an individual is identified in a dataset and, thus, what the requirements for anonymization are.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.783,
    "venue": "Computer law & security review",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2944884171",
    "title": "GDPR principles in Data protection encourage pseudonymization through most popular and full-personalized devices - mobile phones",
    "authors": [
      "Peter Štarchoň",
      "Tomáš Pikulík"
    ],
    "date": "2019",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1016/j.procs.2019.04.043",
    "pdfUrl": "https://doi.org/10.1016/j.procs.2019.04.043",
    "doi": "https://doi.org/10.1016/j.procs.2019.04.043",
    "abstract": "The core concept of European reform of the law on the protection of personal data, implemented in EU General Data Protection Regulation (GDPR) – European Parliament and Council Regulation No 2016/679 becoming enforceable on 25th May 2018. GDPR as a new framework for unit 500 million of customers has strengthen and unite the aspect of data privacy that retaining the main principles of previous Data Protection Directive 95/46/EC. Regulation brings by its hidden traps, many important new obligations in coherence with tougher regime of data privacy in terms of usage of fines and sanctions for the unwary ones. Thus, in this paper, we refer to data protection principles by the example of mobile operators that affect our everyday lives with reference to assigned problem of collect, process and manage a relatively large amount of our personal data. Analytical and conceptual view of processing customer’s metadata and considering right of subject to data portability also reveals and encourage methods for implementing pseudonymization techniques to process them on behind to secure customer’s privacy.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.783,
    "venue": "Procedia Computer Science",
    "language": "en"
  },
  {
    "id": "s2:bc0f56a2bc17461f9f761f95dacf6e89890ec21f",
    "title": "Clinical Text Anonymization, its Influence on Downstream NLP Tasks and the Risk of Re-Identification",
    "authors": [
      "Iyadh Ben Cheikh Larbi",
      "A. Burchardt",
      "R. Roller"
    ],
    "date": "2023",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/bc0f56a2bc17461f9f761f95dacf6e89890ec21f",
    "pdfUrl": "https://aclanthology.org/2023.eacl-srw.11.pdf",
    "doi": "10.18653/v1/2023.eacl-srw.11",
    "abstract": "While text-based medical applications have become increasingly prominent, access to clinical data remains a major concern. To resolve this issue, further de-identification and anonymization of the data are required. This might, however, alter the contextual information within the clinical texts and therefore influence the learning and performance of possible language models. This paper systematically analyses the potential effects of various anonymization techniques on the performance of state-of-the-art machine learning models based on several datasets corresponding to five different NLP tasks. On this basis, we derive insightful findings and recommendations concerning text anonymization with regard to the performance of machine learning models. In addition, we present a simple re-identification attack applied to the anonymized text data, which can break the anonymization.",
    "topics": [
      "data_anonymization",
      "linkability_tracking"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Re-identification"
    ],
    "relevanceScore": 0.783,
    "venue": "Conference of the European Chapter of the Association for Computational Linguistics",
    "language": "en"
  },
  {
    "id": "crossref:10.5195/tlp.2020.235",
    "title": "Privacy, Risk, Anonymization and Data Sharing in the Internet of Health Things",
    "authors": [
      "Liane Colonna"
    ],
    "date": "2020-04-06",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.5195/tlp.2020.235",
    "pdfUrl": "http://tlp.law.pitt.edu/ojs/index.php/tlp/article/viewFile/235/230",
    "doi": "10.5195/tlp.2020.235",
    "abstract": "This paper explores a specific risk-mitigation strategy to reduce privacy concerns in the Internet of Health Things (IoHT): data anonymization. It contributes to the current academic debate surrounding the role of anonymization in the IoHT by evaluating how data controllers can balance privacy risks against the quality of output data and select the appropriate privacy model that achieves the aims underlying the concept of Privacy by Design. It sets forth several approaches for identifying the risk of re-identification in the IoHT as well as explores the potential for synthetic data generation to be used as an alternative method to anonymization for data sharing.",
    "topics": [
      "data_anonymization",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.783,
    "venue": "Pittsburgh Journal of Technology Law & Policy",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4384825851",
    "title": "The third country problem under the GDPR: enhancing protection of data transfers with technology",
    "authors": [
      "Bjørn Aslak Juliussen",
      "Elisavet Kozyri",
      "Dag Johansen",
      "Jon Petter Rui"
    ],
    "date": "2023",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1093/idpl/ipad013",
    "pdfUrl": "https://academic.oup.com/idpl/advance-article-pdf/doi/10.1093/idpl/ipad013/50909868/ipad013.pdf",
    "doi": "https://doi.org/10.1093/idpl/ipad013",
    "abstract": "The overall objective of the General Data Protection Regulation (GDPR) is two-fold: To contribute to the protection of privacy and personal data and to promote the free flow of personal data within the protected area through uniform regulations and homogenized interpretations of those regulations. If a controller or processor in the protected area (the exporter) transfers personal data to a country, region, or international organization outside the EEA, the exporter gets the advantage of the free flow of personal data to an area without homogenized data protection rules and interpretations. Under such circumstances, it is imperative to establish requirements that contribute to the initial objective of the GDPR, the protection of privacy and personal data. In EU data protection law, this requirement is known as the ‘essentially equivalent’ requirement. If personal data are to be transferred outside the protected area, the receiving country must have a level of personal data protection ‘essentially equivalent’ to the protected area.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.783,
    "venue": "International Data Privacy Law",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4393870707",
    "title": "A comparative analysis: health data protection laws in Malaysia, Saudi Arabia and EU General Data Protection Regulation (GDPR)",
    "authors": [
      "Jawahitha Sarabdeen",
      "Mohamed Mazahir Mohamed Ishak"
    ],
    "date": "2024",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1108/ijlma-01-2024-0025",
    "pdfUrl": "",
    "doi": "https://doi.org/10.1108/ijlma-01-2024-0025",
    "abstract": "Purpose General Data Protection Regulation (GDPR) of the European Union (EU) was passed to protect data privacy. Though the GDPR intended to address issues related to data privacy in the EU, it created an extra-territorial effect through Articles 3, 45 and 46. Extra-territorial effect refers to the application or the effect of local laws and regulations in another country. Lawmakers around the globe passed or intensified their efforts to pass laws to have personal data privacy covered so that they meet the adequacy requirement under Articles 45–46 of GDPR while providing comprehensive legislation locally. This study aims to analyze the Malaysian and Saudi Arabian legislation on health data privacy and their adequacy in meeting GDPR data privacy protection requirements. Design/methodology/approach The research used a systematic literature review, legal content analysis and comparative analysis to critically analyze the health data protection in Malaysia and Saudi Arabia in comparison with GDPR and to see the adequacy of health data protection that could meet the requirement of EU data transfer requirement. Findings The finding suggested that the private sector is better regulated in Malaysia than the public sector. Saudi Arabia has some general laws to cover health data privacy in both public and private sector organizations until the newly passed data protection law is implemented in 2024. The finding also suggested that the Personal Data Protection Act 2010 of Malaysia and the Personal Data Protection Law 2022 of Saudi Arabia could be considered “adequate” under GDPR. Originality/value The research would be able to identify the key principles that could identify the adequacy of the laws about health data in Malaysia and Saudi Arabia as there is a dearth of literature in this area. This will help to propose suggestions to improve the laws concerning health data protection so that various stakeholders can benefit from it.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.783,
    "venue": "International Journal of Law and Management",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2904119980",
    "title": "Forgetting personal data and revoking consent under the GDPR: Challenges and proposed solutions",
    "authors": [
      "Eugenia Politou",
      "Efthimios Alepis",
      "Constantinos Patsakis"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1093/cybsec/tyy001",
    "pdfUrl": "https://academic.oup.com/cybersecurity/article-pdf/4/1/tyy001/27126900/tyy001.pdf",
    "doi": "https://doi.org/10.1093/cybsec/tyy001",
    "abstract": "Upon the General Data Protection Regulation's (GDPR) application on 25 May 2018 across the European Union, new legal requirements for the protection of personal data will be enforced for data controllers operating within the EU territory. While the principles encompassed by the GDPR were mostly welcomed, two of them, namely the right to withdraw consent and the right to be forgotten, caused prolonged controversy among privacy scholars, human rights advocates and business world due to their pivotal impact on the way personal data would be handled under the new legal provisions and the drastic consequences of enforcing these new requirements in the era of big data and internet of things. In this work, we firstly review all controversies around the new stringent definitions of consent revocation and the right to be forgotten in reference to their implementation impact on privacy and personal data protection, and secondly, we evaluate existing methods, architectures and state-of-the-art technologies in terms of fulfilling the technical practicalities for the implementation and effective integration of the new requirements into current computing infrastructures. The latter allow us to argue that such enforcement is indeed feasible provided that implementation guidelines and low-level business specifications are put in place in a clear and cross-platform manner in order to cater for all possible exceptions and complexities.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.783,
    "venue": "Journal of Cybersecurity",
    "language": "en"
  },
  {
    "id": "s2:3fb2d2a28f26c82febe37c632315073ccbc5863c",
    "title": "Automatic Anonymization of Textual Documents: Detecting Sensitive Information via Word Embeddings",
    "authors": [
      "Fadi Hassan",
      "David Sánchez",
      "Jordi Soria-Comas",
      "J. Domingo-Ferrer"
    ],
    "date": "2019-08-01",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/3fb2d2a28f26c82febe37c632315073ccbc5863c",
    "pdfUrl": "",
    "doi": "10.1109/TrustCom/BigDataSE.2019.00055",
    "abstract": "Data sharing is key in a wide range of activities but raises serious privacy concerns when the data contain personal information. Anonymization mechanisms provide ways to transform the data so that identities and/or sensitive data are not disclosed (i.e., data are no longer personal). Even though a variety of methods have been proposed for structured data, automatic anonymization of unstructured text is still far from being solved. Textual data anonymization consists of detecting sensitive pieces of text, which are later removed and/or generalized. The detection process is especially challenging and it is usually based on classifiers pre-trained on large quantities of manually tagged data, which are able to detect a fixed set of (sensitive) entities such as names or locations. However, this approach is severely limited because sensitive information may appear in text in many forms and not all the appearances of a certain entity type may disclose information on the individual to be protected. In this work we propose a more general solution to text anonymization based on the notion of word embedding. The idea is to represent all the entities appearing in the document as word vectors that capture their semantic relationships. Then a particular entity (e.g. an individual or an organization) can automatically be protected by removing the other entities co-occurring in the document whose vectors are similar to the particular entity's vector. Furthermore, our method does not require manually tagged training data and is language-agnostic. We empirically evaluated our proposal on a collection of biographies. Our results show a significant improvement of the detection recall in comparison with classical approaches to text anonymization based on named entity recognition.",
    "topics": [
      "data_anonymization",
      "pii_entity_types"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.783,
    "venue": "2019 18th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/13th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE)",
    "language": "en"
  },
  {
    "id": "europepmc:PPR274355",
    "title": "Data Protection Impact Assessment for the Corona App",
    "authors": [
      "Bock K",
      "Kühne CR",
      "Mühlhoff R",
      "Ost MR",
      "Pohle J",
      "Rehak R."
    ],
    "date": "2021-01-18",
    "platform": "europe_pmc",
    "sourceUrl": "https://europepmc.org/article/PPR274355",
    "pdfUrl": "https://europepmc.org/api/fulltextRepo?pprId=PPR274355&type=FILE&fileName=EMS115285-pdf.pdf&mimeType=application/pdf",
    "doi": "",
    "abstract": "Since SARS-CoV-2 started spreading in Europe in early 2020, there has been a strong call for technical solutions to combat or contain the pandemic, with contact tracing apps at the heart of the debates. The EU's General Data Protection Regulation (GDPR) requires controllers to carry out a data protection impact assessment (DPIA) where their data processing is likely to result in a high risk to the rights and freedoms (Art. 35 GDPR). A DPIA is a structured risk analysis that identifies and evaluates possible consequences of data processing relevant to fundamental rights and describes the measures envisaged to address these risks or expresses the inability to do so. Based on the Standard Data Protection Model (SDM), we present a scientific DPIA which thoroughly examines three published contact tracing app designs that are considered to be the most \"privacy-friendly\": PEPP-PT, DP-3T and a concept summarized by Chaos Computer Club member Linus Neumann, all of which process personal health data. The DPIA starts with an analysis of the processing context and some expected use cases. Then, the processing activities are described by defining a realistic processing purpose. This is followed by the legal assessment and threshold analysis. Finally, we analyse the weak points, the risks and determine appropriate protective measures. We show that even decentralized implementations involve numerous serious weaknesses and risks. Legally, consent is unfit as legal ground hence data must be processed based on a law. We also found that measures to realize the rights of data subjects and affected people are not sufficient. Last but not least, we show that anonymization must be understood as a continuous process, which aims at separating the personal reference and is based on a mix of legal, organizational and technical measures. All currently available proposals lack such an explicit separation process.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.783,
    "venue": "",
    "language": "de"
  },
  {
    "id": "arxiv:2410.06086",
    "title": "The GDPR's Rules on Data Breaches: Analysing Their Rationales and Effects",
    "authors": [
      "Frederik Zuiderveen Borgesius",
      "Hadi Asghari",
      "Noël Bangma",
      "Jaap-Henk Hoepman"
    ],
    "date": "2024-10-08",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2410.06086v1",
    "pdfUrl": "https://arxiv.org/pdf/2410.06086v1",
    "doi": "",
    "abstract": "The General Data Protection Regulation (GDPR) requires an organisation that suffers a data breach to notify the competent Data Protection Authority. The organisation must also inform the relevant individuals, when a data breach threatens their rights and freedoms. This paper focuses on the following question: given the goals of the GDPR's data breach notification obligation, and we assess the obligation in the light of those goals. We refer to insights from information security and economics, and present them in a reader-friendly way for lawyers. Our main conclusion is that the GDPR's data breach rules are likely to contribute to the goals. For instance, the data breach notification obligation can nudge organisations towards better security; such an obligation enables regulators to perform their duties; and such an obligation improves transparency and accountability. However, the paper also warns that we should not have unrealistic expectations of the possibilities for people to protect their interests after a data breach notice. Likewise, we should not have high expectations of people switching to other service providers after receiving a data breach notification. Lastly, the paper calls for Data Protection Authorities to publish more information about reported data breaches. Such information can help to analyse security threats.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.783,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:2205.13265",
    "title": "Privacy-Preserving Wavelet Neural Network with Fully Homomorphic Encryption",
    "authors": [
      "Syed Imtiaz Ahamed",
      "Vadlamani Ravi"
    ],
    "date": "2022-05-26",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2205.13265v2",
    "pdfUrl": "https://arxiv.org/pdf/2205.13265v2",
    "doi": "",
    "abstract": "The main aim of Privacy-Preserving Machine Learning (PPML) is to protect the privacy and provide security to the data used in building Machine Learning models. There are various techniques in PPML such as Secure Multi-Party Computation, Differential Privacy, and Homomorphic Encryption (HE). The techniques are combined with various Machine Learning models and even Deep Learning Networks to protect the data privacy as well as the identity of the user. In this paper, we propose a fully homomorphic encrypted wavelet neural network to protect privacy and at the same time not compromise on the efficiency of the model. We tested the effectiveness of the proposed method on seven datasets taken from the finance and healthcare domains. The results show that our proposed model performs similarly to the unencrypted model.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.783,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|57a035e5b1ae::4ad89e8ab16a1af166f2531430b0547c",
    "title": "CYBER SECURITY FOUNDATIONS FOR COMPLIANCE WITHIN GDPR FOR BUSINESS INFORMATION SYSTEMS",
    "authors": [
      "Boban, Marija"
    ],
    "date": "2018-01-01",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=50|57a035e5b1ae::4ad89e8ab16a1af166f2531430b0547c",
    "pdfUrl": "",
    "doi": "",
    "abstract": "While the General Data Protection Regulation presents the new and the most important, regulation regarding personal data protection to be passed into law by the European Union, cyber security is considered to be a primary method in achieving compliance within the articles of the GDPR. Fundamentally, it aims to protect the citizen’s privacy and security of personal data, and this requirement for protection extends globally, to all organisations, public and private, wherever personal data is held, processed, or transmitted concerning any citizen of European Union. In this paper, the author will present the new EU data protection regulation and cyber security compliance of business information systems within GDPR. In its introduction the paper is giving an overview of the theoretical framework, the principles and rights within GDPR and the key areas of compliance to the cyber security within GDPR with emphasis on security of personal data and data processing in order to avoid penalties as well as to achieve greater efficiency and more cost effective management of business information systems in whole.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.783,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|od______3848::213d4fa1549f353343cb66239d39f980",
    "title": "THE GDPR MADE SIMPLE(R) FOR SMEs",
    "authors": [],
    "date": "2021-01-01",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=50|od______3848::213d4fa1549f353343cb66239d39f980",
    "pdfUrl": "",
    "doi": "",
    "abstract": "This user-friendly Handbook offers guidance and practical suggestions for small and medium-sized enterprises (SMEs) that could facilitate compliance with the General Data Protection Regulation (GDPR). Being primarily addressed to enterprises for which personal data processing is an auxiliary activity, the Handbook explains how to navigate the barrage of resources available on GDPR. In doing so it provides an overview of the main actors in the European data protection landscape. It also clarifies the scope of data protection law and the scope of its application to SMEs. The Handbook introduces concepts and principles that form the crux of personal data protection legal framework and then it unpacks the theory and practice of the risk-based approach to personal data protection. The Handbook seeks to go beyond a mere description of GDPR provisions and obligations stemming from them. It includes a set of proactive measures that were put forward by European DPAs and bodies. In addition, it provides references to other publicly available (open access) resources that also provide practical suggestions.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.783,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|od______1548::8f0b129c956feab9f39367bdd4ae3c64",
    "title": "The Mathematics of Risk: An introduction to guaranteed data de-identification",
    "authors": [
      "Thompson, Kristi"
    ],
    "date": "2022-03-03",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=50|od______1548::8f0b129c956feab9f39367bdd4ae3c64",
    "pdfUrl": "",
    "doi": "",
    "abstract": "This webinar is devoted to the mathematical and theoretical underpinnings of guaranteed data anonymization. Topics covered include an overview of identifiers and quasi-identifiers, an introduction to k-anonymity, a look at some cases where k-anonymity breaks down, and anonymization hierarchies. The presenter will describe a method to assess a survey dataset for anonymization using standard statistical software and consider the question of \"anonymization overkill\". Much of the academic material looking at data anonymization is quite abstract and aimed at computer scientists, while material aimed at data curators does not always consider recent developments. This webinar is intended to help bridge the gap.",
    "topics": [
      "data_anonymization",
      "linkability_tracking"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Re-identification"
    ],
    "relevanceScore": 0.783,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:4844898",
    "title": "AI Hallucinations and Data Subject Rights under the GDPR: Regulatory Perspectives and Industry Responses",
    "authors": [
      "Theodore Christakis"
    ],
    "date": "2024-12-11",
    "platform": "hal",
    "sourceUrl": "https://hal.univ-grenoble-alpes.fr/hal-04844898v1",
    "pdfUrl": "https://hal.univ-grenoble-alpes.fr/hal-04844898/document",
    "doi": "",
    "abstract": "The rise of general-purpose artificial intelligence (GPAI) systems is transforming industries by generating human-like text, images, and other content. However, these advancements bring a significant challenge: AI hallucinations—instances where AI produces plausible but false or nonsensical information. Such hallucinations undermine the reliability of AI outputs and pose risks when disseminated as factual data, especially in critical fields like law, healthcare, and journalism. This article explores the complex interplay between AI hallucinations and data subject rights under the General Data Protection Regulation (GDPR). It examines high-profile cases where individuals were inaccurately portrayed by AI systems, leading to data protection complaints. In April 2024, the consumer organization Noyb notoriously filed a complaint with the Austrian Data Protection Authority (DPA), alleging that ChatGPT violated GDPR's accuracy principle by providing an incorrect date of birth for a public figure and failing to rectify the error when notified. Drawing on regulatory perspectives, the article focuses into the nuanced approaches proposed by DPAs such as the Hamburg DPA and the UK's Information Commissioner's Office. In July 2024, the Hamburg DPA published a Discussion Paper that ignited extensive debate. This paper's significance lies in the Hamburg DPA's focus on the critical distinction between GPAI systems and Large Language Models (LLMs), which constitute only one component of GPAI systems. According to the Hamburg DPA, LLMs themselves do not contain personal data and, as such, fall outside the scope of the GDPR—a stance that has drawn criticism examined in detail in the paper – as well as the Hamburg DPAs response. 
However, the true significance of the Discussion Paper, lies in its call to shift regulatory attention toward other components of GPAI systems—particularly their outputs, where the GDPR clearly applies—rather than the internal mechanics of LLMs. The Hamburg DPA’s paper underscores an important point: LLMs do not store personal data in discrete records or operate as traditional structured databases. Consequently, applying the GDPR's accuracy requirement in its conventional form may be neither feasible nor appropriate. Similarly, the ICO proposed a risk-based approach to the issue of AI hallucinations, tailoring accuracy requirements to the purpose and context of AI use and emphasizing information and transparency. The combination of these guidances could be very helpful to mitigate the risks of violating the principle of accuracy and data subject rights under the GDPR when GPAI systems generate incorrect personal information, without hindering the development of these technologies in Europe. This article also explores the multifaceted efforts by GPAI system creators to address these issues, explaining in detail the technical and legal measures implemented to reduce hallucinations and mitigate associated risks. While these measures represent significant progress, they are yet far from perfect, and ongoing refinement is necessary as the technology evolves. By weaving together regulatory insights and industry practices, the article argues for a balanced approach and for ongoing collaboration among stakeholders to refine strategies that effectively manage AI hallucinations within the GDPR framework.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.783,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:2553947",
    "title": "European Union Data Privacy Law Reform: General Data Protection Regulation, Privacy Shield, and the Right to Delisting",
    "authors": [
      "W. Gregory Voss"
    ],
    "date": "2017-01-05",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-02553947v1",
    "pdfUrl": "https://hal.science/hal-02553947/document",
    "doi": "",
    "abstract": "This article discusses a few of the most important European data privacy law developments in recent history – perhaps the most significant since 1995 when the European Union adopted the Data Protection Directive. These include the adoption of the General Data Protection Regulation (GDPR), the invalidation of the U.S. – EU Safe Harbor cross-border personal data transfer framework in the Schrems decision, and the Safe Harbor’s subsequent replacement by the Privacy Shield. The latter allows transfer of personal data (such as data about employees and prospects) from the European Union to the United States, upon certification of commitments by participating companies, and provides guarantees from U.S. agencies and means of enforcement in case of violations. The article also covers continuing developments concerning the “right to delisting,” which was applied in the 2014 Google Spain decision. Treatment of the GDPR, which will be applicable as of May 2018 (allowing companies time to prepare), includes its extended territorial scope, changes to personal data processing principles, provisions regarding storage of data for public interest, scientific, historical or statistical purposes, developments regarding legitimate bases for processing, including consent, increased data subject rights which will require companies to take action, as well as new compliance requirements which may include, when applicable, performing data protection impact assessments and/or hiring data protection officers. Furthermore, new record-keeping obligations, new requirements for data breach notifications, and higher administrative fines are detailed.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.783,
    "venue": "Business Lawyer",
    "language": "en"
  },
  {
    "id": "hal:5002906",
    "title": "Cryptography for privacy-preserving machine learning",
    "authors": [
      "Théo Ryffel"
    ],
    "date": "2022-06-23",
    "platform": "hal",
    "sourceUrl": "https://theses.hal.science/tel-05002906v2",
    "pdfUrl": "https://theses.hal.science/tel-05002906/document",
    "doi": "",
    "abstract": "The ever growing use of machine learning (ML), motivated by the possibilities it brings to a large number of sectors, is increasingly raising questions because of the sensitive nature of the data that must be used and the lack of transparency on the way these data are collected, combined or shared. Therefore, a number of methods are being developed to reduce its impact on our privacy and make its use more acceptable, especially in areas such as healthcare where its potential is still largely under-exploited. This thesis explores different methods from the fields of cryptography and security, and applies them to machine learning in order to establish new confidentiality guarantees for the data used and the ML models. Our first contribution is the development of a technical foundation to facilitate experimentation of new approaches, through an open-source library named PySyft. We propose a modular architecture that facilitates the use of privacy blocks, or the development and integration of new blocks. This library is reused in all the implementations proposed in this thesis. Our second contribution consists in highlighting the vulnerability of ML models by proposing an attack that exploits a trained model to reveal confidential data. This attack could, for example, subvert a model that recognizes a person’s sport from an image, to detect the person’s racial origins. We propose solutions to limit the impact of this attack. In a third step, we focus on some cryptographic protocols that allow us to perform computations on encrypted data. A first study proposes a functional encryption protocol that allows to make predictions using a small ML model over encrypted data and to only make the predictions public. A second study focuses on optimizing a functional secret sharing protocol, which allows an ML model to be trained or evaluated on data privately, i.e. without revealing either the model or the data to anyone. 
This protocol provides sufficient performance to use models that have practical utility in non-trivial tasks such as pathology detection in lung X-rays. Our final contribution is in differential privacy, a technique that limits the vulnerability of ML models and thus the exposure of the data used in training by introducing a controlled perturbation. We propose a new protocol and show that it offers the possibility to train a smooth and strongly convex model with a bounded privacy loss regardless of the number of calls to sensitive data during training.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.783,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:5514704",
    "title": "International privacy and data protection law to the test of agentic AI",
    "authors": [
      "William Letrone"
    ],
    "date": "2025-05-27",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-05514704v1",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Agentic AI may be understood as an AI system capable of executing a diverse suite of more-or-less complex tasks without human involvement. Agentic AI systems are designed to exhibit high levels of autonomy, functioning with minimal human inputs. However, agentic AI raises privacy and data protection issues that need to be addressed before the technology becomes ubiquitous. (1) Objective This prospective research anticipates the generalization of autonomous AI agents within society. As such, it aims to analyze agentic AI from the perspective of international privacy and data protection law, drawing upon widely-recognized data protection principles, in order to assess whether current frameworks on privacy are up to the task of regulating agentic AI systems. (2) Results The research will provide clarifications on the possible categorization of agentic AI systems under the european AI Act and the consequences of their categorization. It will also provide relevant legal insights to enlighten the application of key privacy and data protection principles, such as data minimization and purpose limitation. (3) Method The research will employ an evaluative legal research methodology, where key legal rules are mobilized to assess their applicability in new, concrete contexts.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.783,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:2554678",
    "title": "The European Commission on the Privacy Shield: All Bark and No Bite?",
    "authors": [
      "Kimberly A. Houser",
      "W. Gregory Voss"
    ],
    "date": "2018-12-20",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-02554678v1",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Much has been written about the difference in the privacy laws of the European Union and the United States and ideologies behind the two regimes. One risk of the increasing divergence in views on privacy is the potential halting of data transfers from the European Union to the United States by the European Commission (EC). As data is a significant driver of the world economy, special care must be taken both to ensure that data is able to cross borders easily, and individuals’ rights to data protection are respected. The General Data Protection Regulation (GDPR) prohibits the transfer of personal data outside of the European Economic Area (EEA) to countries without “adequate” privacy protections. As the United States is considered to have insufficient protections, the EC requires that an approved mechanism, such as the Privacy Shield—its agreement with the United States that permits U.S. companies to self-certify that they will meet certain minimum privacy protections—be used for such transfers. Alternative mechanisms include standard contractual clauses (SCCs). Suspension of any one approved mechanism may call into question the legitimacy of the others. Although the Privacy Shield survived its first EC review in 2017, many called for the EC to suspend the Privacy Shield at its second review due to a number of factors: the continuation of the Schrems case; the failure of the U.S. government to enact the recommendations made in the 2017 Privacy Shield review; and recent U.S. government actions demonstrating disregard for data privacy protection; the EC chose to back down instead of proceeding to a clash. In a report issued on December 19, 2018 (2018 Report), the EC indicated that the Privacy Shield had passed its second review, subject to the United States appointing a permanent Privacy Shield Ombudsperson by February 28, 2019. 
Before analyzing the 2018 Report, it is important to understand why the U.S.’s commitment to the Privacy Shield mechanism seems tenuous.",
    "topics": [
      "jurisdiction_regulatory",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.783,
    "venue": "University of Illinois Journal of Law, Technology & Policy: Timely Tech",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3136539726",
    "title": "Data Protection by Design? A Critique of Article 25 of the GDPR",
    "authors": [
      "Ari Ezra Waldman"
    ],
    "date": "2021",
    "platform": "OpenAlex",
    "sourceUrl": "https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3773143",
    "pdfUrl": "https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3773143",
    "doi": "",
    "abstract": "Europe’s General Data Protection Regulation (GDPR) took effect on May 25, 2018. Article 25, titled, “Data Protection by Design and by Default,” purports to incorporate the concept of “privacy by design” into European data protection law. This Article challenges that common presumption. Although privacy by design is not a new doctrine, having been the subject of academic debate, legal, and regulatory discussions for more than a decade, the final draft of Article 25(1) reflects little, if any, of that history. Relying on multiple forms of statutory interpretation commonly used to interpret European Community legislation, this Article argues that Article 25 of the GDPR lacks any meaningful connection to privacy by design under textualist, contextual, purposive, and precedential interpretations. Only teleological reasoning offers a meaningful way forward. This means that it is up to the European Court of Justice to determine if Article 25(1) will have any chance of protecting European Union citizens and limiting the power of data controllers.",
    "topics": [
      "gdpr_compliance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.783,
    "venue": "SSRN Electronic Journal",
    "language": "en"
  },
  {
    "id": "ETid-65",
    "title": "GDPR Fine: PWC Business Solutions — Hellenic Data Protection Authority (HDPA) (Greece)",
    "authors": [
      "Hellenic Data Protection Authority (HDPA)"
    ],
    "date": "2019-07-30",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-65",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €150,000 | Articles: Art. 5 (1) GDPR, Art. 5 (2) GDPR, Art. 6 (1) GDPR, Art. 13 (1) c) GDPR, Art. 14 (1) c) GDPR | Insufficient legal basis for data processing | The processing of employee personal data was based on consent. The HDPA found that consent as legal basis was inappropriate, as the processing of personal data was intended to carry out acts directly linked to the performance of employment contracts, compliance with a legal obligation to which the controller is subject and the smooth and effective operation of the company, as its legitimate interest. In addition, the company gave employees the false impression that it was processing their personal data under the legal basis of consent, while in reality it was processing their data under a different legal basis.  This was in violation of the principle of transparency and thus in breach of the obligation to provide information under Articles 13(1)(c) and 14(1)(c) of the GDPR. Lastly, in violation of the accountability principle, the company failed to provide the HDPA with evidence that it had carried out a prior assessment of the appropriate legal bases for processing employee personal data",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.783,
    "venue": "GDPR DPA: Hellenic Data Protection Authority (HDPA)",
    "language": "en"
  },
  {
    "id": "ETid-577",
    "title": "GDPR Fine: I-DE Redes Eléctricas Inteligentes, S.A.U — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2021-03-02",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-577",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00197-2020.pdf",
    "doi": "",
    "abstract": "Fine: €200,000 | Articles: Art. 5 (1) b), c) GDPR, Art. 6 (1) b) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) imposed a fine of EUR 200,000 on I-DE Redes Eléctricas Inteligentes, S.A.U. The DPA received complaints from Waitum, S.L. and Servicios Aby 2018, S.L. because their customers had received letters from the controller. Both companies had previously transferred their customers' personal data to the controller under a network access agreement entered into with the controller. Under this agreement, the two companies acted as representatives of their respective customers, who were supplied with electricity by the controller. In the letters sent, the controller mentioned, among other things, alleged breaches of contract and non-payment by the companies to the controller. \nIn the course of its investigations, the DPA determined that the sending of these letters was neither related to nor necessary for the performance of the respective contract. The controller had therefore violated the principles of purpose limitation and data minimization, so that the sending of these letters constituted unlawful processing of the customers' personal data.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.783,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-600",
    "title": "GDPR Fine: Regione Lazio — Italian Data Protection Authority (Garante) (Italy)",
    "authors": [
      "Italian Data Protection Authority (Garante)"
    ],
    "date": "2021-01-14",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-600",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €75,000 | Articles: Art. 5 (2) GDPR, Art. 28 GDPR | Insufficient data processing agreement | The Italian DPA (Garante) has fined Regione Lazio (Lazio Region) EUR 75,000 for failing to designate Capodarco, the company it entrusted with the management of reservations for healthcare services in 1999, as a data processor. The controller had not entered into a contract with Capodarco that would have governed its role as data processor in accordance with the requirements of data protection law. Thus, a proper contract for commissioned processing had not been concluded until 2019, which meant that data had been processed unlawfully for a period of about 20 years.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.783,
    "venue": "GDPR DPA: Italian Data Protection Authority (Garante)",
    "language": "en"
  },
  {
    "id": "ETid-743",
    "title": "GDPR Fine: Foodinho s.r.l. — Italian Data Protection Authority (Garante) (Italy)",
    "authors": [
      "Italian Data Protection Authority (Garante)"
    ],
    "date": "2021-06-10",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-743",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €2,600,000 | Articles: Art. 5 (1) a), c), e) GDPR, Art. 13 GDPR, Art. 22 (3) GDPR, Art. 25 GDPR, Art. 30 (1) a), b), c), f), g) GDPR, Art. 32 GDPR, Art. 35 GDPR, Art. 37 (7) GDPR | Non-compliance with general data processing principles | The Italian DPA (Garante) has fined Foodinho s.r.l. EUR 2,600,000. Foodinho is an Italian food delivery service. The investigation against Foodinho mainly focused on the drivers of Foodinho. In the process, the DPA found some serious violations of applicable data protection regulations. Thus, the DPA identified some irregularities concerning the algorithms of the Foodinho system. In particular, the DPA found that the controller had not adequately informed employees about how the system worked and did not guarantee the accuracy and correctness of the results of the algorithms used to evaluate drivers. Furthermore, the DPA found violations of the principles of data minimization as well as storage limitation. For example, the systems processed drivers' data to an extent that exceeded the purpose of the processing and, in some cases, stored the data significantly longer than necessary. In addition, the controller had not taken sufficient technical and organizational measures to ensure secure data processing. The controller had also not conducted a data protection impact assessment, although this would have been necessary due to the considerable amount of data of different types relating to a significant number of data subjects. Separate proceedings are being conducted against the parent company GlovoApp23 by the Spanish DPA (AEPD).",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.783,
    "venue": "GDPR DPA: Italian Data Protection Authority (Garante)",
    "language": "en"
  },
  {
    "id": "ETid-747",
    "title": "GDPR Fine: Comune di Bolzano — Italian Data Protection Authority (Garante) (Italy)",
    "authors": [
      "Italian Data Protection Authority (Garante)"
    ],
    "date": "2021-05-13",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-747",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €84,000 | Articles: Art. 5 (1) a), c) GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 13 GDPR, Art. 35 GDPR | Non-compliance with general data processing principles | The Italian DPA (Garante) has fined the municipality of Bolzano EUR 84,000. A former employee of the municipality filed a complaint with the DPA against the municipality. \r\nIn particular, the former employee complained that the municipality processed personal data related to his internet use during working hours and that he later received a notice of initiation of disciplinary proceedings accusing him of accessing Facebook for more than 40 minutes and YouTube for more than 3 hours during his working hours and of using the municipality's computer for private purposes.  The DPA's investigation revealed that the municipality had been using a system to control and filter employees' internet browsing for about a decade, with monthly retention of data and creation of special reports for network security purposes. The system also collected information that had nothing to do with professional activities and, in any case, concerned the private life of the person in question.\r\nThe DPA finds that the controller thus violated the principle of data minimization, lawfulness and purpose limitation. The controller should rather have taken less intrusive measures to prevent the private use of the Internet. The DPA pointed out that the need to reduce the risk of misuse of Internet navigation cannot lead to the complete elimination of any privacy of the data subject at the workplace, even in cases where the employee uses network services provided by the employer. In addition, the controller had not adequately informed employees about the collection of Internet history, in violation of its obligation under Article 13 of the GDPR. 
\r\nFurthermore, the investigation identified other violations in the processing of data related to employees' requests for extraordinary medical examinations, which were made using a special form. The form provided by the controller had to be checked by the head of the organizational unit, a circumstance that led to the unlawful processing of health data.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.783,
    "venue": "GDPR DPA: Italian Data Protection Authority (Garante)",
    "language": "en"
  },
  {
    "id": "ETid-876",
    "title": "GDPR Fine: Bocconi University — Italian Data Protection Authority (Garante) (Italy)",
    "authors": [
      "Italian Data Protection Authority (Garante)"
    ],
    "date": "2021-09-16",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-876",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €200,000 | Articles: Art. 5 (1) a), c), e) GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 13 GDPR, Art. 25 GDPR, Art. 35 GDPR, Art. 44 GDPR, Art. 46 GDPR, Art. Art. 2-sexies Codice della Privacy | Non-compliance with general data processing principles | The Italian DPA (Garante) has imposed a fine of EUR 200,000 on Bocconi University. A student had filed a complaint with the DPA about possible GDPR violations related to the use of a monitoring system during written exams. In the context of the emergency situation triggered by the Covid-19 pandemic, the university had equipped itself with the remote monitoring software Respondus provided by the American company Respondus Inc. to ensure the normal running of the exams, since it was not possible to take the exams live and in person as usual. The software was able to monitor the behavior of the students through video recordings and snapshots taken at random intervals. In addition, the exam was audio-visually recorded and a photograph was taken of each examinee at the beginning of the exam. At the end of the exam, the system processed the video, inserted warning signals regarding possible indications of incorrect behavior, and, among other things, assigned a so-called 'review priority' so that the examiner could subsequently assess whether an unauthorized act had been committed during the exam. In its investigation the DPA found that students were not properly informed of the processing of their personal data involved in the use of Respondus. For instance they were not informed that they would be audiovisually recorded and that the images would subsequently be processed. In addition, students were not provided with information regarding specific retention periods for personal data. 
Nor had they received sufficient information about the fact that their personal data would be transferred to the United States; instead, they were only informed in general terms that personal data would be processed both within and outside the territory of the European Union. Furthermore, the DPA found that the little information the students had received was presented in a fragmented and disorganized manner in various documents. The DPA considered this to be a violation of the principles of lawfulness, fairness and transparency. The DPA also found that the university had processed the personal data without a valid legal basis. Thus, consent to the processing of personal data was a prerequisite to participate in the exams in the first place. As an alternative to online exams, the option of an in-person exam was proposed. However, in the light of the  pandemic, this also meant an increased health risk. Students were also concerned that refusing to take the online exams would negatively impact their grades. Consequently, the DPA concluded that the students' consent could not be considered voluntary. Further, the DPA found that the university retained the data for 12 months, although this would not have been necessary for the purpose of ensuring that the exams were properly carried out. \nEventually, the DPA found violations related to the transfer of data to Respondus. The processing agreement between the University and Respondus was based on the data protection agreement between the EU and the USA, known as the Privacy Shield, although it had been declared invalid by the Schrems II ruling of the Court of Justice of the European Union (CJEU). For this reason, the DPA found that the university transferred personal data to a third country, even though this transfer was not in compliance with the conditions set forth in Chapter V of the GDPR.",
    "topics": [
      "jurisdiction_regulatory",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.783,
    "venue": "GDPR DPA: Italian Data Protection Authority (Garante)",
    "language": "en"
  },
  {
    "id": "ETid-1222",
    "title": "GDPR Fine: Clinic — Data Protection Authority of Berlin (Germany)",
    "authors": [
      "Data Protection Authority of Berlin"
    ],
    "date": "2021",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1222",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €Unknown | Articles: Unknown | Insufficient involvement of data protection officer | The DPA from Berlin has imposed a fine on a clinic. The clinic had appointed the clinic manager, who was also a shareholder of the clinic, as the data protection officer. A data protection officer may perform other tasks and duties, but the company must ensure that other tasks and duties do not lead to a conflict of interest. In the present case, however, there was such a conflict of interest. On the one hand, the clinic manager had to make economic decisions in his executive position, and on the other hand, he had to monitor the clinic's compliance with data protection law. The DPA also noted that such a dual role carries the risk that patients and employees would be hesitant to seek the assistance of the data protection officer, who is also the hospital director, with critical questions about the processing of personal data.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.783,
    "venue": "GDPR DPA: Data Protection Authority of Berlin",
    "language": "en"
  },
  {
    "id": "ETid-1305",
    "title": "GDPR Fine: Volkswagen — Data Protection Authority of Niedersachsen (Germany)",
    "authors": [
      "Data Protection Authority of Niedersachsen"
    ],
    "date": "2022-07-26",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1305",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €1,100,000 | Articles: Art. 13 GDPR, Art. 28 GDPR, Art. 30 GDPR, Art. 35 GDPR | Insufficient fulfilment of information obligations | The DPA of Lower Saxony has imposed a fine of EUR 1.1 million on Volkswagen. \n\nThe company had installed cameras on a test vehicle. The vehicle was being used to test and train the functionality of a driving assistance system to prevent traffic accidents. For this purpose, the traffic around the vehicle was recorded with the cameras.\n\nHowever, Volkswagen failed to provide information in accordance with Art. 13 GDPR about the data processing by the cameras attached to the vehicle. \n\nThe DPA further found that, contrary to its obligation under Art. 28 GDPR, Volkswagen had not concluded a processing agreement with the company that carried out the journeys. Also, no data protection impact assessment pursuant to Art. 35 GDPR had been carried out and the technical and organizational protection measures had not been outlined in the list of processing activities.\n\nVolkswagen has cooperated extensively with the DPA.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.783,
    "venue": "GDPR DPA: Data Protection Authority of Niedersachsen",
    "language": "en"
  },
  {
    "id": "ETid-1486",
    "title": "GDPR Fine: TECHPUMP SOLUTIONS S.L. — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2022-10-31",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1486",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00555-2021.pdf",
    "doi": "",
    "abstract": "Fine: €525,000 | Articles: Art. 5 (1) a), b), e) GDPR, Art. 6 (1) GDPR, Art. 8 GDPR, Art. 12 (1), (2) GDPR, Art. 13 GDPR, Art. 25 GDPR, Art. 30 (1) GDPR, Art. 22 (2) LSSI | Non-compliance with general data processing principles | The Spanish DPA has fined Techpump Solutions S.L. EUR 525,000. Techpump operates several websites with adult content. The DPA found several violations of data protection law during its investigation. Firstly, the DPA found that, contrary to the specified information in the privacy policy, Techpump shared users' personal data with companies belonging to the same group. In addition, the DPA found that Techpump had not specified a retention period for users' personal data and kept it indefinitely until users requested to withdraw their consent. Techpump also processed users' personal data without first obtaining their consent. Further, the DPA found that Techpump did not have sufficient parental controls to prevent minors under the age of 14 from accessing its content. In addition, Techpump's privacy policy was only available in English, rather than Spanish, and the information was not clearly understandable. Techpump also required that individuals who wished to exercise their data subject rights submit their ID card information in order to verify their identity. The DPA considered this to be an unacceptable impediment to the exercise of data subject rights. Finally, Techpump also collected various data such as IP addresses and WIFI data without having defined a processing purpose for it.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.783,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-1844",
    "title": "GDPR Fine: Meta Platforms Ireland Limited — Data Protection Authority of Ireland (Ireland)",
    "authors": [
      "Data Protection Authority of Ireland"
    ],
    "date": "2023-05-12",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1844",
    "pdfUrl": "https://edpb.europa.eu/system/files/2022-09/edpb_bindingdecision_20222_ie_sa_instagramchildusers_en.pdf",
    "doi": "",
    "abstract": "Fine: €1,200,000,000 | Articles: Art. 46 (1) GDPR | Insufficient legal basis for data processing | The Irish DPA (DPC) has fined Meta Platforms Ireland Limited EUR 1.2 billion. This is the highest fine imposed to date under the GDPR. In its decision, the DPC found that Meta had violated Art. 46 GDPR by continuing to transfer personal data to the U.S. after the Schrems II ruling of the CJEU. According to the Schrems II ruling, U.S. law does not provide a level of protection for personal data substantially equivalent to that provided by EU law, and the standard contractual clauses (SCCs) also do not provide sufficient protection. Meta based its data transfers on the SCCs and additional own safeguards. However, during its investigation, the DPC determined that these additional measures did not compensate for the inadequate protections provided by U.S. law. \n\nFollowing the investigation, the DPC submitted a draft decision to other concerned supervisory authorities pursuant to Art. 60 GDPR. In response, the DPC received objections from supervisory authorities, which led to a dispute resolution procedure before the European Data Protection Board (EDPB). In its decision, the EDPB asked the DPC to amend the proposed fine and adapt it to the seriousness of the data protection breach.\n\nThe DPC also ordered Meta to cease any future transfer of personal data to the U.S., as well as to cease storage, within six months, of data already transferred to the U.S.\n\nMeta has announced that it will appeal the ruling and seek a suspension of the orders in court.",
    "topics": [
      "jurisdiction_regulatory",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.783,
    "venue": "GDPR DPA: Data Protection Authority of Ireland",
    "language": "en"
  },
  {
    "id": "doaj:1f8a29464e484c0fb693a96864304e98",
    "title": "The Fundraiser's Transfer of Personal Data from the European Union to the United States in Context of Crowdfunding Activities",
    "authors": [
      "Nicolai Kjærgaard Sørensen",
      "Ulla Steen"
    ],
    "date": "2022",
    "platform": "doaj",
    "sourceUrl": "https://journals.aau.dk/index.php/NJCL/article/view/7545",
    "pdfUrl": "",
    "doi": "10.54337/ojs.njcl.2.7545",
    "abstract": "European start-up companies must overcome more ‘transfer hurdles’ when personal data is transferred from the European Union to the US (United States of America) as part of crowdfunding campaign activities. Transfer of personal data is commonly not associated with (small scale) crowdfunding activities. However, the strict rules of the EU GDPR (European General Data Protection Regulation) on safeguarding personal data apply to all companies when data is transferred from the EU to the US - regardless the size of the business.\n\r\n\nThis article identifies exchange of personal data that takes place between primarily fundraiser and crowdfunding service provider in different steps of fundraising campaigns. The framework for rewardbased crowdfunding for goods production that is provided by the US based Indiegogo platform is used as example and context. The article highlights by way of example the obligations that must be met by European fundraisers as \"data controllers\" when personal data is transferred to Indiegogo. No easy solutions are provided by either European Union or national data protection authorities on how to establish an adequate level of personal data protection. Paradigms on how to secure transfer of personal data to third countries are available in form of so-called standard contractual clauses, but still conditions for transfer of personal data from Europe to the US are hard to comply with. Apart from entering into an inter partes agreement on use of standard contractual clauses with the crowdfunding platform provider, a European fundraiser must furthermore make a so-called \"transfer impact assessment\" to ensure that third party access to personal data is avoided. In the case of transfer of personal data from the EU to the US the fundraiser must consider using encryption of data as a \"supplementary measure\" to block third party access. 
Encryption of data is however not suitable for exchange of data in a dynamic crowdfunding campaign so other means for protection of data must be found and applied.\n\r\n\nThe reason and explanation for making data transfers from the EU to the US that hard for e.g., fundraisers are thus to be found at interstate level in the relation between the EU and the US. According to EU law, more specifically the GDPR and several of the provisions of the Charter of Fundamental Rights of the European Union, US security legislation authorises a disproportionate access for US intelligence services to citizens' personal data. A solution on manageable transfer of personal data from the EU to the US may be found before the end of 2022, since a new TADP (Trans-Atlantic Data Privacy Framework) is currently being negotiated between EU and US at top politician level. However, the implementation of the TADP may take some time since the EU legislative framework needs adjustments to make the new transfer possibilities operational.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.767,
    "venue": "Nordic Journal of Commercial Law",
    "language": "en"
  },
  {
    "id": "doaj:70b9fc7d25844567bcf0acdab68901c9",
    "title": "Data Privacy Across Borders: A Comparative Analysis of European Union and Indian Protection Laws",
    "authors": [
      "Anita Yadav",
      "Rabikant Pandey"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://bolognalawreview.unibo.it/article/view/22377",
    "pdfUrl": "",
    "doi": "10.6092/issn.2531-6133/22377",
    "abstract": "Cross-border data protection frameworks increasingly shape global digital governance as privacy rights intersect with economic imperatives. This article examines the European Union’s General Data Protection Regulation (GDPR) and India’s Digital Personal Data Protection Act (DPDP Act) through comparative legal analysis, evaluating their distinct approaches to international data transfers and privacy safeguards. The GDPR establishes privacy as a fundamental right through extraterritorial application and stringent adequacy mechanisms, while India’s DPDP Act balances individual data protection with economic development objectives in one of the world’s fastest-growing digital markets. This study employs doctrinal methodology and comparative legal analysis to explore privacy within the international human rights framework, emphasising personal data sovereignty as essential to human dignity. Drawing on surveillance theory and analysing the GDPR’s adequacy mechanism against India’s data localisation and cross-border transfer provisions, the research reveals significant divergences in regulatory philosophy and enforcement mechanisms. The analysis demonstrates that India’s evolving engagement with global data protection standards positions it as a critical actor in developing harmonised international frameworks. The findings indicate that reconciling the EU’s rights-based approach with India’s development-oriented model requires adaptive governance structures that accommodate diverse regulatory contexts. This research contributes to understanding how divergent legal traditions can converge toward cooperative data governance, highlighting implications for international trade negotiations, digital sovereignty debates, and the architecture of future cross-border data transfer mechanisms that balance privacy protection with economic integration.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory",
      "data_anonymization",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.767,
    "venue": "University of Bologna Law Review",
    "language": "en"
  },
  {
    "id": "europepmc:PPR1098869",
    "title": "Federated Learning for Agentic Gen AI in Financial Risk Management for National Financial Security",
    "authors": [
      "Joshi S."
    ],
    "date": "2025-10-07",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.20944/preprints202510.0524.v1",
    "pdfUrl": "https://doi.org/10.20944/preprints202510.0524.v1",
    "doi": "10.20944/preprints202510.0524.v1",
    "abstract": "Agentic Gen AI deployment is critically hampered by the siloed and sensitive nature of financial data, stringent data privacy regulations (e.g., GDPR, CCPA), and growing cybersecurity threats. This paper provides a comprehensive analysis of the synergistic integration of Federated Learning with Generative and Agentic AI systems for financial risk management. We explore the technical foundations of FL, its role in training and deploying Gen AI models like Large Language Models (LLMs) for synthetic data generation and risk analysis, and its function as the backbone for secure, collaborative Agentic AI systems that can autonomously navigate complex, multi-institutional workflows. The paper surveys key applications in anti-financial crime (AFC), credit risk assessment, and market risk modeling, while also addressing the persistent challenges—including communication overhead, systems heterogeneity, and model security—that must be overcome. We summarize recent FL frameworks including FedAvg with partial model averaging, federated LLM fine-tuning with differential privacy, secure multi-party computation protocols, and edge-FL hybrid systems. Our technical review includes: (1) FedF1 aggregation for imbalanced financial datasets achieving 10-15% AUC improvement, (2) Privacy-preserving synthetic data generation via federated diffusion models with 0.85-0.95 data fidelity, (3) Agentic AI systems with federated policy learning demonstrating 80-90% task completion rates, and (4) Secure aggregation protocols providing formal privacy guarantees. Experimental results across financial applications show significant performance gains: 20-30% improvement in AML detection, 20-25% reduction in false positives, and 30-40% cost savings in automated compliance. 
The reviewed architectures address critical challenges in data privacy, regulatory compliance (GDPR, CCPA, Basel III), and cross-institutional collaboration while maintaining model accuracy within 2-4% of centralized approaches. Our wo",
    "topics": [
      "privacy_engineering",
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.767,
    "venue": "",
    "language": "de"
  },
  {
    "id": "crossref:10.21203/rs.3.rs-3612315/v1",
    "title": "Towards Privacy Preserved Document Image Classification - A Comprehensive Benchmark",
    "authors": [
      "Saifullah Saifullah",
      "Dominique Mercier",
      "Stefan Agne",
      "Andreas Dengel",
      "Sheraz Ahmed"
    ],
    "date": "2023-11-17",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.21203/rs.3.rs-3612315/v1",
    "pdfUrl": "https://www.researchsquare.com/article/rs-3612315/v1",
    "doi": "10.21203/rs.3.rs-3612315/v1",
    "abstract": "As data-driven AI systems become increasingly integrated into industry, concerns have recently arisen regarding potential privacy breaches and the inadvertent leakage of sensitive user data through the exploitation of these systems. In this paper, we explore the intersection of data privacy and AI-powered document analysis systems, presenting a comprehensive benchmark of well-known privacy-preserving methods for the task of document image classification. In particular, we investigate four different privacy methods---Differential Privacy (DP), Federated Learning (FL), Differentially Private Federated Learning (DP-FL), and Secure Multi-Party Computation (SMPC)---on two well-known document benchmark datasets, namely RVL-CDIP and Tobacco3482. Furthermore, we investigate the performance of each method under a variety of configurations for thorough benchmarking. Finally, the privacy strength of each approach is assessed by subjecting the private models to well-known membership inference attacks. Our results demonstrate that, with sufficient tuning of hyperparameters, Differential Privacy (DP) can achieve reasonable performance on the task of document image classification while also ensuring rigorous privacy constraints, both in standalone and federated learning setups. On the other hand, while FL-based approaches present less implementation complexity and incur little to no loss in performance on the task, they do not offer sufficient protection against privacy attacks. By rigorously benchmarking various privacy approaches, our study paves the way for integrating deep document classification models into industrial pipelines while meeting regulatory and ethical standards, including GDPR and the AI Act 2022.",
    "topics": [
      "privacy_engineering",
      "data_anonymization",
      "jurisdiction_regulatory",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations",
      "Solutions Market"
    ],
    "relevanceScore": 0.767,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.4337/9781802205657.00027",
    "title": "Governing AI in the European Union: emerging infrastructures and regulatory ecosystems in health",
    "authors": [
      "Minssen, Timo",
      "Solaiman, Barry",
      "Köttering, Lea",
      "Wested, Jakob",
      "Malik, Abeer"
    ],
    "date": "2024-07-16",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.4337/9781802205657.00027",
    "pdfUrl": "",
    "doi": "10.4337/9781802205657.00027",
    "abstract": "The European Union (EU) has been at the forefront of developing sophisticated artificial intelligence (AI) and data governance frameworks, driven by a commitment to data protection, digital rights, fundamental values and ethical standards. This chapter examines the evolving EU AI-related regulations and their potential implications for healthcare, highlighting key instruments including the Artificial Intelligence Act (AI Act), the AI Liability Directive (AILD) and the revised Product Liability Directive (revised PLD), and their intersection with AI medical devices under the Medical Device Regulation (MDR) and generative AI (GenAI). Additionally, it delves into the complex interplay between the General Data Protection Regulation (GDPR) and the AI Act, alongside an examination of the sector-specific European Health Data Space (EHDS) regulation, underscoring the need for additional instruments to govern non-personal data sharing. While the EU’s multifaceted regulatory framework aims to strike a balance between seizing the opportunities of recent AI developments and safeguarding against potential harms, challenges arise from overlapping regulations and the lack of specific healthcare focus. As these regulations come into force, systematic analyses will be imperative to fully assess their impact. Ultimately, calibrating the risks of over- and under-regulation will be a delicate task where potential trade-offs will have to be carefully considered with a keen eye on international competition and the protection of fundamental values.",
    "topics": [
      "gdpr_compliance",
      "ai_governance",
      "power_knowledge_asymmetry",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.767,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.63126/mzbq4150",
    "title": "The Impact of Artificial Intelligence on Medical Ethics and Confidentiality: Current State and Future Prospects in Morocco",
    "authors": [
      "Oussama LOUKILI",
      "Imane BAGHAD",
      "Hind ABOUZAHIR",
      "Samir NYA"
    ],
    "date": "2025-10-03",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.63126/mzbq4150",
    "pdfUrl": "",
    "doi": "10.63126/mzbq4150",
    "abstract": "The integration of Artificial Intelligence (AI) into healthcare systems introduces substantial ethical, legal, and data governance challenges, particularly in relation to medical confidentiality and the protection of personal health information. While AI offers considerable benefits in diagnostics, personalized care, and predictive modeling, it raises significant concerns regarding algorithmic transparency, informed consent, data privacy, and liability. This article presents a normative and comparative analysis of the regulatory landscape governing AI in healthcare, with a focus on Morocco. It evaluates the adequacy of Moroccan Law 09-08 in comparison to the European General Data Protection Regulation (GDPR) and the United States’ Health Insurance Portability and Accountability Act (HIPAA). The study identifies critical gaps in Morocco’s current legal framework, including the absence of AI-specific provisions, limited safeguards for automated decision-making, and weak institutional enforcement. It proposes legal and policy reforms such as revising Law 09-08, adopting a sector-specific AI law for healthcare, enhancing the capacity of the national data protection authority (CNDP), and promoting ethical training for healthcare professionals and developers. Rather than impeding innovation, ethical regulation is framed as a necessary condition for building trustworthy, accountable, and equitable AI systems. By drawing from international best practices while adapting to national realities, Morocco has the potential to become a leader in responsible AI governance in healthcare.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory",
      "power_knowledge_asymmetry",
      "ai_governance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.767,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::135b5325ba7dd655327883526875692d",
    "title": "Towards a Code of Conduct for the re-use and integration of Virtual Human Twins: analysis of the legal landscape and identification of legal and ethical challenges",
    "authors": [
      "Cristofaro, Lorenzo"
    ],
    "date": "2024-12-18",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.5281/zenodo.14516807",
    "pdfUrl": "",
    "doi": "10.5281/zenodo.14516807",
    "abstract": "This deliverable D6.2 is designed as an in-depth analysis of the essential elements to be considered when proceeding towards establishing a Code of conduct, with the aim of serving as a compliance-enabler and an accountability tool under the General Data Protection Regulation, for the re-use and integration of Virtual Human Twins in healthcare.  D6.2 focuses on two primary objectives: (i) assisting all stakeholders composing the VHT ecosystem in identifying the key legal and regulatory challenges that need to be overcome for ensuring compliance with various applicable regulations, and (ii) offering specific recommendations with the aim of helping European policymakers to better identify and remove the obstacles, detected within the complex and multi-layered legal framework, that currently hinder a wider adoption of VHTs and Europe’s global leadership in this field.  To this end, the following document first analyzes the current EU general regulatory and policy scenario in the AI and data-driven landscape, exploring the outcomes of some significant public initiatives carried out with the same scope of outlining the applicable barriers to scientific and technological innovation. Secondly, it sets out a comprehensive state-of-the-art on data anonymization, data pseudonymization and Privacy-Enhancing Technologies, both from a technical and a legal perspective, highlighting the key role that synthetic data may play in the future. Subsequently, all – already in force or forthcoming – EU regulations with major impacts on the VHT ecosystem are comprehensively investigated, including: the General Data Protection Regulation (providing a practical focus on some of EDITH’s specific use cases); the European Health Data Space; the Artificial Intelligence Act; the Data Governance Act and the Data Act; the Clinical Trial Regulation; the Medical Device Regulation and the In Vitro Diagnostic medical devices Regulation.  
Following this extensive analysis, Intellectual Property Rights ",
    "topics": [
      "jurisdiction_regulatory",
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.767,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:4972082",
    "title": "Regulatory Compliance and Ethical Considerations: Compliance challenges and opportunities with the integration of Big Data and AI",
    "authors": [
      "Elisha Blessing"
    ],
    "date": "2024",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-04972082v1",
    "pdfUrl": "https://hal.science/hal-04972082/document",
    "doi": "10.5281/zenodo.14926009",
    "abstract": "<div xmlns=\"http://www.tei-c.org/ns/1.0\"><p>The integration of Big Data and Artificial Intelligence (AI) technologies offers transformative potential for industries, accompanied by intricate challenges in regulatory compliance and ethical considerations. This paper explores the multifaceted landscape of compliance challenges, encompassing data privacy, security, and algorithmic transparency, alongside the evolving ethical considerations in AI and Big Data.</p><p>Drawing insights from case studies of successful organizations, the paper highlights proactive compliance measures, ethical AI frameworks, and collaborative approaches as opportunities for responsible integration. Anticipated future trends, including emerging regulatory developments and evolving ethical standards, are discussed. The conclusion emphasizes the imperative of a holistic and proactive approach to navigate challenges, leverage opportunities, and ensure the responsible integration of Big Data and AI in the evolving technological landscape.</p></div> <div xmlns=\"http://www.tei-c.org/ns/1.0\"><head>I. Introduction</head><p>A. Brief overview of Big Data and AI integration B. Importance of regulatory compliance and ethical considerations II. Regulatory Landscape A. Overview of existing regulations related to data and AI 1. GDPR (General Data Protection Regulation) 2. HIPAA (Health Insurance Portability and Accountability Act) 3. CCPA (California Consumer Privacy Act) 4. Other relevant regulations based on industry or location III. Compliance Challenges A. Data Privacy and Security 1. Ensuring proper data encryption and storage 2. Minimizing data breaches and unauthorized access 1. Implementing privacy-by-design principles 2. Conducting regular audits and assessments B. Ethical AI Frameworks 1. Adopting ethical guidelines for AI development and deployment 2. Promoting responsible AI practices within the organization C. Collaboration with Stakeholders 1. 
Engaging with regulators, industry peers, and advocacy groups 2. Building a collaborative approach to address compliance challenges VI. Case Studies A. Examples of organizations successfully navigating compliance and ethics in Big Data and AI B. Lessons learned and best practices from these cases VII. Future Trends A. Emerging regulatory developments B. Evolving ethical considerations in AI and Big Data C. Anticipated challenges and opportunities VIII. Conclusion A. Summarizing the importance of regulatory compliance and ethical considerations in the integration of Big Data and AI B. Emphasizing the need for a holistic and proactive approach to address challenges and leverage opportunities.</p></div>",
    "topics": [
      "gdpr_compliance",
      "ai_governance",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.767,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:5081650",
    "title": "Personal Data Sovereignty in Virtual Enterprises: Implementing Data Capsules for Enhanced Privacy and Compliance",
    "authors": [
      "Vijon Baraku",
      "Iraklis Paraskakis",
      "Simeon Veloudis",
      "Poonam Yadav"
    ],
    "date": "2024-10-28",
    "platform": "hal",
    "sourceUrl": "https://inria.hal.science/hal-05081650v1",
    "pdfUrl": "https://inria.hal.science/hal-05081650/document",
    "doi": "10.1007/978-3-031-71739-0_29",
    "abstract": "In the context of Virtual Enterprises (VEs), the intersection between big data analytics, data ownership, and regulatory compliance raises significant challenges. This paper presents a novel framework for redefining data control within VEs by transferring ownership from Data Controller entities to individuals. Central to this framework is the proposed novel notion of the Data Capsule, which empowers individuals with personal data sovereignty i.e., with the ability to dictate the terms and conditions of their data usage directly. The Data Capsule system leverages ontologies, semantic technologies, and blockchain to homogenise heterogeneous data, enable annotation, enforce governance rules, and assure transparency. This framework addresses the unique data management needs of VEs by promoting transparency and allowing all participants to openly state the level and type of engagement permitted with their data. By making individuals the primary custodians of their data, this paper intends to enhance privacy, security, and ethical data handling while avoiding the possible drawbacks of profit-driven approaches. The paper additionally considers compliance with pertinent legislation including the European Union’s General Data Protection Regulation (GDPR), the Data Governance Act and the AI Act. The suggested framework provides considerable benefits to SMEs in VEs, such as competitive advantage and cost savings. This paper outlines a research plan, provides a state-of-the-art analysis, establishes the system’s objectives, and aligns the framework with the needs of VEs.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.767,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:3555651",
    "title": "Privacy-Preserving Speaker Recognition with Cohort Score Normalisation",
    "authors": [
      "Andreas Nautsch",
      "Jose Patino",
      "Amos Treiber",
      "Themos Stafylakis",
      "Petr Mizera",
      "Massimiliano Todisco",
      "Thomas Schneider",
      "Nicholas Evans"
    ],
    "date": "2019-09-15",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-03555651v1",
    "pdfUrl": "",
    "doi": "10.21437/Interspeech.2019-2638",
    "abstract": "In many voice biometrics applications there is a requirement to preserve privacy, not least because of the recently enforced General Data Protection Regulation (GDPR). Though progress in bringing privacy preservation to voice biometrics is lagging behind developments in other biometrics communities, recent years have seen rapid progress, with secure computation mechanisms such as homomorphic encryption being applied successfully to speaker recognition. Even so, the computational overhead incurred by processing speech data in the encrypted domain is substantial. While still tolerable for single biometric comparisons, most state-of-the-art systems perform some form of cohort-based score normalisation, requiring many thousands of biometric comparisons. The computational overhead is then prohibitive, meaning that one must accept either degraded performance (no score normalisation) or potential for privacy violations. This paper proposes the first computationally feasible approach to privacy-preserving cohort score normalisation. Our solution is a cohort pruning scheme based on secure multi-party computation which enables privacy-preserving score normalisation using probabilistic linear discriminant analysis (PLDA) comparisons. The solution operates upon binary voice representations. While the binarisation is lossy in biometric rank-1 performance, it supports computationally-feasible biometric rank-n comparisons in the encrypted domain.",
    "topics": [
      "gdpr_compliance",
      "privacy_engineering",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.767,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.22214/ijraset.2025.74239",
    "title": "VoteGuard: A Hybrid Blockchain-AI Framework for Secure Electronic Voting with Enhanced Biometric Authentication and Decentralized Integrity",
    "authors": [
      "Kedar Pinniboyina"
    ],
    "date": "2025-09-30",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.22214/ijraset.2025.74239",
    "pdfUrl": "",
    "doi": "10.22214/ijraset.2025.74239",
    "abstract": "Contemporary electoral systems face an unprecedented trilemma encompassing security vulnerabilities, transparency deficits, and accessibility constraints that compromise democratic integrity. This research presents VoteGuard, an innovative hybrid framework that addresses these challenges through the strategic integration of artificial intelligence-driven biometric authentication and blockchain-based decentralized ledger technology. The proposed architecture employs a novel “Centralized Orchestration of Decentralized Trust” paradigm, wherein TensorFlow.js-powered facial recognition with liveness detection mechanisms ensures robust voter authentication at the edge, while a permissioned Ethereum Sepolia blockchain maintains immutable vote records through smart contract automation. The system leverages cutting-edge technologies including TypeScript for type-safe development, Bun runtime for optimized performance, React.js for responsive user interfaces, and IPFS for decentralized biometric data storage. Comprehensive evaluation demonstrates exceptional performance metrics: 99.5% biometric authentication accuracy with sub-300ms processing latency, processing capacity exceeding 75,000 votes per second, and complete cryptographic immutability of electoral records. Security analysis reveals multi-layered defense mechanisms including AES-256 encryption, SHA-256 cryptographic hashing, and zero-knowledge proof protocols for privacy preservation. The architecture achieves full regulatory compliance with GDPR requirements through data anonymization and provides real-time audit capabilities while maintaining voter privacy. Comparative analysis against traditional and existing digital voting systems demonstrates significant superiority in security metrics, operational efficiency, and voter confidence indicators, establishing VoteGuard as a foundational framework for next-generation democratic participation.",
    "topics": [
      "biometric_surveillance",
      "privacy_engineering",
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Biometric & Immutable PII",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.767,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4406651121",
    "title": "DisMed-LLM: De-identifying Spanish Medical Text with Large Language Models",
    "authors": [
      "Jesús Alejandro Alzate-Grisales",
      "Joshua Bernal-Salcedo",
      "Jose Manuel Saborit-Torres",
      "Alejandro Mora-Rubio",
      "Juan Manuel Serrano",
      "Francisco García‐García",
      "María de la Iglesia-Vayá"
    ],
    "date": "2025",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.36227/techrxiv.173750175.54269764/v1",
    "pdfUrl": "https://doi.org/10.36227/techrxiv.173750175.54269764/v1",
    "doi": "https://doi.org/10.36227/techrxiv.173750175.54269764/v1",
    "abstract": "The anonymization of medical texts in Spanish is essential for safeguarding patient privacy and ensuring compliance with regulations such as the General Data Protection Regulation (GDPR). This study explores the application of Large Language Models (LLMs) to automate the de-identification of Protected Health Information (PHI) in clinical texts, using foundational models like Gemma-2 (9B and 2B) and Llama (3.1 8B and 3.2 3B). Two benchmark datasets, DisMed and MEDDOCAN, were used to evaluate performance, providing a diverse range of clinical narratives and structured records for testing the models' efficacy. The methodology employed few-shot learning to guide LLMs in recognizing and tagging PHI entities such as names, dates, locations, and numerical identifiers. Custom evaluation metrics, including overlap-based and similarity-based methods, were introduced to address the limitations of traditional exact-match metrics, enabling a more nuanced analysis of model outputs. Post-processing steps ensured accurate and non-overlapping entity annotations to refine the anonymization process. Results showed that larger models, such as Gemma-2 9B and Llama 3.1 8B, achieved high F1 scores across most PHI categories, with particularly strong performance in standardized entities like addresses and locations. However, challenges remained in identifying diverse formats of dates and numerical data. The models demonstrated greater adaptability compared to traditional approaches, but occasional generation of hallucinated entities highlighted areas for improvement. Dataset quality and diversity significantly influenced performance, underscoring the importance of robust training data. The study concludes that LLMs are effective in automating the de-identification of Spanish medical texts, meeting the objective of providing a reliable and efficient anonymization solution. While computational costs and variability in certain outputs pose challenges, this work lays a strong foundation for future research to enhance the scalability and precision of these systems, facilitating secure data sharing and compliance in medical research.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "sector_healthcare"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Health & Genomic PII"
    ],
    "relevanceScore": 0.767,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4225011291",
    "title": "Questioning the EU proposal for an Artificial Intelligence Act: The need for prohibitions and a stricter approach to biometric surveillance",
    "authors": [
      "Irēna Barkāne"
    ],
    "date": "2022",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.3233/ip-211524",
    "pdfUrl": "https://content.iospress.com:443/download/information-polity/ip211524?id=information-polity%2Fip211524",
    "doi": "https://doi.org/10.3233/ip-211524",
    "abstract": "Artificial Intelligence (AI)-based surveillance technologies such as facial recognition, emotion recognition and other biometric technologies have been rapidly introduced by both public and private entities all around the world, raising major concerns about their impact on fundamental rights, the rule of law and democracy. This article questions the efficiency of the European Commission’s Proposal for Regulation of Artificial Intelligence, known as the AI Act, in addressing the threats and risks to fundamental rights posed by AI biometric surveillance systems. It argues that in order to meaningfully address risks to fundamental rights the proposed classification of these systems should be reconsidered. Although the draft AI Act acknowledges that some AI practices should be prohibited, the multiple exceptions and loopholes should be closed, and in addition new prohibitions, in particular to emotional recognition and biometric categorisation systems, should be added to counter AI surveillance practices violating fundamental rights. The AI Act should also introduce stronger legal requirements, such as third-party conformity assessment, fundamental rights impact assessment, transparency obligations as well as enhance existing EU data protection law and the rights and remedies available to individuals, thus not missing the unique opportunity to adopt the first legal framework that truly promotes trustworthy AI.",
    "topics": [
      "biometric_surveillance",
      "power_knowledge_asymmetry",
      "gdpr_compliance",
      "ai_governance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement",
      "Sector Regulations",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.767,
    "venue": "Information Polity",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4405625634",
    "title": "Harnessing AI for data privacy: Examining risks, opportunities and strategic future directions",
    "authors": [
      "Hakeemat Ijaiya"
    ],
    "date": "2024",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.30574/ijsra.2024.13.2.2510",
    "pdfUrl": "https://ijsra.net/sites/default/files/IJSRA-2024-2510.pdf",
    "doi": "https://doi.org/10.30574/ijsra.2024.13.2.2510",
    "abstract": "Artificial intelligence (AI) is transforming data privacy management, offering innovative solutions to safeguard sensitive information while simultaneously introducing new risks. AI-driven technologies, such as privacy-preserving machine learning, anomaly detection, and automated compliance tools, enable organizations to strengthen data protection frameworks, ensuring compliance with global regulations like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). However, the use of AI in data privacy also raises critical concerns, including the risk of algorithmic bias, potential misuse of sensitive data, and vulnerabilities in AI systems that could lead to breaches or violations of privacy rights. This study examines the dual-edged role of AI in data privacy, analysing its potential to revolutionize data security while addressing its inherent challenges. Key areas of focus include the adoption of federated learning and differential privacy techniques to enable secure data processing, the development of explainable AI (XAI) models to ensure transparency and accountability, and the integration of AI-driven anomaly detection systems to monitor and prevent unauthorized access. The study also highlights the importance of fostering global collaboration to establish standardized frameworks for AI governance in data privacy. By identifying the opportunities and risks associated with AI-driven innovations, this research provides actionable insights for policymakers, organizations, and researchers. It emphasizes the need for robust ethical and technical safeguards to maximize the benefits of AI while mitigating its potential harms. A balanced approach to leveraging AI for data privacy will be pivotal in building public trust and ensuring long-term sustainability in the digital era.",
    "topics": [
      "gdpr_compliance",
      "privacy_engineering",
      "data_anonymization",
      "ai_governance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.767,
    "venue": "International Journal of Science and Research Archive",
    "language": "en"
  },
  {
    "id": "s2:3a9073145c8eb4786071d8b60ee7d32d32e10966",
    "title": "Privacy and Data Protection in AI: A Comparative Analysis of EU and Indian Regulatory Frameworks",
    "authors": [
      "Tushita Gupta",
      "Dr. Vivek Junghare"
    ],
    "date": "2026-02-18",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/3a9073145c8eb4786071d8b60ee7d32d32e10966",
    "pdfUrl": "",
    "doi": "10.47191/ijsshr/v9-i2-32",
    "abstract": "The rapid proliferation of artificial intelligence (AI) technologies has fundamentally transformed how personal data is collected, processed, and utilized across global jurisdictions. As AI systems increasingly permeate critical sectors—from healthcare and finance to law enforcement and social services—the tension between technological innovation and fundamental privacy rights has intensified. This paper examines the regulatory approaches to privacy and data protection in AI, with particular emphasis on comparing the European Union's General Data Protection Regulation (GDPR) framework with India's evolving data protection regime, specifically the Digital Personal Data Protection Act (DPDP) of 2023. The comparative analysis focuses on three critical dimensions: (1) AI surveillance and the right to privacy, (2) consent and data ownership in machine learning systems, and (3) biometric data regulation and facial recognition technologies. These areas represent the frontier of regulatory challenges where the capabilities of AI systems most directly confront individual privacy rights and societal values. While the EU has established a comprehensive, rights-based framework through the GDPR, India's regulatory landscape reflects a hybrid approach that balances data protection principles with developmental priorities and state interests. Understanding these divergent yet converging regulatory philosophies is essential for multinational organizations, policymakers, and researchers navigating the complex terrain of AI governance. The adequacy of cross-border data flows, enforcement mechanisms, and practical implementation challenges all hinge on how these jurisdictions operationalize their respective frameworks in the context of rapidly evolving AI capabilities.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "biometric_surveillance",
      "ai_governance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Biometric & Immutable PII",
      "Enforcement"
    ],
    "relevanceScore": 0.767,
    "venue": "International journal of social science and human research",
    "language": "en"
  },
  {
    "id": "openaire:oai:cris.unibo.it:11585/847919",
    "title": "Data Processing in Context: an Uncertain Regulation for a Big Data Society",
    "authors": [
      "Podda, Emanuela"
    ],
    "date": "2021-01-01",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=oai:cris.unibo.it:11585/847919",
    "pdfUrl": "",
    "doi": "",
    "abstract": "As the quantity and complexity of data keeps increasing, individuals need to be aware of the level of privacy and data protection recognized to their data. The number of techniques to violate data protection tools and exploit data has increased exponentially, spinning the development of de-anonymization attacks, and increasing the vulnerability of information systems handling microdata. For this reason, implementing appropriate data minimization techniques and disclosure practices is essential, implying - as a first step - understanding the legal context and the terminology of the main data protection tools of privacy by design provided by the General Data Protection Regulation, as anonymization and pseudonymization.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.767,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:4957014",
    "title": "STAGE - Ethics Report n°1",
    "authors": [
      "Jeanne Fras",
      "Clarisse Bardiot",
      "Alessia Smaniotto"
    ],
    "date": "2025-01-15",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-04889146v2",
    "pdfUrl": "https://hal.science/hal-04889146/document",
    "doi": "",
    "abstract": "STAGE, through its research objectives and questions, is directly impacted by European and French legislation in several areas, including the GDPR, the French Data Protection Act, and the AI Act. Consequently, extensive ethics screening and regular reporting are among the core challenges of the research process. The project involves the collection of personal data, the study of copyrighted content, and the use of AI for data processing. Most critically, it addresses the ethical implications of publishing results and research outputs derived from these activities. While anonymization and pseudonymization of data were proposed to mitigate ethical concerns during data collection and processing, the nature of the studies to be conducted sometimes conflicts with these solutions. To ensure robust and comprehensive compliance with these recommendations and legal constraints, STAGE will produce multiple ethics reports. These reports will document the established workflows, tools, and solutions employed, while also keeping a detailed record of decision-making processes and their justifications. This document, the first in this series of ethics reports, was thoughtfully prepared with the guidance, advice, and validation of the Data Protection Officer at Université Rennes 2, an ethics advisor, and the Comité d’Éthique de la Recherche.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.767,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:5401900",
    "title": "The Impact Of Federated Learning On Preserving Data Privacy In Cloud-based AI Models",
    "authors": [
      "Aditi Ramanathan"
    ],
    "date": "2018",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-05401900v1",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Federated learning (FL) has emerged as a transformative framework for building artificial intelligence (AI) models without directly sharing raw data among servers or organizations. Traditional cloud-based AI architectures rely on centralized data aggregation, where sensitive information is collected from multiple users and stored in one location for model training. This process, while effective in producing high-performance models, exposes critical vulnerabilities in data security, privacy, and ownership. Federated learning addresses these challenges through decentralized model training—allowing multiple devices or silos to collaboratively learn a shared model while keeping the raw data localized. Each participant trains the global model using its local dataset and transmits only model parameters or gradients to a central aggregator. This mechanism reduces the risk of data leakage or misuse and aligns with rising privacy regulations like GDPR and HIPAA. The approach is especially valuable in healthcare, finance, and telecommunications, where data privacy is not only ethical but legally enforced. Advances in encryption, secure aggregation, and differential privacy augment FL’s resilience against adversarial attacks. However, challenges still persist, including communication overhead, system heterogeneity, and the threat of malicious model updates. Integrating FL with cloud infrastructures introduces new paradigms for balancing computational efficiency and regulatory compliance. This synergy transforms traditional centralized machine learning pipelines into privacy-preserving distributed ecosystems. The evolution of FL also influences edge computing, enabling low-latency, privacy-aware learning closer to data sources. With ongoing research in adaptive aggregation protocols and homomorphic encryption, FL stands poised to redefine the standards of privacy-preserving AI. Its adoption marks a significant step toward responsible AI ecosystems where intelligence develops collaboratively without compromising the confidentiality of user data.",
    "topics": [
      "privacy_engineering",
      "data_anonymization",
      "ai_governance",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.767,
    "venue": "International Journal of Scientific Research & Engineering Trends",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4411570869",
    "title": "Unionsrechtliche Grundlagen der Digitalisierung",
    "authors": [
      "Walter Obwexer"
    ],
    "date": "2025",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.5771/9783748953470-27",
    "pdfUrl": "https://www.nomos-elibrary.de/10.5771/9783748953470-27.pdf",
    "doi": "https://doi.org/10.5771/9783748953470-27",
    "abstract": "Digitalisation represents one of the key transversal challenges of our time, permeating all areas of life and the economy. This contribution examines the legal foundations of this development under European Union law, tracing the evolution and systematisation of the relevant secondary legislation. The analysis focuses on the legal bases in primary law, in particular the internal market competence, and their normative expression through a range of regulatory instruments. Following an introduction to the open-ended concept of \"digitalisation,\" the chapter addresses early legal acts governing information and communication technologies. Subsequently, it analyses the establishment of the Digital Single Market through key instruments such as the General Data Protection Regulation (GDPR), the Copyright Directive in the Digital Single Market, the Open Data Directive, and the Platform-to-Business Regulation. Particular emphasis is placed on the Union's Digital Strategy initiated in 2020, which has materialised in a comprehensive legislative package: the Data Governance Act, Digital Markets Act, Digital Services Act, Data Act, AI-Act, Cyber Resilience Act and the European Health Data Space. The author demonstrates how the Union is undergoing a paradigmatic shift towards a value-based, fundamental rights-oriented regulation of digital technologies, aiming to ensure a fair and secure digital internal market. The Digital Strategy, to be implemented by 2030, is based on the principles of \"technology that works for people,\" \"a fair digital economy\", and \"an open, democratic society,\" and aspires to make Europe digitally sovereign and globally influential.",
    "topics": [
      "jurisdiction_regulatory",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.754,
    "venue": "Nomos Verlagsgesellschaft mbH & Co. KG eBooks",
    "language": "de"
  },
  {
    "id": "crossref:10.69554/qnar4619",
    "title": "Ethics and privacy in AI regulation: Navigating challenges and strategies for compliance",
    "authors": [
      "Marta Dunphy-Moriel",
      "Laura Berton"
    ],
    "date": "2025-03-01",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.69554/qnar4619",
    "pdfUrl": "",
    "doi": "10.69554/qnar4619",
    "abstract": "A new summer of artificial intelligence (AI) started a year ago, promising tantalising technical development and efficiencies of scale, while in parallel the Internet is flooded with advice, notes and analysis of AI’s impact and risks. Although the potential use of AI is promising and could help solve very real human challenges, the risks and societal impact are real too. With AI infiltrating all areas of life, such as online platforms, work, healthcare, social services and the justice system, it is essential that it is developed within key safety parameters. Furthermore, it is no secret that for AI to be effective it needs to process vast quantity of data, which is at odds with the General Data Protection Regulation (GDPR) principles of data minimisation. Businesses are repeatedly told to mitigate such risks on fundamental rights, privacy, discrimination, biases, etc. with stringent privacy and AI governance, all within an ethical framework and in compliance with existing legislation. Among the bombardment of information, this paper seeks to provide practical guidelines to comply with existing privacy regulation while implementing safe and trustworthy AI. The first part considers compliance with the GDPR while developing or using AI, while the second part provides practical recommendations in relation to the implementation of an ethical AI framework.",
    "topics": [
      "ai_governance",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.754,
    "venue": "Journal of Data Protection &amp; Privacy",
    "language": "en"
  },
  {
    "id": "openaire:10.36948/ijfmr.2025.v07i05.57558",
    "title": "Privacy-Preserving Federated Learning: Challenges, Techniques, and Prospects for Distributed AI",
    "authors": [
      "Aditya Kumar",
      "Mahip Chaurasia",
      "Rishita Singh"
    ],
    "date": "2025-10-13",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.36948/ijfmr.2025.v07i05.57558",
    "pdfUrl": "",
    "doi": "10.36948/ijfmr.2025.v07i05.57558",
    "abstract": "The rapid growth of data-driven applications in healthcare, finance, IoT, and autonomous systems has created a pressing need for privacy-preserving and scalable machine learning methods. Traditional centralized learning, which aggregates data into a single repository, faces challenges related to data privacy, security, communication overhead, and regulatory compliance. Federated Learning (FL) offers a decentralized solution, enabling multiple clients to collaboratively train a global model without sharing raw data. Only model updates are exchanged, preserving privacy while leveraging distributed computational resources. This paper reviews FL architectures—including centralized, decentralized, horizontal, vertical, cross-device, and cross-silo—along with core components such as local clients, central servers, and communication protocols. Privacy-preserving techniques like differential privacy, secure aggregation, homomorphic encryption, and anonymization/pseudonymization are discussed to protect sensitive information. FL applications span healthcare, finance, IoT, smart devices, and autonomous systems, highlighting its transformative potential. Key challenges include data and system heterogeneity, efficient aggregation, personalization, robustness, and regulatory compliance. Future directions focus on enhanced privacy, communication efficiency, model personalization, and integration with edge and IoT environments. FL thus represents a promising paradigm for secure, collaborative, and distributed artificial intelligence.",
    "topics": [
      "data_anonymization",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.754,
    "venue": "International Journal For Multidisciplinary Research",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4405269736",
    "title": "Privacy-Preserving Customer Support: A Framework for Secure and Scalable Interactions",
    "authors": [
      "Abhiram Awasthi",
      "C. Edward Jaya Singh",
      "Richa Varma",
      "Sanchit Sharma",
      "Sharma, Sanchit"
    ],
    "date": "2024",
    "platform": "OpenAlex",
    "sourceUrl": "http://arxiv.org/abs/2412.07687",
    "pdfUrl": "https://arxiv.org/pdf/2412.07687",
    "doi": "https://doi.org/10.48550/arxiv.2412.07687",
    "abstract": "The growing reliance on artificial intelligence (AI) in customer support has significantly improved operational efficiency and user experience. However, traditional machine learning (ML) approaches, which require extensive local training on sensitive datasets, pose substantial privacy risks and compliance challenges with regulations like the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). Existing privacy-preserving techniques, such as anonymization, differential privacy, and federated learning, address some concerns but face limitations in utility, scalability, and complexity. This paper introduces the Privacy-Preserving Zero-Shot Learning (PP-ZSL) framework, a novel approach leveraging large language models (LLMs) in a zero-shot learning mode. Unlike conventional ML methods, PP-ZSL eliminates the need for local training on sensitive data by utilizing pre-trained LLMs to generate responses directly. The framework incorporates real-time data anonymization to redact or mask sensitive information, retrieval-augmented generation (RAG) for domain-specific query resolution, and robust post-processing to ensure compliance with regulatory standards. This combination reduces privacy risks, simplifies compliance, and enhances scalability and operational efficiency. Empirical analysis demonstrates that the PP-ZSL framework provides accurate, privacy-compliant responses while significantly lowering the costs and complexities of deploying AI-driven customer support systems. The study highlights potential applications across industries, including financial services, healthcare, e-commerce, legal support, telecommunications, and government services. By addressing the dual challenges of privacy and performance, this framework establishes a foundation for secure, efficient, and regulatory-compliant AI applications in customer interactions.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.754,
    "venue": "arXiv (Cornell University)",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4366826420",
    "title": "Interoperability and governance in the European Health Data Space regulation",
    "authors": [
      "Petros Terzis",
      "OE Santamaria Echeverria"
    ],
    "date": "2023",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1177/09685332231165692",
    "pdfUrl": "https://doi.org/10.1177/09685332231165692",
    "doi": "https://doi.org/10.1177/09685332231165692",
    "abstract": "The proposal for a regulation on the European Health Data Space (EHDS) is a much-awaited project. It aspires to create a harmonised framework – a common European data space – for the administration of health data (primary use) across Member States and the promotion of healthcare research and innovation (by establishing rules for the secondary use of health data). As such, although the EHDS proposal is a legal document, in its essence, it includes provisions that introduce not only legal, but also institutional, and technical-infrastructural changes. Overall, together with the Regulation 2017/745 on medical devices, the Data Governance Act (DGA), the Data Act, the AI Act, and the General Data Protection Regulation (GDPR), the EHDS proposal will complete the regulatory canvas for the use of health data in the European Union. Although we are supportive of the EHDS initiative, there are aspects of the proposal that require further debate, reconsideration, and amendments. Following previous work on potential power asymmetries encapsulated in the Proposal, in this commentary, we focus on the provisions of/for interoperability of the Electronic Health Record (EHR) systems (Ar. 14–32) as well as the provisions on the structure of Health Data Access bodies and their cross-border organisation (section 3). We recommend a series of amendments to orientate the EHDS project better to its constitutive goals: the promotion of public health research and respect for the rights of the individuals.",
    "topics": [
      "jurisdiction_regulatory",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.754,
    "venue": "Medical Law International",
    "language": "en"
  },
  {
    "id": "arxiv:2012.04699",
    "title": "Class Clown: Data Redaction in Machine Unlearning at Enterprise Scale",
    "authors": [
      "Daniel L. Felps",
      "Amelia D. Schwickerath",
      "Joyce D. Williams",
      "Trung N. Vuong",
      "Alan Briggs",
      "Matthew Hunt",
      "Evan Sakmar",
      "David D. Saranchak",
      "Tyler Shumaker"
    ],
    "date": "2020-12-08",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2012.04699v1",
    "pdfUrl": "https://arxiv.org/pdf/2012.04699v1",
    "doi": "",
    "abstract": "Individuals are gaining more control of their personal data through recent data privacy laws such the General Data Protection Regulation and the California Consumer Privacy Act. One aspect of these laws is the ability to request a business to delete private information, the so called \"right to be forgotten\" or \"right to erasure\". These laws have serious financial implications for companies and organizations that train large, highly accurate deep neural networks (DNNs) using these valuable consumer data sets. However, a received redaction request poses complex technical challenges on how to comply with the law while fulfilling core business operations. We introduce a DNN model lifecycle maintenance process that establishes how to handle specific data redaction requests and minimize the need to completely retrain the model. Our process is based upon the membership inference attack as a compliance tool for every point in the training set. These attack models quantify the privacy risk of all training data points and form the basis of follow-on data redaction from an accurate deployed model; excision is implemented through incorrect label assignment within incremental model updates.",
    "topics": [
      "gdpr_compliance",
      "llm_privacy_attacks"
    ],
    "painPointTracks": [
      "AI Training PII",
      "Enforcement"
    ],
    "relevanceScore": 0.754,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:2501.06237",
    "title": "Forecasting Anonymized Electricity Load Profiles",
    "authors": [
      "Joaquin Delgado Fernandez",
      "Sergio Potenciano Menci",
      "Alessio Magitteri"
    ],
    "date": "2025-01-08",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2501.06237v1",
    "pdfUrl": "https://arxiv.org/pdf/2501.06237v1",
    "doi": "",
    "abstract": "In the evolving landscape of data privacy, the anonymization of electric load profiles has become a critical issue, especially with the enforcement of the General Data Protection Regulation (GDPR) in Europe. These electric load profiles, which are essential datasets in the energy industry, are classified as personal behavioral data, necessitating stringent protective measures. This article explores the implications of this classification, the importance of data anonymization, and the potential of forecasting using microaggregated data. The findings underscore that effective anonymization techniques, such as microaggregation, do not compromise the performance of forecasting models under certain conditions (i.e., forecasting aggregated). In such an aggregated level, microaggregated data maintains high levels of utility, with minimal impact on forecasting accuracy. The implications for the energy sector are profound, suggesting that privacy-preserving data practices can be integrated into smart metering technology applications without hindering their effectiveness.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.754,
    "venue": "",
    "language": "en"
  },
  {
    "id": "crossref:10.5604/01.3001.0003.3155",
    "title": "The issues connected with the anonymization of medical data. Part 1. The introduction to the anonymization of medical data. Ensuring the protection of sensitive information with the use of such methods as f(a) and f(a,b)",
    "authors": [
      "ARKADIUSZ LIBER"
    ],
    "date": "2014-03-31",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.5604/01.3001.0003.3155",
    "pdfUrl": "https://publisherspanel.com/gicid/pdf/01.3001.0003.3155",
    "doi": "10.5604/01.3001.0003.3155",
    "abstract": "Introduction: Medical documentation must be protected against damage or loss, in compliance with its integrity and credibility and the opportunity to a permanent access by the authorized staff and, finally, protected against the access of unauthorized persons. Anonymization is one of the methods to safeguard the data against the disclosure.Aim of the study: The study aims at the analysis of methods of anonymization, the analysis of methods of the protection of anonymized data and the study of a new security type of privacy enabling to control sensitive data by the entity which the data concerns.Material and methods: The analytical and algebraic methods were used.Results: The study ought to deliver the materials supporting the choice and analysis of the ways of the anonymization of medical data, and develop a new privacy protection solution enabling the control of sensitive data by entities whom this data concerns.Conclusions: In the paper, the analysis of solutions of data anonymizing used for medical data privacy protection was con-ducted. The methods, such as k-Anonymity, (X,y)- Anonymity, (a,k)- Anonymity, (k,e)-Anonymity, (X,y)-Privacy, LKC-Privacy, l-Diversity, (X,y)-Linkability, t-Closeness, Confidence Bounding and Personalized Privacy were described, explained and analyzed. The analysis of solutions to control sensitive data by their owners was also conducted. Apart from the existing methods of the anonymization, the analysis of methods of the anonimized data protection was conducted, in particular the methods of: d-Presence, e-Differential Privacy, (d,g)-Privacy, (a,b)-Distributing Privacy and protections against (c,t)-Isolation were analyzed. The author introduced a new solution of the controlled protection of privacy. The solution is based on marking a protected field and multi-key encryption of the sensitive value. The suggested way of fields marking is in accordance to the XML standard. 
For the encryption (n,p) different key cipher was selected. To decipher the content the p keys of n is used. The proposed solution enables to apply brand new methods for the control of privacy of disclosing sensitive data.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.742,
    "venue": "Medical Science Pulse",
    "language": "en"
  },
  {
    "id": "openaire:10.21552/edpl/2022/1/6",
    "title": "All Talk, No Action? The Effect of the GDPR Accountability Principle on the EU Data Protection Paradigm",
    "authors": [
      "Karjalainen Tuulia"
    ],
    "date": "2022-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.21552/edpl/2022/1/6",
    "pdfUrl": "https://edpl.lexxion.eu/data/article/18291/pdf/edpl_2022_01-007.pdf",
    "doi": "10.21552/edpl/2022/1/6",
    "abstract": "The General Data Protection Regulation (679/2016, ’GDPR’) introduced the accountability principle to the field of EU data protection law. The principle aims to increase the controller’s responsibility for its personal data processing and to promote a risk-based approach to data protection. However, accountability, as implemented in the GDPR, fails to meet these objectives. Accountability is sometimes seen as a significant paradigm shift – as a move away from transparency and choice-based data subject control towards company liability. However, the principle does not truly replace the requirements-based approach in the GDPR. Nevertheless, accountability can effectively contribute to EU data protection law by reinforcing other GDPR obligations. This article analyses the contribution of the GDPR accountability principle to the EU data protection law, and the effectiveness of the principle in the light of its objectives. Although accountability does not radically change the European data protection paradigm, the principle does contribute to increasing controllers’ responsibility and facilitating enforcement.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.742,
    "venue": "European Data Protection Law Review",
    "language": "en"
  },
  {
    "id": "openaire:10.1109/asiajcis50894.2020.00026",
    "title": "An Enhanced Mondrian Anonymization Model based on Self-Organizing Map",
    "authors": [
      "Peter Shaojui Wang",
      "Pin-Yen Huang",
      "Yu-An Tsai",
      "Raylin Tso"
    ],
    "date": "2020-08-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1109/asiajcis50894.2020.00026",
    "pdfUrl": "",
    "doi": "10.1109/asiajcis50894.2020.00026",
    "abstract": "In the era of big data, privacy preservation has been the focus for data mining. Mondrian anonymization is a state-of-the-art data anonymization algorithm for relational dataset, widely used in many classical syntactic privacy-preserving data mining methods, like k-anonymity, l-diversity, t-closeness, etc. Mondrian anonymization is named for its multidimensional data partitioning in geometric space to find the best partitions for data anonymization. However, one problem with using Mondrian anonymization is taking too much time and memory for the high-dimensional data. Another problem is that the Mondrian-based privacy preservation may lead to the unstable performance of data mining models. For example, in Mondrian-based k-anonymity, the accuracy results of data mining may drop dramatically with the growth of k value. For solving these problems, in this paper we propose an enhanced Mondrian anonymization model based on Self-Organizing Map (SOM-Mondrian). With the help of SOM, multidimensional data are converted from a high dimensional space into two-dimensional space; at the same time, preserving their topological properties of the input space. The resulting two-dimensional data are then used by Mondrian algorithm to find the best partitions for data anonymization. To our best knowledge, we are the first to propose SOM-based method for Mondrian anonymization. Experimental results show that, after applying our proposed method, the processing time of Mondrian anonymization decreases significantly from 12.11 seconds to 0.16 seconds; besides, the accuracy of data mining applications increases, about 2% higher than the results under the standard Mondrian anonymization, and also shows steadier and more robust (the degree of variation is reduced by 75%) to the varying k value.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.742,
    "venue": "",
    "language": "en"
  },
  {
    "id": "doaj:25f4e892c58a4acbbc1af6c761b48de3",
    "title": "Utility-preserving anonymization for health data publishing",
    "authors": [
      "Hyukki Lee",
      "Soohyung Kim",
      "Jong Wook Kim",
      "Yon Dohn Chung"
    ],
    "date": "2017",
    "platform": "doaj",
    "sourceUrl": "http://link.springer.com/article/10.1186/s12911-017-0499-0",
    "pdfUrl": "",
    "doi": "10.1186/s12911-017-0499-0",
    "abstract": "Abstract Background Publishing raw electronic health records (EHRs) may be considered as a breach of the privacy of individuals because they usually contain sensitive information. A common practice for the privacy-preserving data publishing is to anonymize the data before publishing, and thus satisfy privacy models such as k-anonymity. Among various anonymization techniques, generalization is the most commonly used in medical/health data processing. Generalization inevitably causes information loss, and thus, various methods have been proposed to reduce information loss. However, existing generalization-based data anonymization methods cannot avoid excessive information loss and preserve data utility. Methods We propose a utility-preserving anonymization for privacy preserving data publishing (PPDP). To preserve data utility, the proposed method comprises three parts: (1) utility-preserving model, (2) counterfeit record insertion, (3) catalog of the counterfeit records. We also propose an anonymization algorithm using the proposed method. Our anonymization algorithm applies full-domain generalization algorithm. We evaluate our method in comparison with existence method on two aspects, information loss measured through various quality metrics and error rate of analysis result. Results With all different types of quality metrics, our proposed method show the lower information loss than the existing method. In the real-world EHRs analysis, analysis results show small portion of error between the anonymized data through the proposed method and original data. Conclusions We propose a new utility-preserving anonymization method and an anonymization algorithm using the proposed method. Through experiments on various datasets, we show that the utility of EHRs anonymized by the proposed method is significantly better than those anonymized by previous approaches.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.742,
    "venue": "BMC Medical Informatics and Decision Making",
    "language": "en"
  },
  {
    "id": "s2:c7a1a46c71aea0caf7dac7c178abcd7afb9affd1",
    "title": "Improved l-diversity: Scalable anonymization approach for Privacy Preserving Big Data Publishing",
    "authors": [
      "Brijesh B. Mehta",
      "U. P. Rao"
    ],
    "date": "2019-08-01",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/c7a1a46c71aea0caf7dac7c178abcd7afb9affd1",
    "pdfUrl": "https://doi.org/10.1016/j.jksuci.2019.08.006",
    "doi": "10.1016/J.JKSUCI.2019.08.006",
    "abstract": "Abstract In the era of big data analytics, data owner is more concern about the data privacy. Data anonymization approaches such as k-anonymity, l-diversity, and t-closeness are used for a long time to preserve privacy in published data. However, these approaches cannot be directly applicable to a large amount of data. Distributed programming framework such as MapReduce and Spark are used for big data analytics which add more challenges to privacy preserving data publishing. Recently, we identified few scalable approaches for Privacy Preserving Big Data Publishing in literature and majority of them are based on k-anonymity and l-diversity. However, these approaches require a significant improvement to reach the level of existing privacy preserving data publishing approaches, therefore, we propose Improved Scalable l-Diversity (ImSLD) approach which is the extension of Improved Scalable k-Anonymity (ImSKA) for scalable anonymization in this paper. Our approaches are based on scalable k-anonymization that uses MapReduce as a programming paradigm. We use poker dataset and synthesize big data versions of poker dataset to test our approaches. The result analysis shows significant improvement in terms of running time due to the lesser number of MapReduce iterations and also exhibits lower information loss as compared to existing approaches while providing the same level of privacy due to tight arrangement of the records in the initial equivalence class.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.742,
    "venue": "Journal of King Saud University: Computer and Information Sciences",
    "language": "en"
  },
  {
    "id": "s2:d86ec22df667b75824a95518b9b875bc267bb031",
    "title": "Performance Metrics Evaluation Towards The Effectiveness of Data Anonymization",
    "authors": [
      "A. Raj",
      "Rio G. L. D'Souza"
    ],
    "date": "2023-04-07",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/d86ec22df667b75824a95518b9b875bc267bb031",
    "pdfUrl": "",
    "doi": "10.1109/I2CT57861.2023.10126310",
    "abstract": "A supplementary method for ensuring that private data is inaccessible to outside parties is data anonymization. Anonymization might affect the outcomes of data mining procedures since it may make it more difficult for commonly used algorithms to analyze the data. This practical experience report compares the performance impact of current data anonymization algorithms to the suggested k-anonymization methods utilizing both original and anonymized data in order to assess the correctness and execution time. Through the use of kanonymization, l-diversity, t-closeness, and differential privacy techniques, a sample of genuine data produced by a healthcare facility was made anonymous. Contrary to predictions, the Hadoop framework was able to handle anonymization approaches, improving accuracy and performance while speeding up execution. These findings show that data anonymization techniques, when properly implemented through Hadoop ecosystems, can help to increase the effectiveness of data anonymization. Furthermore, the suggested method can produce the data anonymization with the necessary utility and protection trade-offs and with a performance scalable to large datasets.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.742,
    "venue": "2023 IEEE 8th International Conference for Convergence in Technology (I2CT)",
    "language": "en"
  },
  {
    "id": "s2:5449dfc5cad509fbeb1ebb61eb7603cbb0da6ce3",
    "title": "Anonymization of Bigdata using ARX Tools",
    "authors": [
      "Rk Shyamasundar",
      "Manoj Kumar Maurya"
    ],
    "date": "2024-08-13",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/5449dfc5cad509fbeb1ebb61eb7603cbb0da6ce3",
    "pdfUrl": "",
    "doi": "10.1109/ICICS63486.2024.10638298",
    "abstract": "Anonymization and sanitization of data has become extremely important in the context of various privacy laws around the world. K-Anonymity is a widely used technique that is a property for the measurement, management, and governance of the data anonymization. There is a loss of information in most implementations of K-anonymity and are not practically usable over large datasets with a number of attributes. In this paper, we explore a practical way of anonymization and sanitization using open-source solutions such as ARX tools. We explore K-anonymization features like optimal, diversity, and closeness, and models of privacy, to realize anonymization with optimal or minimal loss of information. We use public US census data for our study and use metrics, like information loss, utility, and privacy. As there is a need to strike a balance between minimizing information loss and maximizing utility in realizing privacy, the study employs an ensemble of algorithms of K-anonymity with/without ℓ-diversity, and t-closeness. The experimental results demonstrate that the combined approach outperforms ϵ-differential privacy among different algorithmic combinations on different parameters. Further, an innovative approach for multi-quasi identifier datasets (DS) is proposed to enhance the utility of K-anonymization by integrating it with differential privacy(DP) either local or global; it makes the database (DB) rows quite independent that is one of the main prerequisites for applying DP.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.742,
    "venue": "International Conference on Information, Communications and Signal Processing",
    "language": "en"
  },
  {
    "id": "s2:4bd55ab30ec4ba16aad6d6157607691cce856947",
    "title": "Proposal and Assessment of a De-Identification Strategy to Enhance Anonymity of the Observational Medical Outcomes Partnership Common Data Model (OMOP-CDM) in a Public Cloud-Computing Environment: Anonymization of Medical Data Using Privacy Models",
    "authors": [
      "Seungho Jeon",
      "Jeongeun Seo",
      "Sukyoung Kim",
      "Jeongmoon Lee",
      "Jong-Ho Kim",
      "J. Sohn",
      "Jongsub Moon",
      "H. J. Joo"
    ],
    "date": "2020-04-26",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/4bd55ab30ec4ba16aad6d6157607691cce856947",
    "pdfUrl": "https://www.jmir.org/2020/11/e19597/PDF",
    "doi": "10.2196/19597",
    "abstract": "Background De-identifying personal information is critical when using personal health data for secondary research. The Observational Medical Outcomes Partnership Common Data Model (CDM), defined by the nonprofit organization Observational Health Data Sciences and Informatics, has been gaining attention for its use in the analysis of patient-level clinical data obtained from various medical institutions. When analyzing such data in a public environment such as a cloud-computing system, an appropriate de-identification strategy is required to protect patient privacy. Objective This study proposes and evaluates a de-identification strategy that is comprised of several rules along with privacy models such as k-anonymity, l-diversity, and t-closeness. The proposed strategy was evaluated using the actual CDM database. Methods The CDM database used in this study was constructed by the Anam Hospital of Korea University. Analysis and evaluation were performed using the ARX anonymizing framework in combination with the k-anonymity, l-diversity, and t-closeness privacy models. Results The CDM database, which was constructed according to the rules established by Observational Health Data Sciences and Informatics, exhibited a low risk of re-identification: The highest re-identifiable record rate (11.3%) in the dataset was exhibited by the DRUG_EXPOSURE table, with a re-identification success rate of 0.03%. However, because all tables include at least one “highest risk” value of 100%, suitable anonymizing techniques are required; moreover, the CDM database preserves the “source values” (raw data), a combination of which could increase the risk of re-identification. Therefore, this study proposes an enhanced strategy to de-identify the source values to significantly reduce not only the highest risk in the k-anonymity, l-diversity, and t-closeness privacy models but also the overall possibility of re-identification. 
Conclusions Our proposed de-identification strategy effectively enhanced the privacy of the CDM database, thereby encouraging clinical research involving multiple centers.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.742,
    "venue": "Journal of Medical Internet Research",
    "language": "en"
  },
  {
    "id": "s2:17009ed436d5d0dcbe96c6cf274cf2ea13f01fc3",
    "title": "Comparison and Analysis of Anonymization Techniques for Preserving Privacy in Big Data",
    "authors": [
      "Johny Antony",
      "Dr. Antony Selvadoss",
      "Thanamani Head"
    ],
    "date": "2017",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/17009ed436d5d0dcbe96c6cf274cf2ea13f01fc3",
    "pdfUrl": "https://doi.org/10.37622/acst/10.2.2017.247-253",
    "doi": "10.37622/acst/10.2.2017.247-253",
    "abstract": "Modern technology and networking generates huge volume of data . Privacy of data is a crucial issue and a topic for significant research. Data publishing faces the problem of deciding how to publish useful data while preserving privacy-sensitive information according to the privacy requirements of data holders. According to the concept of the privacy protection, it is defined as such the accessing of published data must not allow the unwanted users to identify anything about the targeted individuals. This paper presents a classification and analysis of various anonymization techniques for privacy preservation like k-anonymity, l-diversity, t-closeness, differential privacy, slicing.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.742,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:oai:HAL:hal-02554435v1",
    "title": "Looking at European Union Data Protection Law Reform through a Different Prism: The Proposed EU General Data Protection Regulation Two Years Later",
    "authors": [
      "Voss, W."
    ],
    "date": "2014-01-01",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=oai:HAL:hal-02554435v1",
    "pdfUrl": "",
    "doi": "",
    "abstract": "This article provides an overall review of the proposed European Union General Data Protection Regulation (GDPR), two years after its initial proposal by the European Commission. It places the GDPR in the context of the current Data Protection Directive that it will replace once adopted, and details provisions of the GDPR, including those that were amended by the LIBE Committee (just prior to the vote of changes in the European Parliament sitting in plenary): extraterritorial effect of the GDPR, conditions placed on consent to processing, right to be forgotten and right to erasure, level of administrative sanctions, sensitive data, cross-border data transfers, and requirements for privacy impact assessments and data protection officers. The heavy lobbying on this EU legislation is discussed, and the impact of the NSA PRISM revelations on the legislative process are analyzed.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.742,
    "venue": "Journal of Internet Law",
    "language": "en"
  },
  {
    "id": "doaj:aa584f1d9a534cd38efbb41df3ed7dc8",
    "title": "A hybrid rule-based NLP and machine learning approach for PII detection and anonymization in financial documents",
    "authors": [
      "Kushagra Mishra",
      "Harsh Pagare",
      "Kanhaiya Sharma"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://doi.org/10.1038/s41598-025-04971-9",
    "pdfUrl": "https://europepmc.org/articles/PMC12214779?pdf=render",
    "doi": "10.1038/s41598-025-04971-9",
    "abstract": "Abstract Safeguarding Personally Identifiable Information (PII) in financial documents is essential to prevent data breaches and maintain regulatory compliance. This research presents a scalable hybrid approach that integrates rule-based Natural Language Processing (NLP), Machine Learning (ML) approaches, and a custom Named Entity Recognition (NER) model for the accurate detection and anonymization of Personally Identifiable Information (PII). A varied and accurate synthetic dataset was created to replicate genuine financial document formats, enhancing model training and assessment. The model has attained a precision of 94.7%, a recall of 89.4%, an F1-score of 91.1%, and an overall accuracy of 89.4% on synthetic datasets. Additional validation on actual financial documents, such as audit reports and vendor bills, revealed a consistent performance with an accuracy of 93%. The study utilizes confusion matrices, ROC curves, and precision-recall curves to evaluate the model which further validates the model’s capabilities and generalization ability. The suggested approach provides a robust and efficient solution for protecting sensitive information in operational financial contexts, markedly enhancing current methods for PII protection.",
    "topics": [
      "data_anonymization",
      "pii_entity_types"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.725,
    "venue": "Scientific Reports",
    "language": "en"
  },
  {
    "id": "crossref:10.26512/lstr.v13i2.37425",
    "title": "General Data Protection Regulation (GDPR)",
    "authors": [
      "Ana Isabel Guerra",
      "Maria João Machado",
      "Maria Malta Fernandes",
      "Patrícia Anjos Azevedo",
      "Sérgio Tenreiro Tomás",
      "Susana Sousa Machado"
    ],
    "date": "2021-09-07",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.26512/lstr.v13i2.37425",
    "pdfUrl": "https://periodicos.unb.br/index.php/RDET/article/download/37425/30789",
    "doi": "10.26512/lstr.v13i2.37425",
    "abstract": "[Purpose] This paper intends to present an academic analysis about the legal, ethic and other issues raised by the General Data Protection Regulation, especially in Covid-19 time. In this context, we present the main legal aspects of networked privacy, online privacy literacy, transparency, data integrity and others. Besides, we present the employee's rights in the context of the Covid-19 pandemic, such as the right to erase data, temperature monitoring, the employee's consent, the legitimation of the processing of personal data and body temperature control. We also give a word about data protection and teleworking. Our purpose is to contribute for the evolution of law, regarding the challenges and all the changes in our daily-life, provoked by the Covid-19 pandemic.\n[Methodology] Our objectives are fundamentally achieved with a legal and doctrinal analysis, which is our methodology. The topics presented in this paper are linked between each other and this kind of joint treatment is our goal.\n[Findings] Privacy is a broad concept that includes a set of personal characteristics that go beyond a user's name and location. Personal data includes the fundamental rights that privacy helps to guarantee. The GDPR is a legal basis for the processing of personal data, which is directly applicable in the European Union and does not require national transpositions. Employers are facing increasingly complex challenges in the day-to-day of their companies, given the need to stop the spread of coronavirus. To respond to the growing threat of coronavirus, many employers are considering monitoring the health of their employees to minimize the risk of infection and contagion in the workplace. Consent as a free, informed and unequivocal manifestation, required by the GDPR, collides with the existing asymmetries in the employment relationship. Despite all the difficulties in framing consent, it is unequivocal that the employment relationship requires the collection and processing of numerous employee data. It is an inevitability. Teleworking, provided from the employee's home, was one of the first measures adopted in the context of the pandemic caused by the Covid-19 disease. This type of work provision raises a number of questions regarding the protection of employees' personal data, namely in terms of control by the employer.",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.725,
    "venue": "Law, State and Telecommunications Review",
    "language": "en"
  },
  {
    "id": "openaire:ijerph16091490",
    "title": "PAX: Using Pseudonymization and Anonymization to Protect Patients’ Identities and Data in the Healthcare System",
    "authors": [
      "Mishall Al-Zubaidie",
      "Zhongwei Zhang",
      "Ji Zhang"
    ],
    "date": "2019-04-27",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.3390/ijerph16091490",
    "pdfUrl": "https://www.mdpi.com/1660-4601/16/9/1490/pdf",
    "doi": "10.3390/ijerph16091490",
    "abstract": "Electronic health record (EHR) systems are extremely useful for managing patients’ data and are widely disseminated in the health sector. The main problem with these systems is how to maintain the privacy of sensitive patient information. Due to not fully protecting the records from unauthorised users, EHR systems fail to provide privacy for protected health information. Weak security measures also allow authorised users to exceed their specific privileges to access medical records. Thus, some of the systems are not a trustworthy source and are undesirable for patients and healthcare providers. Therefore, an authorisation system that provides privacy when accessing patients’ data is required to address these security issues. Specifically, security and privacy precautions should be raised for specific categories of users, doctor advisors, physician researchers, emergency doctors, and patients’ relatives. Presently, these users can break into the electronic systems and even violate patients’ privacy because of the privileges granted to them or the inadequate security and privacy mechanisms of these systems. To address the security and privacy problems associated with specific users, we develop the Pseudonymization and Anonymization with the XACML (PAX) modular system, which depends on client and server applications. It provides a security solution to the privacy issues and the problem of safe-access decisions for patients’ data in the EHR. The results of theoretical and experimental security analysis prove that PAX provides security features in preserving the privacy of healthcare users and is safe against known attacks.",
    "topics": [
      "data_anonymization",
      "sector_healthcare"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Health & Genomic PII"
    ],
    "relevanceScore": 0.725,
    "venue": "International Journal of Environmental Research and Public Health",
    "language": "en"
  },
  {
    "id": "crossref:10.2478/jazcas-2025-0017",
    "title": "MasKIT – Anonymization and Pseudonymization of Czech Legal Texts",
    "authors": [
      "Jiří Mírovský",
      "Tereza Novotná",
      "Barbora Hladká"
    ],
    "date": "2025-06-01",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.2478/jazcas-2025-0017",
    "pdfUrl": "https://www.sciendo.com/pdf/10.2478/jazcas-2025-0017",
    "doi": "10.2478/jazcas-2025-0017",
    "abstract": "MasKIT is a command-line tool, an on-line web application and a REST API service for anonymization and pseudonymization of Czech legal texts. Taking a plain text as input (e.g. a letter sent by a legal authority to a citizen), it runs external services for dependency parsing and named entity recognition and then via a rule-based approach identifies and replaces sensitive information in the text.",
    "topics": [
      "data_anonymization",
      "pii_entity_types"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.725,
    "venue": "Journal of Linguistics/Jazykovedný casopis",
    "language": "en"
  },
  {
    "id": "crossref:10.36948/ijfmr.2022.v04i06.21490",
    "title": "Safeguarding Sensitive Information: A Comprehensive Approach to PII Anonymization and Data Masking",
    "authors": [
      "Varun Garg"
    ],
    "date": "2022-11-02",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.36948/ijfmr.2022.v04i06.21490",
    "pdfUrl": "https://www.ijfmr.com/papers/2022/6/21490.pdf",
    "doi": "10.36948/ijfmr.2022.v04i06.21490",
    "abstract": "In a modern-day digital data platform, in this age of handling extensive information, including PII by organizations, data security becomes a most critical dimension in ensuring that the PII is protected from malicious breaches and the loss of this data. Data confidentiality, integrity, and availability of data are ensured through different methods to protect privacy while being compliant with regulations like GDPR and CCPA globally. This paper applies anonymization of PII and data masking in exploring an integrated approach to the protection of private data. The paper considers the tools and technology at hand, examines the main obstacles in using these strategies, and discusses the suggested way of applying adequate data security rules. This paper also underlines new topics that in the future will have an impact on the security of PII, while zero-trust systems, edge computing, and artificial intelligence will also emerge. In general, this paper puts down the building blocks of an organization that, by protecting private data and ensuring regulatory compliance, will be sound both from technical and operational standpoints.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.725,
    "venue": "International Journal For Multidisciplinary Research",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::234b923668c0953b83140137d78b90d9",
    "title": "Enhancing the De-identification of Personally Identifiable Information in Educational Data",
    "authors": [
      "Ji, Zilyu",
      "Shen, Yuntian",
      "Lin, Jionghao",
      "Koedinger, Kenneth R."
    ],
    "date": "2025-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.48550/arxiv.2501.09765",
    "pdfUrl": "",
    "doi": "10.48550/arxiv.2501.09765",
    "abstract": "Protecting Personally Identifiable Information (PII), such as names, is a critical requirement in learning technologies to safeguard student and teacher privacy and maintain trust. Accurate PII detection is an essential step toward anonymizing sensitive information while preserving the utility of educational data. Motivated by recent advancements in artificial intelligence, our study investigates the GPT-4o-mini model as a cost-effective and efficient solution for PII detection tasks. We explore both prompting and fine-tuning approaches and compare GPT-4o-mini's performance against established frameworks, including Microsoft Presidio and Azure AI Language. Our evaluation on two public datasets, CRAPII and TSCC, demonstrates that the fine-tuned GPT-4o-mini model achieves superior performance, with a recall of 0.9589 on CRAPII. Additionally, fine-tuned GPT-4o-mini significantly improves precision scores (a threefold increase) while reducing computational costs to nearly one-tenth of those associated with Azure AI Language. Furthermore, our bias analysis reveals that the fine-tuned GPT-4o-mini model consistently delivers accurate results across diverse cultural backgrounds and genders. The generalizability analysis using the TSCC dataset further highlights its robustness, achieving a recall of 0.9895 with minimal additional training data from TSCC. These results emphasize the potential of fine-tuned GPT-4o-mini as an accurate and cost-effective tool for PII detection in educational data. It offers robust privacy protection while preserving the data's utility for research and pedagogical analysis. Our code is available on GitHub: https://github.com/AnonJD/PrivacyAI",
    "topics": [
      "data_anonymization",
      "nlp_ner_tools"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.725,
    "venue": "arXiv.org",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::104110bb1d712f674ddf20fd64f65e63",
    "title": "AI-Powered Secure Document Anonymization Pipeline: A Serverless AWS Architecture for PII Detection and Redaction",
    "authors": [
      "Peddy, Shiva Sai"
    ],
    "date": "2025-11-25",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.5281/zenodo.17707008",
    "pdfUrl": "",
    "doi": "10.5281/zenodo.17707008",
    "abstract": "Organizations struggle with manual redaction of Personally Identifiable Information (PII) from sensitive documents, facing significant compliance challenges with GDPR and HIPAA regulations. This work develops an intelligent, serverless document anonymization pipeline using Amazon Web Services to automate PII detection and redaction processes. The solution employs AWS Step Functions to orchestrate a microservices architecture that ingests documents through a secure web interface, extracts text using Amazon Textract, identifies sensitive information via Amazon Comprehend, and applies configurable anonymization strategies. The system integrates multiple AWS services including Lambda functions for processing logic, API Gateway for API communication between frontend and backend, S3 for storage, DynamoDB for audit trails, and EventBridge for workflow management. Key features include a JavaScript-based frontend with real-time progress tracking, support for multiple document formats (PDF, TXT, and images), and intelligent PII detection covering names, Social Security numbers, emails, medical information and other sensitive PII. Security measures encompass malware scanning via GuardDuty, encryption at rest and in transit, fine-grained IAM policies, and comprehensive audit logging via CloudTrail. The serverless architecture ensures cost-effectiveness through pay-per-use pricing while providing automatic scaling capabilities. This implementation showcases a practical application of cloud-native architectures and AI services for solving real-world data privacy challenges in enterprise environments.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.725,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:S2352711023002182",
    "title": "ALIIAS: Anonymization/Pseudonymization with LimeSurvey integration and II-factor Authentication for Scientific research",
    "authors": [
      "Robert Englert",
      "Manfred Schedlowski",
      "Harald Engler",
      "Winfried Rief",
      "Christian Büchel",
      "Ulrike Bingel",
      "Tamas Spisak"
    ],
    "date": "2023-12-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1016/j.softx.2023.101522",
    "pdfUrl": "https://api.elsevier.com/content/article/PII:S2352711023002182?httpAccept=text/xml",
    "doi": "10.1016/j.softx.2023.101522",
    "abstract": "As open science principles continue to gain traction, striking a balance between patient privacy and data accessibility has become more crucial in medical research than ever before. Encryption-based pseudonymization is a powerful tool to ensure compliance with data protection regulations from both local institutional guidelines and broader regional regulations, such as the General Data Protection Regulation of the European Union. Employing this type of pseudonymization protects the privacy and security of research participants, and allows researchers to effortlessly comply with data security regulations. The pseudonymization workflow however, can vary significantly across research projects, limiting the usability of supporting software tools. Here we present ALIIAS, a customizable pseudonymization framework that allows easy and flexible deployment of custom pseudonymization software, dedicated to the specific ethical and experimental requirements of individual research projects. Features include compatibility with hardware security tokens paired with two-factor authentication, integration to the survey web application LimeSurvey, as well as custom-format pseudonyms and automatic barcode generation. Collectively, these features make ALIIAS suitable for integration into various research infrastructures and lower the initial barrier to incorporating cutting-edge encryption-based pseudonymization in translational and clinical research practices.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.725,
    "venue": "SoftwareX",
    "language": "en"
  },
  {
    "id": "openaire:10.1007/978-3-319-44403-1_7",
    "title": "Automated k-Anonymization and l-Diversity for Shared Data Privacy",
    "authors": [
      "Anne V. D. M. Kayem",
      "C. T. Vester",
      "Christoph Meinel"
    ],
    "date": "2016-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1007/978-3-319-44403-1_7",
    "pdfUrl": "",
    "doi": "10.1007/978-3-319-44403-1_7",
    "abstract": "Analyzing data is a cost-intensive process, particularly for organizations lacking the necessary in-house human and computational capital. Data analytics outsourcing offers a cost-effective solution, but data sensitivity and query response time requirements, make data protection a necessary pre-processing step. For performance and privacy reasons, anonymization is preferred over encryption. Yet, manual anonymization is time-intensive and error-prone. Automated anonymization is a better alternative but requires satisfying the conflicting objectives of utility and privacy. In this paper, we present an automated anonymization scheme that extends the standard k-anonymization and l-diversity algorithms to satisfy the dual objectives of data utility and privacy. We use a multi-objective optimization scheme that employs a weighting mechanism, to minimise information loss and maximize privacy. Our results show that automating l-diversity results in an added average information loss of 7% over automated k-anonymization, but in a diversity of between 9–14% in comparison to 10–30% in k-anonymised datasets. The lesson that emerges is that automated l-diversity offers better privacy than k-anonymization and with negligible information loss.",
    "topics": [
      "data_anonymization",
      "enterprise_privacy_ops"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.725,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.23919/cisti49556.2020.9141044",
    "title": "Data Anonymization: K-anonymity Sensitivity Analysis",
    "authors": [
      "Santos, Wilson",
      "Sousa, Gonçalo",
      "Prata, Paula",
      "Ferrão, Maria Eugénia"
    ],
    "date": "2020-06-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.23919/cisti49556.2020.9141044",
    "pdfUrl": "",
    "doi": "10.23919/cisti49556.2020.9141044",
    "abstract": "These days the digitization process is everywhere, spreading also across central governments and local authorities. It is hoped that, using open government data for scientific research purposes, the public good and social justice might be enhanced. Taking into account the European General Data Protection Regulation recently adopted, the big challenge in Portugal and other European countries, is how to provide the right balance between personal data privacy and data value for research. This work presents a sensitivity study of data anonymization procedure applied to a real open government data available from the Brazilian higher education evaluation system. The ARX k-anonymization algorithm, with and without generalization of some research value variables, was performed. The analysis of the amount of data / information lost and the risk of re-identification suggest that the anonymization process may lead to the under-representation of minorities and sociodemographic disadvantaged groups. It will enable scientists to improve the balance among risk, data usability, and contributions for the public good policies and practices.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.725,
    "venue": "",
    "language": "en"
  },
  {
    "id": "europepmc:41005602",
    "title": "Experiential case study audit of three popular period trackers using General Data Protection Regulation (GDPR) and intimate privacy assessment criteria.",
    "authors": [
      "White PM",
      "Fuller N",
      "Holmes AM",
      "Franqueira V."
    ],
    "date": "2025-09-24",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1016/j.contraception.2025.111235",
    "pdfUrl": "",
    "doi": "10.1016/j.contraception.2025.111235",
    "abstract": "Objectives: Period tracker downloads worldwide continue to increase year over year even though users are exposed to intimate data surveillance, unconsented third-party data sharing, and unauthorized commercial use of their reproductive information. This paper argues that data protection measures such as Europe's General Data Protection Regulation, considered the gold standard for personal privacy protection, could be bolstered if an intimate privacy design code was applied. Study design: As no code, such as the United Kingdom Information Commissioner's Children's Code, exists for reducing data protection risks associated with online processing of sensitive reproductive information, we developed 15 measures operationalizing the concept of intimate privacy. Risk assessments based on intimate privacy criteria were compared to General Data Protection Regulation requirements in our 2023 United Kingdom-based pilot study auditing three popular period trackers, Flo, Clue, and Eve. Results: When our intimate privacy criteria were applied, we identified tracker data protection weaknesses and privacy elements falling outside of existing General Data Protection Regulation requirements. Particularly worrisome was the lack of dynamic consent for data sharing, no built-in surveillance detection measures, and few user-determined data retention and deletion processes. Processing and storage of United Kingdom Flo and Eve users' data in the United States raises significant intimate privacy protection concerns, especially as legal implications of such data transfers were not well explained to users. Privacy policies were complex, requiring college education. Conclusions: Incorporating intimate privacy-by-design would provide Femtech device users enhanced protection for their sensitive, private intimate data.",
    "topics": [
      "gdpr_compliance",
      "enterprise_privacy_ops"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.725,
    "venue": "Contraception",
    "language": "en"
  },
  {
    "id": "pubmed:31611024",
    "title": "[Adaptation of the General Data Protection Regulation (GDPR) to a smartphone app for rhinitis and asthma (MASK-air®)].",
    "authors": [
      "Laune, D",
      "Arnavielhe, S",
      "Viart, F",
      "Bedbrook, A",
      "Mercier, J",
      "Lun San Luk, G",
      "deVries, G",
      "Spreux, O",
      "Bousquet, J"
    ],
    "date": "2019-10-11",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1016/j.rmr.2019.08.003",
    "pdfUrl": "",
    "doi": "10.1016/j.rmr.2019.08.003",
    "abstract": "The General Data Protection Regulation (GDPR) regulates the processing of personal data in the European Union. The legal context is adapted to follow the evolution of technologies and of society. This new European regulation became mandatory, especially for connected devices, on May 25, 2018. An app originally known as \"The Allergy Diary\" is available for Android phones and iPhones. Its name was recently changed to MASK-air. The downloading and use of this app are free of charge and there are no adverts. It enables users to record their symptoms and their medications to better track the progress of their allergic rhinitis and/or asthma. It has been developed by public (Foundation FMC VIA-LR, University of Montpellier) and private (KYomed INNOV) organizations based in France and therefore falls under French jurisdiction. This article summarizes the five main principles of personal data protection to be respected during the development of the app: purpose, proportionality and relevance, limited retention period, security and confidentiality, as well as the rights of the people who are involved in the management of the personal data (including withdrawal and modification).",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.725,
    "venue": "Revue des maladies respiratoires",
    "language": "en"
  },
  {
    "id": "dblp:conf/apweb/WangWLW25",
    "title": "An Efficient Federated Learning Privacy Preservation Method with Differential Privacy Against Model Inversion Attack.",
    "authors": [
      "Bolun Wang",
      "Dong Wang 0019",
      "Chenpu Li",
      "Jinhuan Wang"
    ],
    "date": "2025",
    "platform": "dblp",
    "sourceUrl": "https://dblp.org/rec/conf/apweb/WangWLW25",
    "pdfUrl": "",
    "doi": "10.1007/978-981-95-5716-5_19",
    "abstract": "",
    "topics": [
      "data_anonymization",
      "llm_privacy_attacks"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "AI Training PII"
    ],
    "relevanceScore": 0.725,
    "venue": "APWeb-WAIM",
    "language": "en"
  },
  {
    "id": "dblp:journals/corr/abs-2501-14756",
    "title": "Towards An Automated AI Act FRIA Tool That Can Reuse GDPR's DPIA.",
    "authors": [
      "Tytti Rintamaki",
      "Harshvardhan J. Pandit"
    ],
    "date": "2025",
    "platform": "dblp",
    "sourceUrl": "https://dblp.org/rec/journals/corr/abs-2501-14756",
    "pdfUrl": "",
    "doi": "10.48550/ARXIV.2501.14756",
    "abstract": "",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.725,
    "venue": "CoRR",
    "language": "en"
  },
  {
    "id": "s2:11b53c8dc4609e44cfe8254993293228d1dd7f43",
    "title": "LLMs-in-the-Loop Part 2: Expert Small AI Models for Anonymization and De-identification of PHI Across Multiple Languages",
    "authors": [
      "Murat Gunay",
      "Bunyamin Keles",
      "Raife Hizlan"
    ],
    "date": "2024-12-14",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/11b53c8dc4609e44cfe8254993293228d1dd7f43",
    "pdfUrl": "",
    "doi": "10.48550/arXiv.2412.10918",
    "abstract": "The rise of chronic diseases and pandemics like COVID-19 has emphasized the need for effective patient data processing while ensuring privacy through anonymization and de-identification of protected health information (PHI). Anonymized data facilitates research without compromising patient confidentiality. This paper introduces expert small AI models developed using the LLM-in-the-loop methodology to meet the demand for domain-specific de-identification NER models. These models overcome the privacy risks associated with large language models (LLMs) used via APIs by eliminating the need to transmit or store sensitive data. More importantly, they consistently outperform LLMs in de-identification tasks, offering superior performance and reliability. Our de-identification NER models, developed in eight languages (English, German, Italian, French, Romanian, Turkish, Spanish, and Arabic) achieved f1-micro score averages of 0.966, 0.975, 0.976, 0.970, 0.964, 0.974, 0.978, and 0.953 respectively. These results establish them as the most accurate healthcare anonymization solutions, surpassing existing small models and even general-purpose LLMs such as GPT-4o. While Part-1 of this series introduced the LLM-in-the-loop methodology for bio-medical document translation, this second paper showcases its success in developing cost-effective expert small NER models in de-identification tasks. Our findings lay the groundwork for future healthcare AI innovations, including biomedical entity and relation extraction, demonstrating the value of specialized models for domain-specific challenges.",
    "topics": [
      "data_anonymization",
      "sector_healthcare"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Health & Genomic PII"
    ],
    "relevanceScore": 0.725,
    "venue": "arXiv.org",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2799054379",
    "title": "openEHR Based Systems and the General Data Protection Regulation (GDPR)",
    "authors": [
      "Mariana Sousa",
      "Duarte Ferreira",
      "Cátia Santos-Pereira",
      "Gustavo Bacelar",
      "Samuel Frade",
      "Olívia Pestana",
      "Ricardo Cruz‐Correia"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.3233/978-1-61499-852-5-91",
    "pdfUrl": "https://hdl.handle.net/10216/112073",
    "doi": "https://doi.org/10.3233/978-1-61499-852-5-91",
    "abstract": "The concerns about privacy and personal data protection resulted in reforms of the existing legislation in European Union (EU). The General Data Protection Regulation (GDPR) aims to reform the existing measures on the topic of personal data protection of the European Union citizens, with a strong input on the rights and freedoms of people and in the establishment of rules for the processing of personal data. OpenEHR is a standard that embodies many principles of interoperable and secure software for electronic health records. This work aims to understand to what extent the openEHR standard can be considered a solution for the requirements needed by GDPR. A list of requirements for a Hospital Information Systems (HIS) compliant with GDPR and an identification of openEHR specifications was made. The requirements were categorized and compared with the specifications. The requirements identified for the systems were matched with the openEHR specifications, which result in 16 requirements matched with openEHR. All the specifications identified matched at least one requirement. OpenEHR is a solution for the development of HIS that reinforce privacy and personal data protection, ensuring that they are contemplated in the system development. The institutions can secure that their Eletronic Health Record are compliant with GDPR while safeguarding the medical data quality and, as a result, the healthcare delivery.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.725,
    "venue": "Studies in health technology and informatics",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3024958189",
    "title": "General Data Protection Regulation (GDPR) Implementation: What was the Impact on the Market Value of European Financial Institutions?",
    "authors": [
      "Maria Cristina Arcuri"
    ],
    "date": "2020",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.17015/ejbe.2020.025.01",
    "pdfUrl": "https://doi.org/10.17015/ejbe.2020.025.01",
    "doi": "https://doi.org/10.17015/ejbe.2020.025.01",
    "abstract": "Personal data protection (PDP) is a big concern for political leaders, IT managers, information security consultants, the financial services industry, and the millions of people currently online. This paper analyses the impact that the most important European data protection regulation, the General Data Protection Regulation (GDPR), had on the market value of European financial institutions. Financial institutions collect and manage large amounts of personal data. Data protection is thus a key issue, and risks of non-compliance include financial, legal, and reputational risks. It is, therefore, interesting to find out whether stockholders recognized the real value and scope of GDPR. In order to examine the financial institution stockholder reaction to GDPR, we apply the event study methodology. We analyse a sample of 357 European listed financial companies, and we use daily market prices. In general, we find a significant positive reaction and note differences among European countries, showing that perception of GDPR impacts differed, probably because of uncertainty and worries about complying with new provisions, which required economic and organizational investment.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.725,
    "venue": "Eurasian Journal of Business and Economics",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2903146754",
    "title": "Project Management in the Implementation of General Data Protection Regulation (GDPR)",
    "authors": [
      "Ivan Todorović",
      "Stefan Komazec",
      "Đorđe Krivokapić",
      "Danilo Krivokapić"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.18485/epmj.2018.8.1.7",
    "pdfUrl": "http://media.epmj.org/2018/11/7-Project-Management-in-the-Implementation-of-General-Data-Protection-Regulation-GDPR-1.pdf",
    "doi": "https://doi.org/10.18485/epmj.2018.8.1.7",
    "abstract": "Technology development and digitalization have reshaped business models and made data one of the key resources in business ecosystem. Organizations have become more focused on gathering and processing personal data for the purpose of gaining competitive advantage and profit. Consequently, the importance of personal data protection has significantly grown, since one of the fundamental civil rights, the right of privacy, has become more jeopardized than ever before. This caused major changes in the European Union (EU) legislation related to personal data protection, which resulted in the introduction of General Data Protection Regulation (GDPR). The new regime significantly increases the protection of EU data subjects, but also demands all controllers and processors of personal data to adjust their business in order to avoid huge fines for non-compliance. This paper deals with project management in the process of implementing GDPR provisions.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.725,
    "venue": "European Project Management Journal",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2922285670",
    "title": "An Analysis of the Consequences of the General Data Protection Regulation (GDPR) on Social Network Research",
    "authors": [
      "Andreas Kotsios",
      "Matteo Magnani",
      "Luca Rossi",
      "Irina Shklovski",
      "Davide Vega"
    ],
    "date": "2019",
    "platform": "OpenAlex",
    "sourceUrl": "http://arxiv.org/abs/1903.03196",
    "pdfUrl": "https://arxiv.org/pdf/1903.03196",
    "doi": "https://doi.org/10.48550/arxiv.1903.03196",
    "abstract": "This article examines the principles outlined in the General Data Protection Regulation (GDPR) in the context of social network data. We provide both a practical guide to GDPR-compliant social network data processing, covering aspects such as data collection, consent, anonymization and data analysis, and a broader discussion of the problems emerging when the general principles on which the regulation is based are instantiated to this research area.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.725,
    "venue": "arXiv (Cornell University)",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4238571661",
    "title": "Effective Regulation through Design – Aligning the ePrivacy Regulation with the EU General Data Protection Regulation (GDPR): Tracking Technologies in Personalised Internet Content and the Data Protection by Design Approach",
    "authors": [
      "Maximilian von Grafenstein",
      "Julie Heumüller",
      "Elias Belgacem",
      "Timo Jakobi",
      "Patrick Smiesko"
    ],
    "date": "2021",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.2139/ssrn.3945471",
    "pdfUrl": "https://doi.org/10.2139/ssrn.3945471",
    "doi": "https://doi.org/10.2139/ssrn.3945471",
    "abstract": "",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.725,
    "venue": "SSRN Electronic Journal",
    "language": "en"
  },
  {
    "id": "openaire:oai:thesis.unipd.it:20.500.12608/62169",
    "title": "Anonymization and pseudonymization of judicial decisions in the European Union legal space: seeking a proper balance between data protection and fundamental rights",
    "authors": [
      "RUSSO, SIMONE MARIA#idabnull"
    ],
    "date": "",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=oai:thesis.unipd.it:20.500.12608/62169",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Anonymization and pseudonymization of personal data in judicial decisions represent a very recent phenomenon that is likely to result in a lack of a proper balance between the need to protect individuals’ data and the necessity to respect the principle of open justice and the other fundamental rights recognized by the international and the European legal orders. In light of the GDPR legislation, the present work analyzes the approach adopted in this field by the Constitutional Courts of some Member States and the Court of Justice of the European Union.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.725,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|phd_tilb__nl::d476d060393c6ec9cdb272a1d68ffbb2",
    "title": "Comparative analysis on cross border personal data transfer between EU GDPR and Singapore Personal Data Protection Act vs Indonesian Personal Data Protection Law: shortcomings and improvements",
    "authors": [
      "Made Aryasana Parta , I"
    ],
    "date": "2023-01-01",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=50|phd_tilb__nl::d476d060393c6ec9cdb272a1d68ffbb2",
    "pdfUrl": "",
    "doi": "",
    "abstract": "",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.725,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:5320109",
    "title": "Stochastic Mixing and Differential Privacy in Utility-Preserving Data Anonymization",
    "authors": [
      "Alban-Félix Barreteau",
      "Eric Le Carpentier",
      "Olivier Regnier-Coudert",
      "Saïd Moussaoui",
      "Pierre-Antoine Gourraud"
    ],
    "date": "2025-06-08",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-05320109v1",
    "pdfUrl": "https://hal.science/hal-05320109/document",
    "doi": "",
    "abstract": "<div><p>The generation of privacy-preserving synthetic data is essential for its secure sharing and reliable usage in machine learning algorithms. This work presents a novel data anonymization method that performs a stochastic mixing of the original data in a latent space. The method is referred to as the dirichletavatar and its performance is compared to the original avatar method and to differential privacy (DP)-based approaches. These methods are applied to the public adult dataset and an evaluation of their utility and privacy characteristics is performed. Utility is assessed through a comparison of feature distributions and an assessment of their dependency preservation. Privacy is quantified using the Anonymeter framework, which evaluates privacy risksbased on the three GDPR criteria. Obtained results demonstrate that the dirichlet-avatar method achieves a superior balance between privacy and utility, outperforming both the original avatar method and DP-based methods, offering an effective alternative for generating high-quality anonymous synthetic data.</p></div>",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.725,
    "venue": "IEEE Workshop Statistical Signal Processing",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3132608613",
    "title": "GDPR : general data protection regulation (EU) 2016/679 : post-reform personal data protection in the European Union",
    "authors": [
      "Mariusz Krzysztofek"
    ],
    "date": "2019",
    "platform": "OpenAlex",
    "sourceUrl": "http://swbplus.bsz-bw.de/bsz1645084736inh.htm",
    "pdfUrl": "",
    "doi": "",
    "abstract": "",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.725,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3032201679",
    "title": "The implication of the European Union’s General Data Protection Regulation (GDPR) on the Global Data Privacy",
    "authors": [
      "Ronald Wafula Akasa"
    ],
    "date": "2019",
    "platform": "OpenAlex",
    "sourceUrl": "https://journals.eanso.org/index.php/eajle/article/view/97",
    "pdfUrl": "https://journals.eanso.org/index.php/eajle/article/view/97",
    "doi": "",
    "abstract": "Today, more than ever, data continues to be integral in the way life of people stemming from individualized to corporate life with marginal respect to jurisdictional barriers. With the advent and progressive advancements of digital economies, data has become definitive shaping every decision undertaken by individuals, businesses, governments and the globe at large. Free movement of data across borders underpins the relationships forged between countries and regions which shapes the global economy. However, despite free movement of data across borders being a cornerstone to the globalized economy, the flow of personalized data within and outside justifications ensues remarkable concerns over privacy protection. Jurisdictional integrations are limited or espoused by the data regulations enacted by a country or a region. The regulations have unilateral, bilateral and international implications on the globalized as parties pursuit to complying with the underpinned provisions. On May 25, 2018, the European Opinion enacted the General Data Protection Regulation (GDPR) which emanated significant concerns from the global community over its ability to hamper international relations. Therefore, this paper evaluates the implication of EU’s GDPR on the global data protection debunked its vitality and challenges. The global data sharing and protection norms progress to evolve with keen sensitivity on personal data protection. Data protection has always been a contentious topic but with the development of information technology, it has global concerns due to the easy flow of data across jurisdictions. At no time in the past four decades as data privacy protection ever been so prominently, intensively and globally debated. Today, information privacy is no longer a sector-wise policies issues but rather has been polarized to a deserved international public policy attention. 
Therefore, it is quite obvious in modern times for corporations and governments to create data protection regulations envisaged at ensuring the utmost protection of personal data. Despite many countries and regions over the years having developed several data protection regulations, the academic literature has often focused on examining the distinction between the data privacy laws in one region to another with minimal empirical insights on the protected data covered within the comparative contexts and their implications. Europe being a pillar player in the globalized economy, EU’s unveiling of the GDPR raises inexhaustible questions on how it would implement every aspect of data protection for both companies and organizations within the EU and those outside but have operational activities in the region or intend to. Questions arise due to the need for data protection laws to not only set implementable privacy rights but ensure they are balanced with the legitimate interests of organizations (Bennett, 2018). Therefore, it is imperative to understand the implication of GDPR both intended and unintended as well as how it shapes the global data privacy protection and transactions.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.725,
    "venue": "East African Journal of Law and Ethics",
    "language": "en"
  },
  {
    "id": "ETid-1974",
    "title": "GDPR Fine: Data protection officer — Data Protection Authority of Thüringen (Germany)",
    "authors": [
      "Data Protection Authority of Thüringen"
    ],
    "date": "2022",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1974",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €Fine in three-digit amount | Articles: Art. 6 GDPR | Insufficient legal basis for data processing | The DPA of Thüringen has imposed a three-digit fine on the data protection officer of a company. The controller had posted a photo in a WhatsApp group of the company which showed the data subject bleeding heavily after a physical attack. The data subject had not consented to the publication in the WhatsApp group, which is why the DPA concluded that the publication was unlawful due to the lack of a valid legal basis.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.725,
    "venue": "GDPR DPA: Data Protection Authority of Thüringen",
    "language": "en"
  },
  {
    "id": "doaj:159187d40f5f44858cb02f37b58cf1dd",
    "title": "AI Ethics: Algorithmic Determinism or Self-Determination? The GPDR Approach",
    "authors": [
      "Maria Milossi",
      "Eugenia Alexandropoulou-Egyptiadou",
      "Konstantinos E. Psannis"
    ],
    "date": "2021",
    "platform": "doaj",
    "sourceUrl": "https://ieeexplore.ieee.org/document/9400809/",
    "pdfUrl": "",
    "doi": "10.1109/access.2021.3072782",
    "abstract": "Artificial Intelligence (AI) refers to systems designed by humans, interpreting the already collected data and deciding the best action to take, according to the pre-defined parameters, in order to achieve the given goal. Designing, trial and error while using AI, brought ethics to the center of the dialogue between tech giants, enterprises, academic institutions as well as policymakers. Ethical challenges in AI brought ethical AI framework in place in an attempt to regulate people&#x2019;s lives and interactions, used for the benefit of society, for the human rights&#x2019; protection as well as for the respect of individual&#x2019;s privacy and autonomy. The paper aims to summarize and critically evaluate the basic principles for the use of AI, with emphasis to the General Data Protection Regulation&#x2019;s (GDPR) approach, concerning data subject&#x2019;s consent, data protection principles and data subject&#x2019;s rights in a context of &#x2018;privacy by design&#x2019; architecture.",
    "topics": [
      "gdpr_compliance",
      "privacy_engineering",
      "ai_governance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.708,
    "venue": "IEEE Access",
    "language": "en"
  },
  {
    "id": "doaj:5ba4b9798ac44bc086abb7355e1a3750",
    "title": "Cybersecurity and Privacy – The Security Dilemma in the Digital Age",
    "authors": [
      "Konrad Stańczyk",
      "Joanna Grubicka"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://www.jomswsge.com/Cyberbezpieczenstwo-a-prywatnosc-dylemat-bezpieczenstwa-r-nw-erze-cyfrowej,210127,0,2.html",
    "pdfUrl": "",
    "doi": "10.13166/jms/210127",
    "abstract": "Objectives\nThe article analyzes key threats arising from privacy violations in the name of cybersecurity and presents data protection strategies that can help achieve a balance between these two aspects. It highlights challenges related to mass surveillance, user profiling, and legal regulations concerning information protection. The aim of the article is to examine the dilemma between cybersecurity and privacy and to identify strategies that enable their effective balance.\n\nMaterial and methods\nThe article employs an analytical approach, including a literature review, an analysis of legal regulations, and case studies related to the conflict between cybersecurity and privacy. Available research, reports, and publications on personal data protection and digital environment regulations were analyzed. The study includes a statistical analysis of cybercrime trends, case studies of security breaches, and legal regulations aimed at finding a balance between security and privacy.\n\nResults\nThe results indicate a growing scale of threats such as phishing, ransomware, and data breaches, affecting both individual users and organizations. The analysis shows that cybersecurity measures often require extensive data collection, raising concerns about potential privacy violations.\n\nConclusions\nCybersecurity and privacy can coexist through innovative technologies, appropriate regulations, and user education. Limiting mass surveillance requires minimizing data collection and advancing anonymization techniques. International cooperation is essential for effective data protection and combating cybercrime.",
    "topics": [
      "data_anonymization",
      "power_knowledge_asymmetry",
      "linkability_tracking"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Re-identification",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.708,
    "venue": "Journal of Modern Science",
    "language": "en"
  },
  {
    "id": "europepmc:41280878",
    "title": "LegNER: a domain-adapted transformer for legal named entity recognition and text anonymization.",
    "authors": [
      "Karamitsos I",
      "Roufas N",
      "Al-Hussaeni K",
      "Kanavos A."
    ],
    "date": "2025-11-06",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.3389/frai.2025.1638971",
    "pdfUrl": "https://europepmc.org/articles/PMC12631292?pdf=render",
    "doi": "10.3389/frai.2025.1638971",
    "abstract": "The increasing demand for scalable and privacy-preserving processing of legal documents has intensified the need for accurate Named Entity Recognition (NER) systems tailored to the legal domain. In this work, we introduce <b>LegNER</b>, a domain-adapted transformer model designed for both legal NER and text anonymization. The model is trained on a corpus of 1,542 manually annotated court cases and enriched with an extended legal vocabulary, enabling robust recognition of six critical entity types, including PERSON, ORGANIZATION, LAW, and CASE_REFERENCE. Built on BERT-base and enhanced through domain-specific pretraining and span-level supervision, LegNER consistently outperforms established legal NER baselines. Experimental results demonstrate significant gains in accuracy (99%), F1 score (over 99%), and inference efficiency (processing more than 12 documents per second), confirming both its precision and scalability. Beyond quantitative improvements, qualitative evaluation highlights LegNERs ability to generate coherent anonymized outputs, a crucial requirement for GDPR-compliant redaction and automated legal analytics. Taken together, these results establish LegNER as a reliable and effective solution for high-precision entity recognition and anonymization in compliance-sensitive legal workflows.",
    "topics": [
      "pii_entity_types",
      "data_anonymization",
      "nlp_ner_tools",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.708,
    "venue": "Frontiers in Artificial Intelligence",
    "language": "de"
  },
  {
    "id": "doaj:e7c7e6e35ecc45aaa0e534b4bde33be4",
    "title": "Selective Homomorphic Encryption With LLE Enhances Privacy and Scalability in Doorbell Face Recognition",
    "authors": [
      "Raniyah Wazirali",
      "Fatma Foad Ashrif",
      "Rami Ahmad"
    ],
    "date": "2026",
    "platform": "doaj",
    "sourceUrl": "https://ieeexplore.ieee.org/document/11373303/",
    "pdfUrl": "",
    "doi": "10.1109/access.2026.3662147",
    "abstract": "The rapid adoption of smart-home and Internet-of-Things (IoT) devices has intensified the need for privacy-preserving biometric authentication that is both secure and computationally efficient. This paper presents Hybrid-HE LLE, a practical framework that combines Locally Linear Embedding (LLE) with selective homomorphic encryption to protect face-recognition features in resource-constrained IoT environments. Unlike cloud-centric outsourcing, the proposed system performs all heavy linear-algebra operations within a semi-trusted Insider Hub, ensuring data sovereignty, low latency, and verifiable computation without revealing raw facial features. A sparse orthogonal or Toeplitz transform first obfuscates feature vectors, after which sensitive coefficients are selectively encrypted using CKKS-based polynomial encoding. Homomorphic hashing and optional zero-knowledge proofs guarantee the integrity and auditability of outsourced results. Experiments on the ORL and LFW datasets demonstrate over 94 % Rank-1 accuracy, while reducing client computation by 92 %, uplink bandwidth by 80 %, and energy usage by 55 %, with authentication latency below 120 ms on a Raspberry Pi 4-class edge device. The framework provides formal protection against IND-CPA, EUF-CMA, and IND-CCA adversaries and maintains compliance with GDPR/HIPAA requirements. Hybrid-HE LLE thus offers a scalable, secure, and real-time solution for privacy-preserving biometric access in modern IoT communication systems.",
    "topics": [
      "privacy_engineering",
      "biometric_surveillance",
      "power_knowledge_asymmetry",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement",
      "Solutions Market",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.708,
    "venue": "IEEE Access",
    "language": "en"
  },
  {
    "id": "doaj:9d3c0db6fb5244a8bd98006b0d300ebb",
    "title": "Legal Governance of Brain Data Derived from Artificial Intelligence",
    "authors": [
      "Mahika  Ahluwalia"
    ],
    "date": "2021",
    "platform": "doaj",
    "sourceUrl": "https://journals.library.columbia.edu/index.php/bioethics/article/view/8403",
    "pdfUrl": "",
    "doi": "10.52214/vib.v7i.8403",
    "abstract": "Photo by Josh Riemer on Unsplash\n\r\n\nIntroduction\n\r\n\nWith the rapid advancements in neurotechnological machinery and improved analytical insights from machine learning in neuroscience, the availability of big brain data has increased tremendously. Neurological health research is done using digitized brain data.[1] There must be adequate data governance to secure the privacy of subjects participating in brain research and treatments. If not properly regulated, the research methods could lead to significant breaches of the subject’s autonomy and privacy. This paper will address the necessity for neuroprotection laws, which effectively govern the use of big brain data to ensure respect for patient privacy and autonomy.\n\r\n\nBackground\n\r\n\nArtificial intelligence and machine learning can be integrated with neuroscience big brain data to drive research studies. This integrative technology allows patterns of electrical activity in neurons to be studied in detail.[2]Specifically, it uses a robotic system which can reason, plan, and exhibit biologically intelligent behavior. Machine learning is a method of computer programming where the code can adapt its behavior based on big brain data.[3] The big brain data is the collection of large amounts of information for the purpose of deciphering patterns through computer analysis using machine learning.[4] The information that these technologies provide is extensive enough to allow a researcher to read a patient’s mind. AI and machine learning technologies work by finding the underlying structure of brain data, which is then described by patterns known as latent factors, eventually resulting in an understanding of the brain’s temporal dynamics.[5]\n\r\n\nThrough these technologies, researchers are able to decipher how the human brain computes its performances and thoughts. 
However, due to the extensive and complex nature of the data processed through AI and machine learning, researchers may gain access to personal information a patient may not wish to reveal. From a bioethical lens, tensions arise in the realm of patient autonomy. Patients are not able to control the transmission of data from their brains that is analyzed by researchers. Governing brain data through laws may enhance the extent of patient privacy in the case where brain data is being used through AI technologies.[6] A responsible approach to governing brain data would require a sophisticated legal structure.\n\r\n\nAnalysis\n\r\n\nImpact on Patient Autonomy and Privacy \n\r\n\n In research pertaining to big brain data, the consent forms do not fully cover the vast amounts of information that is collected. According to research, personal data has become the most sought out commodity to provide content to corporations and the web-based service industry. Unfortunately, data leaks that release private information frequently occur.[7]  The storage of an individual’s data on technologies accessible on the internet during research studies makes it vulnerable to leaks, jeopardizing an individual’s privacy. These data leaks may cause the patient to be identified easily, as the degree of information provided by AI technologies are personalized and may be decoded through brain fingerprinting methods.[8]\n\r\n\nThere has been an extensive growth in the development and use of AI. It is efficient in providing information to radiologists who diagnose various diseases including brain cancer and psychiatric disease, and AI assists in the delivery of telemedicine.[9] However, the ethical pitfall of reduced patient autonomy must be addressed by analyzing current AI technologies and creating more options for patient preference in how the data may be used. 
For instance, facial recognition technology[10] commonly used in health care produces more information than listed in common consent forms, threatening to undermine informed consent. Facial recognition software collects extensive data and may disclose more information than a person would prefer to provide despite being a useful tool for diagnosing medical and genetic conditions.[11] In addition, people may not be aware that their images are being used to generate more clinical data for other purposes. It is difficult to guarantee the data is anonymized. Consent requirements must include informing people about the complexity of the potential uses of the data; software developers should maximize patient privacy.[12] Furthermore, there is a “human element” in the use of AI technologies as medical providers control the use and the extent to which data is captured or accessed through the AI technologies.[13] People must understand the scope of the technology and have clear communication with the physician or health care provider about how the medical information will be used.  \n\r\n\nExisting Laws for Brain Data Governance \n\r\n\nA strict system of defined legal responsibilities of medical providers will ensure a higher degree of patient privacy and autonomy when AI technologies and data from machine learning are used. Governing specific algorithmic data is crucial in safeguarding a patient’s privacy and developing a gold standard treatment protocol following the procurement of the information.[14] Certain AI technologies provide more data than others, and legal boundaries should be established to ensure strong performance, quality control, and scope for patient privacy and autonomy. For instance, currently AI technologies are being used in the realm of intensive neurological care. 
However, there is a significant level of patient uncertainty about how much control patients have over the data’s uses.[15] Calibrated legal and ethical standards will allow important brain data to be securely governed and monitored.\n\r\n\nOnce brain signals are recorded and processed from one individual, the data may be merged with other data in Brain Computer Interface Technology (BCI).[16] To ensure a right and ability to retrieve personal data or pull it from the collection, specific regulations for varying types of data are needed.[17] The importance of consent and patient privacy must be considered through giving patients a transparent view of how brain data is governed.[18] The legal system must address discriminatory issues and risks to patients whose data is used in studies. Laws like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Protection Act (CCPA) can serve as effective models to protect aggregated data. These laws govern consumer information and ensure the compliance when personal data is collected.[19] California voters recently approved expansion of the CCPA to health data. The Washington Privacy Act, which would have provided rights to access, change, and withdraw personal data, failed to pass.  Other states should improve privacy as well,[20] although a federal bill would be preferable. Scientists at the Heidelberg Academy of Sciences argue for data security to be governed in a manner that balances patient privacy and autonomy with the commercial interests of researchers.[21] The balance could be achieved through privacy protections like those in the Washington Privacy Act. 
Although the Health Insurance Portability and Accountability Act (HIPAA) provides an overall framework to deter the likelihood of dangers to patient protection and privacy, more thorough laws are warranted to combat pervasive data transfer and analysis that technology has brought to the health care industry.[22] Breaches of patient privacy under current HIPAA regulations include releasing patient information to a reporter without their consent and sending HIV data to a patient’s employer without  consent.[23] HIPAA does not cover information being shared with outside contractors who do not have an agreement with technology companies to keep patient data confidential. HIPAA regulations also do not always address blatant breaches on patient data confidentiality.[24] Patients must be provided with methods to monitor the data being analyzed to be able to view the extent of private information being generated via AI technologies. In health research, the medical purposes of better diagnosis, earlier detection of diseases, or prevention are ethical justifications for the use of the data if it was collected with permission, the person understood and approved the uses of the data, and the data was deidentified.\n\r\n\nA standard governance framework is required in providing the fairest system of care to patients who allow their brain data to be examined. Informed consent in the neuroscience field could reaffirm the privacy and autonomy of patients by ensuring that they understand the type of information collected. Laws also could protect data after a patient’s death. Malpractice in the scope of brain data could give people a cause of action critical in safeguarding patient’s rights. Data breach lawsuits will become common but generally do not cover deidentified data that becomes part of big data collection. A more synchronized approach to the collection and consent process will encourage an understanding of how big data is used to diagnose and treat patients. 
Some altruistic people may even be more likely to consent if they know the largescale data collection is helpful to treat and diagnose people. Others should have the ability to opt out of sharing neurological data, especially when there is not certainty surrounding deidentification.[25]\n\r\n\nConclusion\n\r\n\nArtificial intelligence and machine learning technologies have the potential to aid in the diagnosis and treatment of people globally by extracting and aggregating brain data specific to individuals. However, the secure use of the data is necessary to build trust between care providers and patients, as well as in balancing the bioethical principles of beneficence and patient autonomy. We must ensure the highest quality of care to patients, while protecting their privacy, informed consent, and clinical trust. More sophisticated tools for informed consent will be necessary to ensure that people understand how their data may be used.\n\r\n\n[1] Kellmeyer, P. (2018). Big Brain Data: On the Responsible Use of Brain Data from Clinical and Consumer-Directed Neurotechnological Devices. Neuroethics. https://doi.org/10.1007/s12152-018-9371-x\n\r\n\n[2] Ethical Dimensions of Using Artificial Intelligence in Health Care. (2019). AMA Journal of Ethics, 21(2). https://doi.org/10.1001/amajethics.2019.121\n\r\n\n[3] Kellmeyer, P. (2018). Big Brain Data: On the Responsible Use of Brain Data from Clinical and Consumer-Directed Neurotechnological Devices. Neuroethics. https://doi.org/10.1007/s12152-018-9371-x\n\r\n\n[4] Kellmeyer, P. (2018). Big Brain Data: On the Responsible Use of Brain Data from Clinical and Consumer-Directed Neurotechnological Devices. Neuroethics. https://doi.org/10.1007/s12152-018-9371-x\n\r\n\n[5] Savage, N. (2019, July 24). How AI and neuroscience drive each other forwards. Nature News. https://www.nature.com/articles/d41586-019-02212-4.\n\r\n\n[6] Fothergill, B. T., Knight, W., Stahl, B. C., & Ulnicane, I. (2019). 
Responsible Data Governance of Neuroscience Big Data. Frontiers in Neuroinformatics, 13. https://doi.org/10.3389/fninf.2019.00028\n\r\n\n[7] Kayaalp, M. (2018). Patient Privacy in the Era of Big Data. Balkan Medical Journal, 35(1), 8–17. https://doi.org/10.4274/balkanmedj.2017.0966\n\r\n\n  https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5820452/\n\r\n\n[8] Kellmeyer, P. (2018). Big Brain Data: On the Responsible Use of Brain Data from Clinical and Consumer-Directed Neurotechnological Devices. Neuroethics. https://doi.org/10.1007/s12152-018-9371-x\n\r\n\n[9] Ethical Dimensions of Using Artificial Intelligence in Health Care. (2019). AMA Journal of Ethics, 21(2). https://doi.org/10.1001/amajethics.2019.121\n\r\n\n[10]Martinez-Martin, Nicole. “What Are Important Ethical Implications of Using Facial Recognition Technology in Health Care?” AMA Journal of Ethics 21, no. 2 (2019). https://doi.org/10.1001/amajethics.2019.180.\n\r\n\n[11] Kayaalp, M. (2018). Patient Privacy in the Era of Big Data. Balkan Medical Journal, 35(1), 8–17. https://doi.org/10.4274/balkanmedj.2017.0966\n\r\n\n[12] Martinez-Martin, Nicole. “What Are Important Ethical Implications of Using Facial Recognition Technology in Health Care?” AMA Journal of Ethics 21, no. 2 (2019). https://doi.org/10.1001/amajethics.2019.180.\n\r\n\n[13] Kayaalp, M. (2018). Patient Privacy in the Era of Big Data. Balkan Medical Journal, 35(1), 8–17. https://doi.org/10.4274/balkanmedj.2017.0966\n\r\n\n[14] Kayaalp, M. (2018). Patient Privacy in the Era of Big Data. Balkan Medical Journal, 35(1), 8–17. https://doi.org/10.4274/balkanmedj.2017.0966\n\r\n\n[15] Kayaalp, M. (2018). Patient Privacy in the Era of Big Data. Balkan Medical Journal, 35(1), 8–17. https://doi.org/10.4274/balkanmedj.2017.0966\n\r\n\n[16] Beets, R. (n.d.). Webinar Data Governance. International Neuroethics Society. https://www.neuroethicssociety.org/webinar-data-2021.\n\r\n\n[17] Price, W. Nicholson, 2nd, and I. Glen Cohen. 
Privacy in the Age of Medical Big Data. Nat Med. 2019;25(1):37-43. doi:10.1038/s41591-018-0272-7\n\r\n\n[18] Price, W. Nicholson, 2nd, and I. Glen Cohen. Privacy in the Age of Medical Big Data. Nat Med. 2019;25(1):37-43. doi:10.1038/s41591-018-0272-7\n\r\n\n[19] Price, W. Nicholson, 2nd, and I. Glen Cohen. Privacy in the Age of Medical Big Data. Nat Med. 2019;25(1):37-43. doi:10.1038/s41591-018-0272-7\n\r\n\n[20] Grey, Stacey. “A New US Model for Privacy? Comparing the Washington Privacy Act to GDPR, CCPA, and More.” Future of Privacy Forum, https://fpf.org/blog/a-new-model-for-privacy-in-a-new-era-evaluating-the-washington-privacy-act/\n\r\n\n \n\r\n\n[21] Beets, R. (n.d.). Webinar Data Governance. International Neuroethics Society. https://www.neuroethicssociety.org/webinar-data-2021.\n\r\n\n[22] Pasquale, Frank. “Protecting Health Privacy in an Era of Big Data Processing and Cloud Computing.” Stanford Technology Law Review 17, no. 2 (2014). https://ncvhs.hhs.gov/wp-content/uploads/2017/11/Pasquale-Ragone-Protecting-Health-Privacy-in-an-Era-of-Big-Data-508.pdf\n\r\n\n[23] Vanderpool D. HIPAA Compliance: A Common Sense Approach. Innov Clin Neurosci. 2019;16(1-2):38-41\n\r\n\n[24] Vanderpool D. HIPAA Compliance: A Common Sense Approach. Innov Clin Neurosci. 2019;16(1-2):38-41\n\r\n\n[25] Zimmerman, A. (2020). Marketing madness: The disingenuous use of free speech by big data and big pharma to the detriment of medical data privacy. Voices in Bioethics, 6. https://doi.org/10.7916/vib.v6i.5901",
    "topics": [
      "gdpr_compliance",
      "biometric_surveillance",
      "sector_healthcare"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement",
      "Health & Genomic PII"
    ],
    "relevanceScore": 0.708,
    "venue": "Voices in Bioethics",
    "language": "en"
  },
  {
    "id": "openaire:10.20944/preprints202506.1284.v1",
    "title": "Federated Learning with Differential Privacy for Sensitive Domains",
    "authors": [
      "James Henderson",
      "Racheal Writz"
    ],
    "date": "2025-06-16",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.20944/preprints202506.1284.v1",
    "pdfUrl": "https://www.preprints.org/frontend/manuscript/8eef967d574a91acf338c33d5f489048/download_pub",
    "doi": "10.20944/preprints202506.1284.v1",
    "abstract": "<jats:p>Federated Learning (FL) has emerged as a powerful paradigm for training machine learning models across decentralized data sources while preserving data privacy. This approach is particularly beneficial in sensitive domains such as healthcare, finance, and telecommunications, where data privacy and regulatory compliance are paramount. This paper explores the integration of Federated Learning with Differential Privacy (DP) to enhance privacy guarantees during the training process. By allowing multiple entities to collaboratively train models without sharing raw data, FL mitigates the risks associated with centralized data storage. We detail the theoretical foundations of both Federated Learning and Differential Privacy, highlighting their complementary strengths in safeguarding sensitive information. Our empirical evaluations demonstrate the effectiveness of this integrated approach, showing that it can maintain model accuracy while significantly reducing the risk of privacy breaches. We present case studies in healthcare and financial services, illustrating how Federated Learning with Differential Privacy can be applied to real-world scenarios, ensuring compliance with regulations like HIPAA and GDPR. Furthermore, we discuss the trade-offs involved in implementing these techniques, including the impact on model performance and computational efficiency. The findings underscore the potential of Federated Learning combined with Differential Privacy as a robust framework for developing privacy-preserving machine learning solutions in sensitive domains. This research contributes to the ongoing discourse on ethical AI deployment, providing a pathway for leveraging advanced analytics while prioritizing user privacy and data security.</jats:p>",
    "topics": [
      "data_anonymization",
      "privacy_engineering",
      "ai_governance",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.708,
    "venue": "",
    "language": "en"
  },
  {
    "id": "europepmc:PPR1037685",
    "title": "Privacy-Preserving Natural Language Processing for Clinical Notes",
    "authors": [
      "Henderson J",
      "Pearson M."
    ],
    "date": "2025-06-17",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.20944/preprints202506.1413.v1",
    "pdfUrl": "https://www.preprints.org/frontend/manuscript/0081a74a16df4f569da4d8faa33f1d36/download_pub",
    "doi": "10.20944/preprints202506.1413.v1",
    "abstract": "The increasing adoption of Natural Language Processing (NLP) in healthcare has the potential to transform clinical practices by enabling the efficient extraction of insights from unstructured clinical notes. However, the sensitive nature of patient information contained within these notes raises significant privacy concerns, necessitating robust privacy-preserving methods. This paper explores the integration of privacy-preserving techniques in NLP applications designed for clinical notes, addressing the dual objectives of maintaining patient confidentiality and leveraging the rich data for clinical decision-making. We begin by reviewing existing privacy regulations and the ethical implications of handling sensitive healthcare data. The study then examines various privacy-preserving methodologies, including differential privacy, federated learning, and homomorphic encryption, highlighting their applicability in the context of NLP. Empirical evaluations demonstrate the effectiveness of these techniques in safeguarding patient information while preserving the utility of NLP models. The findings underscore the importance of developing privacy-aware NLP frameworks that balance the need for data-driven insights with stringent privacy requirements. By proposing a comprehensive approach to privacy-preserving NLP in clinical settings, this research contributes to the ongoing discourse on ethical AI deployment in healthcare, ultimately fostering greater trust and security in the use of advanced analytics for patient care.",
    "topics": [
      "data_anonymization",
      "privacy_engineering",
      "ai_governance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.708,
    "venue": "",
    "language": "de"
  },
  {
    "id": "europepmc:PPR1017613",
    "title": "Decentralized Data Governance and Regulatory Compliance in Federated Learning and Edge Computing for Healthcare",
    "authors": [
      "Habu J",
      "Dhabariya AS",
      "Pal BL",
      "Abubakar FA."
    ],
    "date": "2025-05-09",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.21203/rs.3.rs-6295183/v1",
    "pdfUrl": "https://www.researchsquare.com/article/rs-6295183/latest.pdf",
    "doi": "10.21203/rs.3.rs-6295183/v1",
    "abstract": "<title>Abstract</title>  <p>The paper examines the integration of decentralized data governance and regulatory compliance in the framework of federated learning and edge computing for healthcare. The cumulative reliance on digital technologies in healthcare enforces strong frameworks that ensure data privacy, security, and regulatory adherence. Federated learning, which allows machine learning (ML) models to be trained across multiple decentralized devices without sharing raw data, and edge computing, which processes data near its source, tender hopeful resolutions. The study explores into the ideologies of decentralized data governance, highlighting its benefits in maintaining data locality, enhancing privacy, and improving security. By examining many privacy-preserving techniques i.e. differential privacy and homomorphic encryption, the study exemplifies how these methods can be effectively implemented within federated learning and edge computing frameworks. Moreover, the study addresses the critical aspect of regulatory compliance, focusing on key regulations such as the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA). Policies for ensuring compliance, including data encryption, access controls, and audit trails, are carefully studied. Through case studies and practical implementations, the paper demonstrates the feasibility and advantages of combining decentralized data governance with federated learning and edge computing.</p>",
    "topics": [
      "gdpr_compliance",
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.708,
    "venue": "",
    "language": "de"
  },
  {
    "id": "doaj:0b6929f928034809851763c5e879528c",
    "title": "Privacy Protection Optimization in Federated Learning",
    "authors": [
      "Zhou Xinyi"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://www.itm-conferences.org/articles/itmconf/pdf/2025/09/itmconf_cseit2025_04003.pdf",
    "pdfUrl": "https://www.itm-conferences.org/articles/itmconf/pdf/2025/09/itmconf_cseit2025_04003.pdf",
    "doi": "10.1051/itmconf/20257804003",
    "abstract": "Federated learning has emerged as a promising distributed machine learning paradigm that enables collaborative model training while preserving data privacy. However, the increasing sophistication of privacy attacks and evolving regulatory requirements have exposed critical vulnerabilities in current FL systems. This paper provides a comprehensive analysis of privacy threats in federated learning, identifying three primary attack surfaces: gradient-based reconstruction, aggregation-phase breaches, and membership leakage during participant selection. This paper examines how these vulnerabilities manifest differently across healthcare, financial, and industrial applications, with sector-specific risks ranging from medical image reconstruction to inference of sensitive financial attributes. The study systematically evaluates three categories of defense mechanisms: differential privacy techniques (including adaptive noise injection and hybrid approaches), cryptographic methods (homomorphic encryption and secure multi-party computation), and blockchain-based distributed architectures. This paper analyzes the inherent trade-offs between privacy protection and model performance, presenting optimization strategies such as adaptive privacy budgeting and lightweight encryption to mitigate accuracy degradation. The paper further discusses compliance challenges posed by emerging regulations like the EU AI Act and FDA guidelines, highlighting the need for verifiable privacy proofs in sensitive domains. Finally, this paper concludes with a summary and outlook.",
    "topics": [
      "privacy_engineering",
      "data_anonymization",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Sector Regulations",
      "Solutions Market"
    ],
    "relevanceScore": 0.708,
    "venue": "ITM Web of Conferences",
    "language": "en"
  },
  {
    "id": "doaj:0bf0ae658e874efb8d32a1f35a60737e",
    "title": "Trustfed a scalable privacy preserving federated AI framework for industrial IoT healthcare and finance",
    "authors": [
      "Dileep Kumar Murala",
      "K. Madhura",
      "Veera Ankalu Vuyyuru",
      "K. Vara Prasada Rao",
      "Eric Hitimana"
    ],
    "date": "2026",
    "platform": "doaj",
    "sourceUrl": "https://doi.org/10.1007/s43926-025-00276-5",
    "pdfUrl": "",
    "doi": "10.1007/s43926-025-00276-5",
    "abstract": "Abstract The integration of AI, IoT, and edge–cloud computing is accelerating smart industrial system improvements, particularly in healthcare and finance. This paper presents TrustFed, a secure and privacy-preserving federated AI platform, to address IIoT data privacy, security, and scalability issues. TrustFed uses Intel SGX–based trusted execution, Federated Deep Learning (FDL), Differential Privacy (DP), PCA-driven feature reduction, and encryption-based secure aggregation for decentralised model training confidentiality and robustness. Two privacy-aware face recognition and brain tumour classification use cases verify the system, showing better accuracy, reduced communication overhead, and robustness to inference and poisoning assaults. TrustFed improves data privacy and performance, adding scientific value to secure AI adoption in large-scale smart industrial environments.",
    "topics": [
      "privacy_engineering",
      "data_anonymization",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Biometric & Immutable PII",
      "Solutions Market"
    ],
    "relevanceScore": 0.708,
    "venue": "Discover Internet of Things",
    "language": "en"
  },
  {
    "id": "arxiv:2408.08904",
    "title": "Privacy in Federated Learning",
    "authors": [
      "Jaydip Sen",
      "Hetvi Waghela",
      "Sneha Rakshit"
    ],
    "date": "2024-08-12",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2408.08904v1",
    "pdfUrl": "https://arxiv.org/pdf/2408.08904v1",
    "doi": "10.5772/intechopen.1003421",
    "abstract": "Federated Learning (FL) represents a significant advancement in distributed machine learning, enabling multiple participants to collaboratively train models without sharing raw data. This decentralized approach enhances privacy by keeping data on local devices. However, FL introduces new privacy challenges, as model updates shared during training can inadvertently leak sensitive information. This chapter delves into the core privacy concerns within FL, including the risks of data reconstruction, model inversion attacks, and membership inference. It explores various privacy-preserving techniques, such as Differential Privacy (DP) and Secure Multi-Party Computation (SMPC), which are designed to mitigate these risks. The chapter also examines the trade-offs between model accuracy and privacy, emphasizing the importance of balancing these factors in practical implementations. Furthermore, it discusses the role of regulatory frameworks, such as GDPR, in shaping the privacy standards for FL. By providing a comprehensive overview of the current state of privacy in FL, this chapter aims to equip researchers and practitioners with the knowledge necessary to navigate the complexities of secure federated learning environments. The discussion highlights both the potential and limitations of existing privacy-enhancing techniques, offering insights into future research directions and the development of more robust solutions.",
    "topics": [
      "privacy_engineering",
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.708,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::af0e56571191394618a483681f49c29e",
    "title": "LLM Access Shield: Domain-Specific LLM Framework for Privacy Policy Compliance",
    "authors": [
      "Wang, Yu",
      "Cai, Cailing",
      "Xiao, Zhihua",
      "Lam, Peifung E."
    ],
    "date": "2025-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.48550/arxiv.2505.17145",
    "pdfUrl": "",
    "doi": "10.48550/arxiv.2505.17145",
    "abstract": "Large language models (LLMs) are increasingly applied in fields such as finance, education, and governance due to their ability to generate human-like text and adapt to specialized tasks. However, their widespread adoption raises critical concerns about data privacy and security, including the risk of sensitive data exposure.  In this paper, we propose a security framework to enforce policy compliance and mitigate risks in LLM interactions. Our approach introduces three key innovations: (i) LLM-based policy enforcement: a customizable mechanism that enhances domain-specific detection of sensitive data. (ii) Dynamic policy customization: real-time policy adaptation and enforcement during user-LLM interactions to ensure compliance with evolving security requirements. (iii) Sensitive data anonymization: a format-preserving encryption technique that protects sensitive information while maintaining contextual integrity. Experimental results demonstrate that our framework effectively mitigates security risks while preserving the functional accuracy of LLM-driven tasks.",
    "topics": [
      "gdpr_compliance",
      "reversible_anonymization",
      "data_breach_incident",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Re-identification"
    ],
    "relevanceScore": 0.708,
    "venue": "arXiv.org",
    "language": "en"
  },
  {
    "id": "openaire:10.53555/kuey.v29i4.10965",
    "title": "Privacy-Preserving Machine Learning Models for Sensitive Customer Data in Insurance Systems",
    "authors": [
      "Keerthi Amistapuram"
    ],
    "date": "2024-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.53555/kuey.v29i4.10965",
    "pdfUrl": "https://kuey.net/index.php/kuey/article/download/10965/8549",
    "doi": "10.53555/kuey.v29i4.10965",
    "abstract": "<jats:p>The insurance industry is exploring the use of machine learning (ML) models to leverage the huge volume of customer data for of-the-moment business decisions. It is, however, extremely sensitive information. From a design per- spective, data attribute utility should be carefully balanced with privacy guarantees, particularly when sensitive customer data is involved. Privacy risks can be mitigated by using techniques that reduce and control the amount of sensitive information exposed during the training and use of ML models. A wide spectrum of privacy-preserving machine learning solutions has been developed. They are based on a comprehensive view of data protection-impact assessments under privacy laws and reg- ulations, subsequently consolidating the specific requirements for both personal identifiable information (PII) and personal health identifiable (PHI) information. For sufficiently large datasets, fair ML solutions with differential privacy-DPIA compliance can be obtained without compromising model performance. Notably, certain ML tasks, such as risk scoring and underwriting, can be accomplished with very close-to-the-source data while preserving DP-compliance for protected attributes. Risk scoring and underwriting processes are performed under the control of one institution, while fraud detection and claims management procedures apply an anomaly-detection-based architecture. For sensitive attributes such as health data, disparity in training data volume can be solved by transferring knowledge through privacy-preserving federated learning. Sensitive attributes with low entropy are avoided at prediction time to mitigate the associated disclosure risk. For such features, privacy and risk evaluation techniques such as k-anonymity and ℓ-diversity are embedded into the data-governance step, ensuring that the data support radarized and risk-aware disclosures when exposed to third parties.</jats:p>",
    "topics": [
      "privacy_engineering",
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.708,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1145/3715779",
    "title": "Protecting Privacy in Software Logs: What Should Be Anonymized?",
    "authors": [
      "Roozbeh Aghili",
      "Heng Li",
      "Foutse Khomh"
    ],
    "date": "2025-06-19",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1145/3715779",
    "pdfUrl": "",
    "doi": "10.1145/3715779",
    "abstract": "<jats:p>             Software logs, generated during the runtime of software systems, are essential for various development and analysis activities, such as anomaly detection and failure diagnosis. However, the presence of sensitive information in these logs poses significant privacy concerns, particularly regarding             <jats:italic toggle=\"yes\">Personally Identifiable Information (PII)</jats:italic>             and quasi-identifiers that could lead to re-identification risks. While general data privacy has been extensively studied, the specific domain of privacy in software logs remains underexplored, with inconsistent definitions of sensitivity and a lack of standardized guidelines for anonymization. To mitigate this gap, this study offers a comprehensive analysis of privacy in software logs from multiple perspectives. We start by performing an analysis of 25 publicly available log datasets to identify potentially sensitive attributes. Based on the result of this step, we focus on three perspectives: privacy regulations, research literature, and industry practices. We first analyze key data privacy regulations, such as the             <jats:italic toggle=\"yes\">General Data Protection Regulation (GDPR)</jats:italic>             and the             <jats:italic toggle=\"yes\">California Consumer Privacy Act (CCPA)</jats:italic>             , to understand the legal requirements concerning sensitive information in logs. Second, we conduct a systematic literature review to identify common privacy attributes and practices in log anonymization, revealing gaps in existing approaches. Finally, we survey 45 industry professionals to capture practical insights on log anonymization practices. Our findings shed light on various perspectives of log privacy and reveal industry challenges, such as technical and efficiency issues while highlighting the need for standardized guidelines. 
By combining insights from regulatory, academic, and industry perspectives, our study aim",
    "topics": [
      "gdpr_compliance",
      "linkability_tracking",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Re-identification"
    ],
    "relevanceScore": 0.708,
    "venue": "Proc. ACM Softw. Eng.",
    "language": "en"
  },
  {
    "id": "openaire:10.58631/injurity.v4i7.1451",
    "title": "Optimization of Personal Data Rights Protection in Artificial Intelligence Era Under Indonesia’s Cybersecurity Law",
    "authors": [
      "Dwi Nugroho Masudianto",
      "Megawati Barthos"
    ],
    "date": "2025-07-08",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.58631/injurity.v4i7.1451",
    "pdfUrl": "",
    "doi": "10.58631/injurity.v4i7.1451",
    "abstract": "<jats:p>The unclear regulation regarding Artificial Intelligence (AI) in Law Number 27 of 2022 concerning Personal Data Protection (UU PDP) poses significant challenges in personal data protection in Indonesia, especially in automatic data processing, algorithm transparency, and accountability for AI-based decisions. The current PDP Law focuses on general data protection without explicitly regulating how AI can process, store, and use personal data, thus creating legal loopholes that can be exploited by various parties. The main risks that arise include data exploitation without consent, information leakage, data scraping, and discrimination due to algorithmic bias that may harm certain individuals or groups. In addition, the black box problem phenomenon in AI-based decision-making further complicates legal accountability because the system works in a complex and difficult-to-understand way. Without strict regulations, certain companies or entities can use AI to make decisions that impact individuals without transparency or legal mechanisms that allow data subjects to sue or request explanations. Compared to the EU General Data Protection Regulation (GDPR) which has set transparency and accountability of AI systems laws, the PDP Law has yet to adopt concepts such as Explainable AI (XAI), which ensures that AI decisions can be understood by humans. Therefore, this study highlights the urgency of strengthening personal data protection regulations that cover the use of AI by referring to global practices to create a balance between technological innovation and the protection of individual rights.</jats:p>",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.708,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:0959-6941(20200801)31:4;1-T",
    "title": "Artificial Intelligence and Transparency: A Blueprint for Improving the Regulation of AI Applications in the EU",
    "authors": [
      "Ognyan Seizov",
      "Alexander J. Wulf"
    ],
    "date": "2020-08-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.54648/eulr2020024",
    "pdfUrl": "",
    "doi": "10.54648/eulr2020024",
    "abstract": "<jats:p>The adoption of Artificial Intelligence is steadily increasing, but the underlying algorithms have become so complex that they are no longer transparent. The EU has introduced some modest AI transparency requirements as part of its General Data Protection Regulation. However, two years after their introduction, the effectiveness of these rules remains questionable. Our aim is to contribute towards the further development of a governance framework for AI. We begin by explaining how the algorithms that enable the speed and data processing power of AI also obscure its transparency. We review how major guidelines on AI ethics operationalize algorithmic transparency, following which we assess whether these principles are adequately covered by the GDPR. We then present the results of semi-structured interviews of a heterogeneous sample of stakeholders of consumer information online (N=75). Our data provide evidence that the current implementation of the EU’s informed consumer paradigm fails to establish a satisfactory level of consumer protection and information online. If simple technological applications such as cookies remain non-transparent to consumers, the current approaches are entirely incapable of addressing the problem of complex AI applications. We conclude by formulating a policy proposal as to how the transparency of AI applications could be improved from the perspective of end users.</jats:p> <jats:p>artificial intelligence, explainable AI, automated individual decision-making, profiling, consumer protection, data protection, GDPR, information disclosures, transparency, AI ethics</jats:p>",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry",
      "ai_governance"
    ],
    "painPointTracks": [
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.708,
    "venue": "European Business Law Review",
    "language": "en"
  },
  {
    "id": "openaire:26663570(20240301)5:1;1-Z",
    "title": "The EU Artificial Intelligence (AI) Act: An Introduction",
    "authors": [
      "Ceyhun Necati Pehlivan"
    ],
    "date": "2024-03-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.54648/gplr2024004",
    "pdfUrl": "",
    "doi": "10.54648/gplr2024004",
    "abstract": "<jats:p><jats:italic>As part of its digital strategy, the European Commission proposed the world’s first-ever comprehensive legal framework on AI in April 2021. In December 2023, the Council and the Parliament reached a political agreement on the EU’s new Artificial Intelligence Act (AI Act). The AI Act follows a risk-based approach and aims to ensure that AI systems placed on or used in the EU market are safe and respect fundamental rights. The AI Act is expected to become a model for AI governance worldwide in a similar way that the General Data Protection Regulation (GDPR) has influenced data protection regulation beyond European borders. While technical negotiations on the final text are ongoing and the final wording of the provisional agreement is not yet public, this article aims at providing a detailed overview and analysis of the upcoming provisions and requirements of the AI Act based on public (and some non-public) reports and press releases on the political agreement reached by the Council and the Parliament.</jats:italic></jats:p> <jats:p>AI Act, EU, Artificial Intelligence, AI, AI Systems, High-Risk, General Purpose, GPAI, Generative AI, Foundation Models, ChatGPT</jats:p>",
    "topics": [
      "gdpr_compliance",
      "ai_governance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.708,
    "venue": "Global Privacy Law Review",
    "language": "en"
  },
  {
    "id": "openaire:10.24144/2788-6018.2025.04.2.24",
    "title": "The Supervision of EU National Data Protection Authorities over personal data processing by AI Systems (The case of ChatGPT)",
    "authors": [
      "A. O. Hachkevych"
    ],
    "date": "2025-09-11",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.24144/2788-6018.2025.04.2.24",
    "pdfUrl": "",
    "doi": "10.24144/2788-6018.2025.04.2.24",
    "abstract": "<jats:p>The article addresses the issue of personal data protection in the context of the rapid development and proliferation of artificial intelligence. This issue once again highlights the complex relationship between human rights and emerging technologies. The focus is on the legitimacy of processing personal data by AI systems, taking into account the experiences of EU national data protection authorities supervisory activities. The growing interest in AI-related human rights issues, among other things, stems from the dependence of artificial intelligence on vast amounts of information, including personal data. To be as helpful as possible, AI systems should be provided with extensive input of data. Among the AI systems widely used today, chatbots based on artificial intelligence, particularly ChatGPT by OpenAI, have gained significant popularity due to their ability to mimic human communication skills. The development and use of such chatbots is accompanied by the emergence of dangers to personal data protection, which the EU national data protection authorities have already noted. The article outlines the specifics of the legal status of EU national data protection authorities and lists their powers designed to ensure that personal data processing by AI systems complies with the stringent standards of the General Data Protection Regulation. The author thoroughly examines the case of Garante of Italy v. OpenAI that revolves around data protection violations revealed by the Italian national data protection authority due to the lack of GDPR compliance regarding how ChatGPT operates. The article also summarizes cases involving OpenAI and initiated by AEPD of Spain, UODO of Poland, and complaints addressed to Datenschutzbehörde of Austria and Datatilsynet of Norway. The findings of this study may contribute to enhancing Ukraine’s personal data protection system. 
It is essential for national authorities responsible for monitoring and enforcing personal data protecti",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.708,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::d218d25ab7bb48c3f484aa0107765bae",
    "title": "Analysis of the Impacts of European Union Regulations and Acts on Virtual Worlds",
    "authors": [
      "Runde, Christoph",
      "Perey, Christine"
    ],
    "date": "2025-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.6084/m9.figshare.29400131.v1",
    "pdfUrl": "",
    "doi": "10.6084/m9.figshare.29400131.v1",
    "abstract": "The document “EU Regulations and their Impacts on Virtual Worlds” analyzes how existing and upcoming European Union regulations influence the development, governance, and usage of virtual worlds and the Metaverse. It explores legislation such as the Digital Services Act, AI Act, Data Governance Act, and GDPR, emphasizing their relevance for privacy, content moderation, algorithmic transparency, and data protection in immersive environments. The report also discusses regulatory fragmentation, innovation barriers, and the need for legal clarity. It concludes with recommendations for coordinated EU-level action, harmonized enforcement, and anticipatory regulatory frameworks to support responsible, inclusive, and competitive virtual world ecosystems.",
    "topics": [
      "jurisdiction_regulatory",
      "power_knowledge_asymmetry",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.708,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.55908/sdgs.v13i4.4396",
    "title": "IS THERE ANY PERSONAL DATA PROTECTION IN THE CORE TAX ADMINISTRATION SYSTEM?",
    "authors": [
      "Loso Judijanto"
    ],
    "date": "2025-04-29",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.55908/sdgs.v13i4.4396",
    "pdfUrl": "",
    "doi": "10.55908/sdgs.v13i4.4396",
    "abstract": "<jats:p>Objective: This study examines the adequacy of personal data protection within Indonesia’s Core Tax Administration System (CTAS), focusing on compliance with the national Personal Data Protection Law and alignment with international standards.   Theoretical Framework: The research is grounded in legal and regulatory analysis, referencing Indonesia’s Personal Data Protection Law (UU PDP) and international frameworks such as the EU’s GDPR and Canada’s PIPEDA, to evaluate the protection of taxpayer data in digital tax administration systems   Method: A qualitative approach is utilized, involving literature review, document analysis of relevant laws and policies, and comparative analysis with data protection practices in other jurisdictions. The study synthesizes findings from academic sources, legal documents, and international case studies   Results and Discussion: The findings reveal significant gaps in the implementation of personal data protection in CTAS. Despite the enactment of the PDP Law, Indonesia lacks specific regulations and enforcement mechanisms tailored to the tax sector, leaving sensitive taxpayer data vulnerable to unauthorized access, misuse, and breaches. Comparative analysis highlights that international best practices require clear guidelines, robust security protocols (such as encryption and access controls), regular audits, and a culture of transparency and accountability. The absence of a dedicated data protection authority and insufficient employee training further exacerbate risks   Research Implications: The study underscores the urgent need for Indonesia to strengthen its legal and operational framework for data protection in tax administration. 
Recommendations include developing sector-specific regulations, enhancing technological safeguards, instituting regular audits, and fostering public awareness to ensure taxpayer trust and system integrity   Originality/Value: This research provides a comprehensive, context-specific analysis ",
    "topics": [
      "data_anonymization",
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.708,
    "venue": "",
    "language": "en"
  },
  {
    "id": "europepmc:40481871",
    "title": "De-identification of medical imaging data: a comprehensive tool for ensuring patient privacy.",
    "authors": [
      "Rempe M",
      "Heine L",
      "Seibold C",
      "Hörst F",
      "Kleesiek J."
    ],
    "date": "2025-06-07",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1007/s00330-025-11695-x",
    "pdfUrl": "https://europepmc.org/articles/PMC12634758?pdf=render",
    "doi": "10.1007/s00330-025-11695-x",
    "abstract": "<h4>Objectives</h4>Medical imaging data employed in research frequently comprises sensitive Protected Health Information (PHI) and Personal Identifiable Information (PII), which is subject to rigorous legal frameworks such as the General Data Protection Regulation (GDPR) or the Health Insurance Portability and Accountability Act (HIPAA). Consequently, these types of data must be de-identified prior to utilization, which presents a significant challenge for many researchers. Given the vast array of medical imaging data, it is necessary to employ a variety of de-identification techniques.<h4>Materials and methods</h4>To facilitate the de-identification process for medical imaging data, we have developed an open-source tool that can be used to de-identify Digital Imaging and Communications in Medicine (DICOM) magnetic resonance images, computer tomography images, whole slide images and magnetic resonance twix raw data. Furthermore, the implementation of a neural network enables the removal of text within the images.<h4>Results</h4>The proposed tool reaches comparable results to current state-of-the-art algorithms at reduced computational time (up to × 265). The tool also manages to fully de-identify image data of various types, such as Neuroimaging Informatics Technology Initiative (NIfTI) or Whole Slide Image (WSI-)DICOMS.<h4>Conclusion</h4>The proposed tool automates an elaborate de-identification pipeline for multiple types of inputs, reducing the need for additional tools used for de-identification of imaging data.<h4>Key points</h4>Question How can researchers effectively de-identify sensitive medical imaging data while complying with legal frameworks to protect patient health information? Findings We developed an open-source tool that automates the de-identification of various medical imaging formats, enhancing the efficiency of de-identification processes. 
Clinical relevance This tool addresses the critical need for robust and user-friendly de-identification sol",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "sector_healthcare"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Health & Genomic PII"
    ],
    "relevanceScore": 0.708,
    "venue": "European radiology",
    "language": "en"
  },
  {
    "id": "europepmc:40998104",
    "title": "Data sharing for responsible artificial intelligence in dentistry: a narrative review of legal frameworks and privacy-preserving techniques.",
    "authors": [
      "Brinz J",
      "Eslamiamirabadi N",
      "Salamati A",
      "Tresp V",
      "Schwendicke F",
      "Tichy A."
    ],
    "date": "2025-09-23",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1016/j.jdent.2025.106130",
    "pdfUrl": "",
    "doi": "10.1016/j.jdent.2025.106130",
    "abstract": "<h4>Objectives</h4>Data sharing is essential for ensuring research reproducibility and for developing generalizable artificial intelligence (AI) systems, but it demands robust safeguards for patient privacy. This narrative review aims to guide dental clinicians and researchers in sharing patient data responsibly while preserving confidentiality.<h4>Data</h4>Dental patient data include radiographs, (cone beam) CTs, photographs, intraoral scans, tabular data, and electronic health records. These datasets are often heterogeneous, distributed across institutions, and subject to strict privacy regulations. Handling and sharing such sensitive data requires secure, privacy-preserving techniques to ensure compliance with legal and ethical standards.<h4>Sources</h4>PubMed, Embase, Scopus, arXiv and Google Scholar were searched using keywords related to dentistry, data sharing, AI, and privacy-preserving techniques. Given the limited number of results relevant to dentistry, the search was extended to medicine. In parallel, we reviewed applicable regulatory frameworks such as the European Union (EU) General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), EU AI Act, and European Health Data Space (EHDS).<h4>Study selection</h4>We selected studies addressing data sharing in dentistry/medicine, de-identification, privacy-preserving techniques, and/or federated learning, as well as applicable regulatory frameworks. Most of the articles were peer-reviewed, but authoritative grey literature was included as well.<h4>Conclusions</h4>This review summarized legal and technical aspects of dental data sharing to enable compliant multi-institutional collaboration. 
Beyond AI in dentistry, which was primarily emphasized, responsible data sharing is integral to FAIR practice and strengthens transparency and reproducibility across dental and medical research.<h4>Clinical significance</h4>This review provides regulation-aligned guidance on de-iden",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.708,
    "venue": "Journal of dentistry",
    "language": "en"
  },
  {
    "id": "europepmc:39152232",
    "title": "EU-US data transfers: an enduring challenge for health research collaborations.",
    "authors": [
      "Lalova-Spinks T",
      "Valcke P",
      "Ioannidis JPA",
      "Huys I."
    ],
    "date": "2024-08-16",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1038/s41746-024-01205-6",
    "pdfUrl": "https://europepmc.org/articles/PMC11329736?pdf=render",
    "doi": "10.1038/s41746-024-01205-6",
    "abstract": "EU-US data transfers for health research remain a particularly thorny issue in view of the stringent rules of the EU General Data Protection Regulation (GDPR) and the challenges related to US mass surveillance programs, particularly the manner in which US law enforcement and national security agencies can access personal data originating from the EU. Since the entry into force of the GDPR, evidence of impeded collaborations is increasing, particularly in the case of sharing data with US public institutions. The adoption of a new EU-US adequacy decision in July 2023 does not hold the promise for a long-lasting solution due to the risks of being challenged and invalidated - yet again - at the Court of Justice of the EU. As the research community is calling for answers, the new proposal for a European Health Data Space regulation may hold a key to solving some of the existing issues. In this paper, we critically discuss the current rules and outline a possible way forward for transfers between public bodies.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.708,
    "venue": "NPJ digital medicine",
    "language": "en"
  },
  {
    "id": "europepmc:39346780",
    "title": "The new EU-US data protection framework's implications for healthcare.",
    "authors": [
      "Tschider C",
      "Compagnucci MC",
      "Minssen T."
    ],
    "date": "2024-07-01",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1093/jlb/lsae022",
    "pdfUrl": "https://europepmc.org/articles/PMC11427690?pdf=render",
    "doi": "10.1093/jlb/lsae022",
    "abstract": "In July 2023, the United States and the European Union introduced the Data Privacy Framework (DPF), introducing the third generation of cross-border data transfer agreements constituting adequacy with respect to personal data transfers under the General Data Protection Regulation (GDPR) between the European Union (EU) and the US. This framework may be used in cross-border healthcare and research relationships, which are highly desirable and increasingly essential to innovative health technology development and health services deployment. A reliable model meeting EU adequacy requirements could enhance the transfer of patient and research participant data. While the DPF might present a familiar terrain for US organizations, it also brings unique challenges. A notable concern is the ability of individual EU Member States to establish individual and additional requirements for health data that are more restrictive than GDPR requirements, which are not anticipated by the DPF. This article highlights the DPF's potential impact on the healthcare and research sectors, finding that the DPF may not provide the degree of lawful health data transfer desirable for healthcare entities. We examine the DPF against a background of existing Health Insurance Portability and Accountability Act obligations and other GDPR transfer tools to offer alternatives that can improve the likelihood of reliable, lawful health data transfer between the US and EU.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory",
      "enterprise_privacy_ops"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations",
      "Solutions Market"
    ],
    "relevanceScore": 0.708,
    "venue": "Journal of law and the biosciences",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4301398353",
    "title": "The future regulation of artificial intelligence systems in healthcare services and medical research in the European Union",
    "authors": [
      "János Mészáros",
      "Jusaku Minari",
      "Isabelle Huys"
    ],
    "date": "2022",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.3389/fgene.2022.927721",
    "pdfUrl": "https://www.frontiersin.org/articles/10.3389/fgene.2022.927721/pdf",
    "doi": "https://doi.org/10.3389/fgene.2022.927721",
    "abstract": "Despite its promising future, the application of artificial intelligence (AI) and automated decision-making in healthcare services and medical research faces several legal and ethical hurdles. The European Union (EU) is tackling these issues with the existing legal framework and drafting new regulations, such as the proposed AI Act. The EU General Data Protection Regulation (GDPR) partly regulates AI systems, with rules on processing personal data and protecting data subjects against solely automated decision-making. In healthcare services, (automated) decisions are made more frequently and rapidly. However, medical research focuses on innovation and efficacy, with less direct decisions on individuals. Therefore, the GDPR's restrictions on solely automated decision-making apply mainly to healthcare services, and the rights of patients and research participants may significantly differ. The proposed AI Act introduced a risk-based approach to AI systems based on the principles of ethical AI. We analysed the complex connection between the GDPR and AI Act, highlighting the main issues and finding ways to harmonise the principles of data protection and ethical AI. The proposed AI Act may complement the GDPR in healthcare services and medical research. Although several years may pass before the AI Act comes into force, many of its goals will be realised before that.",
    "topics": [
      "gdpr_compliance",
      "ai_governance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.708,
    "venue": "Frontiers in Genetics",
    "language": "en"
  },
  {
    "id": "doaj:532ed1730cb44fc1978039848076bb6c",
    "title": "Safeguarding Footballers’ Rights in European AI and Biometric Regulation",
    "authors": [
      "Elena García-Antón Palacios"
    ],
    "date": "2026",
    "platform": "doaj",
    "sourceUrl": "https://dirittodellosport.eu/?p=2723",
    "pdfUrl": "",
    "doi": "10.30682/disp0602d",
    "abstract": "The article analyses the legal impact of the use of digital technologies, electronic tracking systems and artificial intelligence (AI) in professional football, with a particular focus on the protection of players' rights. These innovations have transformed sports performance and tactical management, but they also pose significant legal challenges, particularly in terms of personal data protection. The study focuses on the application of the General Data Protection Regulation (GDPR) and the new AI Act (Regulation (EU) 2024/1689), assessing their effectiveness in safeguarding the privacy, identity and autonomy of footballers against the use of technologies such as tracking systems, workload monitoring platforms and biometric technologies. It also examines specific FIFA regulations and devotes a section to players' rights in relation to AI systems.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.708,
    "venue": "Diritto dello Sport",
    "language": "en"
  },
  {
    "id": "doaj:8885fc9cc9e0401fb6fdddcd4ae6f75e",
    "title": "Will AI “Subtly” Take Over Decision-making in the EU Migration Context? Warnings and Lessons from ETIAS and VIS",
    "authors": [
      "Lorenzo Gugliotta",
      "Abdullah Elbi"
    ],
    "date": "2024",
    "platform": "doaj",
    "sourceUrl": "https://www.europeanpapers.eu/en/e-journal/will-ai-subtly-take-over-decision-making-EU-migration-context-warnings-lessons-from-etias-vis",
    "pdfUrl": "",
    "doi": "10.15166/2499-8249/797",
    "abstract": "(Series Information) European Papers - A Journal on Law and Integration, 2024 9(3), 1018-1047 | Article | (Table of Contents) I. Introduction – II. AI in the EU Large-Scale Information Systems: The Case of ETIAS and VIS – II.1. ETIAS and VIS within Interoperability – II.2. ETIAS and VIS automated processing – II.3. How will the ETIAS and VIS automated processing work in practice? – III. The ETIAS and VIS Automated Processing and the Legal Constraints of Decisions Based Solely on Automated Means – III.1. The general rule in Article 22 GDPR and Article 24 EUDPR – III.2. Condition I: The result of ETIAS and VIS automated processing: A decision that significantly affects data subjects? – III.3. Condition II: Safeguards for data subjects - IV. Conclusions | (Abstract) In 2019, the EU laid down the groundwork for interoperability in the Area of Freedom, Security and Justice, envisaging the use of algorithmic tools that can qualify as AI systems under the AI Act. AI tools used by EU migration databases are subject to the safeguards and the protective measures for individuals provided for under the AI Act, such as art. 86 thereof. However, given the fundamental rights impact of AI technologies processing large amounts of personal data, it is worth focusing on data protection law as one of the main strongholds against violations caused by AI in EU border and migration systems. In this Article we apply data protection provisions on purely automated decisions and the Court of Justice’s case law to the AI-enabled processing envisaged under two information systems, ETIAS and VIS. This processing was conceived as a supporting tool for competent authorities. This Article argues that, despite aiming to avoid solely automated decisions, the ETIAS and VIS processing might inadvertently lead to automation “taking over” the decision-making process. By contrast, a substantive reading of art. 22(1) GDPR (and art. 
24(1) EUDPR) should not only prohibit decisions taken without any form of human involvement, but also decisions based on meaningless human involvement. As a result, the ETIAS and VIS processing may progressively reduce the extent to which human caseworkers review and question the AI-generated recommendations. By analysing the implications of the AI-enabled processing envisaged in the current EU border regulation, the Article seeks to draw useful lessons for further adoption of trustworthy AI in the border and security ecosystem.",
    "topics": [
      "gdpr_compliance",
      "ai_governance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.708,
    "venue": "European Papers",
    "language": "en"
  },
  {
    "id": "hal:5113823",
    "title": "Securing Financial Transactions: A Taxonomical Review of Cybersecurity Strategies in Banking",
    "authors": [
      "Pallavi Mane",
      "Shrawan Kumar Sharma"
    ],
    "date": "2024-11-12",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-05113823v1",
    "pdfUrl": "",
    "doi": "10.9734/bpi/bmerp/v7/2862",
    "abstract": "The financial sector has become one of the most heavily targeted industries for cyberattacks due to its vast repository of sensitive information and its pivotal role in the global economy. As banking institutions rapidly adopt digital technologies to enhance service delivery and customer experience, they are increasingly exposed to sophisticated cyber threats. This paper presents an extensive taxonomical review of the various cybersecurity strategies employed in the banking sector to secure financial transactions and protect against data breaches, financial fraud, and identity theft. The study categorizes existing cybersecurity mechanisms into distinct classes based on their core functionalities, technological frameworks, and applicability in different contexts of banking operations. The taxonomy is divided into preventive, detective, and corrective strategies, each covering a diverse set of techniques and tools. Preventive measures include encryption standards, secure coding practices, and robust authentication methods such as multi-factor authentication (MFA) and biometric verification. Detective strategies focus on real-time monitoring systems like intrusion detection systems (IDS), artificial intelligence (AI)-driven threat detection, and Security Information and Event Management (SIEM) solutions. Corrective strategies encompass incident response frameworks, disaster recovery plans, and data loss prevention (DLP) measures designed to mitigate damage in the aftermath of a cyberattack. One of the key contributions of this review is an in-depth evaluation of emerging technologies and their role in transforming banking cybersecurity. These include blockchain-based transaction validation, quantum cryptography, AI and machine learning algorithms for anomaly detection, and zero-trust architectures that enforce strict verification at every layer of the network. 
The paper discusses how these advanced solutions complement traditional security measures and create a multi-layered defense system capable of addressing the increasingly complex threat landscape. The review highlights the importance of regulatory compliance and international standards, such as the Payment Card Industry Data Security Standard (PCI-DSS), General Data Protection Regulation (GDPR), and ISO/IEC 27001, in shaping cybersecurity strategies within banking institutions. Adherence to these standards not only ensures legal compliance but also provides a foundational framework for implementing effective security controls. Furthermore, the study analyzes the cost-effectiveness of different cybersecurity strategies, considering the financial constraints and resource availability that often influence the adoption of advanced technologies in small and medium-sized banking institutions.",
    "topics": [
      "gdpr_compliance",
      "sector_finance",
      "data_breach_incident"
    ],
    "painPointTracks": [
      "Enforcement",
      "Financial & Payment PII"
    ],
    "relevanceScore": 0.708,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:5050635",
    "title": "The Ethical and Legal Implications of Shadow AI in Sensitive Industries: A Focus on Healthcare, Finance and Education",
    "authors": [
      "Adebayo Yusuf Balogun",
      "Olufunke Cynthia Metibemu",
      "Abayomi Titilola Olutimehin",
      "Adekunbi Justina Ajayi",
      "Damilola Comfort Babarinde",
      "Oluwaseun Oladeji Olaniyi"
    ],
    "date": "2025-02-13",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-05050635v1",
    "pdfUrl": "",
    "doi": "10.9734/jerr/2025/v27i31414",
    "abstract": "This study examines the ethical and legal implications of Shadow AI in healthcare, finance, and education by analyzing unauthorized AI deployments and their impact on data privacy, cybersecurity, and regulatory compliance. Using a quantitative research approach, descriptive statistics, ordinal regression modeling, and network analysis were employed to assess AI violations using the MITRE ATLAS AI Incident Database, EU AI Act Public Database, and IBM X-Force Threat Intelligence Report. Findings reveal that privacy breaches are most prevalent in education (22 cases), bias-related issues dominate finance (20 cases), and cybersecurity risks are highest in healthcare (19 cases). Legal risk analysis shows a 20% probability of regulatory intervention, with breach type as the strongest determinant. Anomaly detection identified healthcare as the most vulnerable to AI-driven cyber threats (8 anomalies). This study contributes to AI governance literature by quantifying the impact of regulatory interventions on Shadow AI risks, demonstrating how enforcement actions influence unauthorized AI adoption trends. It also underscores the limitations of current frameworks (e.g., GDPR, HIPAA, SEC regulations) in mitigating AI-related violations. The findings emphasize the urgent need for sector-specific AI compliance frameworks, AI ethics committees, and real-time cybersecurity monitoring systems to mitigate risks. Strengthening legal accountability and regulatory enforcement is critical to preventing the unchecked proliferation of Shadow AI in sensitive industries. Recommendations include sector-specific AI compliance frameworks, AI ethics committees, cybersecurity policies, and stricter regulatory enforcement.",
    "topics": [
      "ai_governance",
      "jurisdiction_regulatory",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.708,
    "venue": "Journal of Engineering Research and Reports",
    "language": "en"
  },
  {
    "id": "openaire:10.55041/ijsrem11473",
    "title": "Privacy-Preserving Analytics in HR Tech- Federated Learning and Differential Privacy Techniques for Sensitive Data",
    "authors": [
      "Naveen Edapurath Vijayan"
    ],
    "date": "2024-11-10",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.55041/ijsrem11473",
    "pdfUrl": "",
    "doi": "10.55041/ijsrem11473",
    "abstract": "<jats:p>This paper explores the application of privacy-preserving analytics in human resources (HR), focusing on the synergistic use of federated learning and differential privacy. As HR departments increasingly leverage data-driven insights, the protection of sensitive employee information becomes paramount. Federated learning enables collaborative model training without centralizing raw data, while differential privacy adds calibrated noise to ensure individual data remains indiscernible. Together, these techniques form a robust framework for safeguarding HR data while enabling advanced analytics. The paper discusses the challenges of handling sensitive HR information, examines the implementation of federated learning and differential privacy, and demonstrates their combined effectiveness in maintaining data utility while ensuring privacy. By adopting these approaches, organizations can derive valuable workforce insights, comply with data protection regulations, and foster employee trust. This research contributes to the growing field of ethical data use in HR, offering a blueprint for balancing analytical capabilities with privacy imperatives in the modern workplace. Keywords—Privacy-preserving analytics, Federated learning, Differential privacy, HR analytics, Data protection, Employee privacy, Decentralized learning, GDPR compliance, CCPA compliance, Sensitive data handling, Data-driven HR, Privacy-utility trade-off.</jats:p>",
    "topics": [
      "privacy_engineering",
      "data_anonymization",
      "jurisdiction_regulatory",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations",
      "Solutions Market"
    ],
    "relevanceScore": 0.708,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4226184233",
    "title": "Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of the Data Breach Rules under the Turkish Personal Data Protection Law",
    "authors": [
      "Mehmet Kaya"
    ],
    "date": "2021",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.26650/annales.2021.70.0007",
    "pdfUrl": "https://doi.org/10.26650/annales.2021.70.0007",
    "doi": "https://doi.org/10.26650/annales.2021.70.0007",
    "abstract": "Technology has penetrated every aspect of life and brought security and privacy issues to the forefront of the regulatory landscape. In such a hyper-connected world, security breaches are inevitable. Hence, general legislation in the field of protection of personal data is becoming ubiquitous. The rules are likewise being drafted to ensure the highest degree of privacy and security. The violation of security requirements can have an unprecedented and catastrophic consequence on data controllers. A security incident can compel the data controller to notify a competent data protection authority of a breach and communicate all facts to affected data subjects. Data breach notification is self-disclosure of the data controller about a personal data-related incident regardless of the intentional or negligent character of the event. The underlying aim of this obligation is to prevent or mitigate all adverse effects or damage deriving from a data breach incident. This article maps out the legal framework governing data breach notification under the European Union’s law, in particular General Data Protection Regulation and the Turkish Data Protection Law. This article maintains that strict and burdensome data breach notification rules do not serve the interest of data protection of individuals as data controllers could refrain from notification and bury the pieces of evidence. Such a notification-phobia is a major threat to the overall cybersecurity realm. The article emphasizes that there is a need for balanced rules and adequate accountability tools which would encourage data controllers to report any data breach incidents without hesitation.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.708,
    "venue": "Annales de la Faculté de Droit d’Istanbul",
    "language": "en"
  },
  {
    "id": "openaire:10.5594/jmi.2025/ojdi1382",
    "title": "A User-Centric Approach to Facial Recognition for TV Content",
    "authors": [
      "Alexandre Rouxel",
      "Alberto Messina",
      "Sébastien Ducret",
      "Pierre Fouché"
    ],
    "date": "2025-10-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.5594/jmi.2025/ojdi1382",
    "pdfUrl": "",
    "doi": "10.5594/jmi.2025/ojdi1382",
    "abstract": "<jats:p>Facial recognition technology (FRT) in broadcasting often lacks evaluation methods tailored to video content and the operational requirements of broad-casters and media archives. We present a user-centric framework that meets these needs through targeted performance metrics and operational workflows that improve relevance, efficiency, and compliance. The approach supports responsible deployment in television and media-archive contexts under the General Data Protection Regulation (GDPR) and the European AI Act.</jats:p>",
    "topics": [
      "gdpr_compliance",
      "biometric_surveillance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.708,
    "venue": "SMPTE Motion Imaging Journal",
    "language": "en"
  },
  {
    "id": "openaire:10.2478/raft-2025-0024",
    "title": "Facial Recognition and Biometric Systems: Benefits and Challenges for Law Enforcement",
    "authors": [
      "George-Marius Țical"
    ],
    "date": "2025-06-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.2478/raft-2025-0024",
    "pdfUrl": "",
    "doi": "10.2478/raft-2025-0024",
    "abstract": "<jats:title>Abstract</jats:title>                <jats:p>In the digital era, biometric technologies such as facial recognition and fingerprint scanning have become essential for law enforcement, enabling rapid and accurate suspect identification while enhancing investigative efficiency. These technologies offer significant benefits, including crime reduction, minimization of human errors, and resource optimization. However, their use raises major challenges related to data privacy, cybersecurity, and the ethics of surveillance. European regulations, particularly the General Data Protection Regulation (GDPR) and the Artificial Intelligence Act (AI Act), impose strict restrictions on biometric data processing to prevent misuse and excessive surveillance. According to the European Data Protection Board (EDPB) recommendations, the use of facial recognition in public spaces must be justified and limited to exceptional situations. Although biometric technologies can significantly improve public safety, risks associated with algorithmic bias, which may lead to discrimination, as well as the potential misuse of collected data, remain pressing concerns. Therefore, their implementation must be transparent, ethical, and compliant with existing legislation. For the responsible use of these technologies, strict data protection measures, continuous monitoring and auditing of biometric systems, and the development of fairer algorithms are recommended. This approach ensures a balance between the operational efficiency of law enforcement agencies and the protection of fundamental rights of citizens.</jats:p>",
    "topics": [
      "gdpr_compliance",
      "biometric_surveillance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.708,
    "venue": "Land Forces Academy Review",
    "language": "en"
  },
  {
    "id": "openaire:10.30996/dih.v0i0.132295",
    "title": "A Critical Analysis of Criminal Accomplice Provision in Employment Law Violations",
    "authors": [
      "Sarta Sarta",
      "Moh Soleh"
    ],
    "date": "2025-08-25",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.30996/dih.v0i0.132295",
    "pdfUrl": "",
    "doi": "10.30996/dih.v0i0.132295",
    "abstract": "<jats:p>The increasing use of artificial intelligence (AI), deepfake technology, and advanced medical procedures has transformed the landscape of biometric data, particularly facial features. This study examines the extent to which Indonesia’s Law No. 27 of 2022 on Personal Data Protection (PDP Law) ensures legal certainty for altered biometric facial data, including digitally or medically modified images. Employing a normative juridical research method with statutory and conceptual approaches, the paper interprets legal provisions, evaluates their adequacy, and compares them with international frameworks such as the EU’s General Data Protection Regulation (GDPR) and Singapore’s Personal Data Protection Act (PDPA). Findings reveal that the PDP Law classifies altered facial data as “specific personal data,” mandating explicit consent, robust security measures, and recognition of data subjects’ rights. The law’s extraterritorial scope further extends protection to Indonesian citizens’ data processed abroad. However, enforcement challenges persist, particularly in cross-border contexts and automated profiling. The novelty of this research lies in its focused analysis of altered biometric data as a unique legal category, coupled with comparative insights to address regulatory gaps. The study recommends strengthening implementing regulations, adopting AI-specific safeguards, and enhancing cross-border enforcement cooperation to ensure sustainable protection of biometric privacy in the digital era</jats:p>",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.708,
    "venue": "DiH: Jurnal Ilmu Hukum",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::ee555c90e3cf288f4d4c1d760225a42c",
    "title": "Cultural Representativeness in the Principles of AI",
    "authors": [
      "Lin, Yu-Ru",
      "Morgan, Frank",
      "Machery, Edouard",
      "Rottman, Benjamin",
      "Cabot, Heath"
    ],
    "date": "2022-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.18117/xgzv-dc74",
    "pdfUrl": "",
    "doi": "10.18117/xgzv-dc74",
    "abstract": "Artificial intelligence (AI) applications have reached a wide range of domains and have raised concerns over fairness, accountability, transparency, and ethics. For example, social media platforms face challenges from Congress over data privacy and facial recognition software have been racially biased. Accordingly, society is actively establishing principles to govern the development and application of AI technologies; examples include General Data Protection Regulation (GDPR). But, as AI innovation disseminates across cultural and political boundaries, how do societies in different cultures perceive these high-level AI principles? What are the acceptable ground rules for global AI governance? This project seeks to answer these by studying the interactions between cultural norms, the public opinion of AI, and the AI research community. To understand how key AI principles resonate amongst different cultures, we will study knowledge production and dissemination. Our approach is informed by the studies in comparative philosophy, which contrast moral traditions developed along relatively isolated cultural and regional lines. We will combine data science, qualitative studies, and mixed-methods approach to analyze micro- and macroscopic data. This project will build synergy among distinct disciplines represented by the team, including Philosophy and Ethics, Data and Information Sciences, Psychology, and Anthropology.",
    "topics": [
      "gdpr_compliance",
      "biometric_surveillance",
      "ai_governance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement"
    ],
    "relevanceScore": 0.708,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.15294/ipmhi.v5i1.28731",
    "title": "Consent or Coercion? A Comparative Legal Analysis of Biometric Data Practices in Digital Banking Systems",
    "authors": [
      "Chanidia Ari Rahmayani"
    ],
    "date": "2025-07-18",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.15294/ipmhi.v5i1.28731",
    "pdfUrl": "",
    "doi": "10.15294/ipmhi.v5i1.28731",
    "abstract": "<jats:p>The digital revolution in the financial sector has accelerated the adoption of biometric technology as an authentication method, offering greater security and efficiency compared to traditional password or PIN-based systems. Biometric technology leverages unique physical or behavioral characteristics—such as fingerprints, facial patterns, and voice recognition—making it highly resistant to forgery. However, the use of biometrics introduces a fundamental paradox between enhanced security and the risk to personal privacy, as biometric data is immutable and, if compromised, the consequences are permanent and irreversible. Indonesia has addressed these challenges through the enactment of Law No. 27 of 2022 on Personal Data Protection (PDP Law), which classifies biometric data as specific personal data requiring explicit, written, and revocable consent. Despite this legal framework, implementation remains challenging due to the lack of sector-specific regulations and limited regulatory oversight. Comparatively, the European Union’s GDPR sets a high standard for biometric data protection, emphasizing explicit consent, data minimization, and strong enforcement. The United States adopts a sectoral approach, with state laws such as Illinois’ BIPA imposing strict requirements and significant liabilities. A central concern is whether consent obtained from consumers in banking truly meets legal standards, given the power imbalance between institutions and users. This study employs a normative juridical and comparative approach to analyze regulatory frameworks in Indonesia, the EU, and the US, identifying best practices and recommending improvements for biometric data protection in banking.</jats:p>",
    "topics": [
      "gdpr_compliance",
      "biometric_surveillance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Biometric & Immutable PII",
      "Enforcement"
    ],
    "relevanceScore": 0.708,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.55843/isl2025symp191s",
    "title": "ARTIFICIAL INTELLIGENCE IN MIGRATION POLICIES: RISKS AND OPPORTUNITIES FROM AN INTERNATIONAL LAW AND HUMAN RIGHTS PERSPECTIVE",
    "authors": [
      "Akmaral SEIDBEKOVA"
    ],
    "date": "2025-01-21",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.55843/isl2025symp191s",
    "pdfUrl": "",
    "doi": "10.55843/isl2025symp191s",
    "abstract": "<jats:p>This article critically examines the integration of artificial intelligence (AI) into migration governance, focusing on the dual dimensions of efficiency gains and human rights challenges. The global rise in migration flows has prompted states to adopt advanced AI tools for border security, asylum adjudication, risk assessment, and migrant tracking. Case studies—including the EU’s Eurodac and ETIAS biometric systems, Australia’s “Seek” social media analysis project, and the U.S. CBP One facial recognition application—illustrate how AI enhances operational efficiency while raising significant ethical and legal questions. The study identifies three primary areas of concern under international law. First, algorithmic bias in migrant profiling and refugee status determination may violate the non-discrimination principle under Article 14 of the European Convention on Human Rights (ECHR) and the individual assessment requirement of the 1951 Refugee Convention. Second, the opacity of “black box” algorithms undermines transparency and accountability, restricting access to effective appeal mechanisms. Third, mass biometric surveillance, including iris scans at border crossings, presents acute data protection challenges, often conflicting with the EU’s General Data Protection Regulation (GDPR) and exposing migrants to cybersecurity breaches (Nuredin &amp; Inan2024b). Despite these risks, AI offers notable humanitarian benefits, such as improving access to legal aid through AI-powered translation tools, enabling disaster-related evacuation planning, and fostering transparency via algorithmic impact assessments. The article highlights best practices from Canada’s mandatory ethical audits and Sweden’s explainable AI policies in migration decisionmaking. 
To reconcile innovation with human rights obligations, the article proposes a multilayered governance model: strengthening global standards such as the UNHCR AI Ethics Guidance, mandating human oversight in at least 30% o",
    "topics": [
      "gdpr_compliance",
      "biometric_surveillance",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.708,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.47772/ijriss.2024.805181",
    "title": "Reviewing the Philippines Legal Landscape of Artificial Intelligence (AI) in Business: Addressing Bias, Explainability, and Algorithmic Accountability",
    "authors": [
      "Michael T. Sacramed"
    ],
    "date": "2024-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.47772/ijriss.2024.805181",
    "pdfUrl": "",
    "doi": "10.47772/ijriss.2024.805181",
    "abstract": "<jats:p>Pushing towards the almost universal adoption of Artificial Intelligence (AI) across the globe, the Philippines is not far behind. This tsunami has huge promise, but at the same time, under the present legal footing, it is likely to raise critical issues of ethics that have yet to be resolved. Against this background, the present paper reviews related literature on this emerging issue of AI bias, explainability, and algorithmic accountability. It comes down mainly to work done regarding bias in AI relative to the domain of recruitment and facial recognition technologies, in this case how it leads to discrimination. This asks to discuss the “black box problem” applied to nontransparent AI systems for which there is a need for the outcome to be explainable. It identifies the Data Privacy Act (DPA) of 2012 as the nearest framework that may be the firm foundation in the assurance of the right to understand AI decision-making. The other issue the article is concerned with is algorithmic accountability. Currently, guiding laws exist in the country, but these are narrow in scope and may not necessarily capture the many faces of AI behavior. In other words, the paper reviews the European Union’s General Data Protection Regulation (GDPR) as a model that can possibly find a solution for the biases. To summarize, this country needs a legal framework to overcome the challenges that have been brought about and reach an agreement on AI explainability enhancement, a clear definition of who is responsible and liable for what, and bias mitigation. The identified gaps in previous studies will form the basis for making recommendations on further research into AI bias within Philippine enterprises. All this underlines ever-necessary comparative research on the other rules concerning AI that has been put in place elsewhere. 
Still more importantly, it complements reasons for exporting such an idea to which the Philippines should develop an all-encompassing legal framework in deme",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.708,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.55843/icl2025cong117s",
    "title": "RECALIBRATING LIBERTY AND SECURITY: HUMAN RIGHTS CHALLENGES IN THE AGE OF MASS SURVEILLANCE",
    "authors": [
      "Tereza SVOBODOVÁ"
    ],
    "date": "2025-07-07",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.55843/icl2025cong117s",
    "pdfUrl": "",
    "doi": "10.55843/icl2025cong117s",
    "abstract": "<jats:p>The accelerating proliferation of digital surveillance technologies has profoundly reshaped the delicate balance between individual freedoms and state security imperatives. This study examines how contemporary surveillance regimes, increasingly intensified by artificial intelligence (AI) and big data analytics, affect fundamental human rights—most notably the right to privacy. Building upon the historical development of privacy protections and the transformative legal shifts in the post-9/11 era, the paper demonstrates how national security narratives have normalized mass surveillance under the guise of safeguarding public order and counterterrorism. The legal frameworks of international human rights instruments, such as the European Convention on Human Rights (ECHR), the International Covenant on Civil and Political Rights (ICCPR), and the General Data Protection Regulation (GDPR), are assessed in light of expanding state and corporate surveillance practices. Particular attention is given to the discriminatory potential of algorithmic decision-making, predictive analytics, and facial recognition technologies, which disproportionately affect marginalized and vulnerable communities. Through a normative and comparative approach, the paper critically evaluates surveillance frameworks in the United States, the United Kingdom, Germany, and France, alongside key jurisprudence from the European Court of Human Rights and national constitutional courts. This comparative lens highlights both the strengths and shortcomings of existing oversight mechanisms and underscores the challenges of reconciling technological efficiency with democratic accountability. The findings reveal an intensifying tension between technological capabilities and foundational democratic principles. 
In response, the paper advances a multi-dimensional policy framework structured around four pillars: (1) ensuring the legality, legitimacy, and proportionality of all surveillance measures; (2) creat",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.708,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4400257155",
    "title": "Unveiling the Black Box: Bringing Algorithmic Transparency to AI",
    "authors": [
      "Gyandeep Chaudhary"
    ],
    "date": "2024",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.5817/mujlt2024-1-4",
    "pdfUrl": "https://journals.muni.cz/mujlt/article/download/36881/32877",
    "doi": "https://doi.org/10.5817/mujlt2024-1-4",
    "abstract": "Overall, algorithmic transparency is an important aspect of responsible AI development and deployment. Ensuring that AI systems are transparent and accountable will help build trust and confidence in these systems and ensure that they are used ethically and effectively. Artificial intelligence (AI) has emerged as a cutting-edge domain that is fundamentally redefining different areas of daily experiences, such as health care, transport, finance, education, and others. The systems are not created for making a judgment like human judgment of natural language, spotting patterns and problem-solving; rather AI produces machines that also have intelligence level same as that of human beings. AI having more influence over us, it is to be considered the ethical directions of these tools and see that they operate under principles of transparency and accountability. The element regarding algorithmic transparency, which means the process of understanding the functioning and explanation of how AI systems make their decisions is the one that is most crucial. The issue of algorithm transparency is of fundamental importance for many considerations. AI systems are not only supported by fairness but also by their non-discrimination. If we do not know how a system of AI arrives at the decisions made, it becomes impossible to determine if the provided results meet equal treatment for everybody. If used in delicate areas like recruitment, credit, and legal system- where the AI-machine must make choices which are life changing, then this aspect is very important. On top of fairness, algorithmic transparency is also an important factor for accountability. If we are ignorant about what an artificial intelligence algorithm does and what is the source of its decision-making process, we are unable to track and classify the mistakes or mishaps of the system. 
This has always mattered when central to the operation of systems with high stake, such as those used in self-driving vehicles or in health care. Algorithmic transparency may be reached using different instruments. The transparent AI systems can be made by a more transparent design, for example, the simple modelling tools, that use interpretable models. Another method is designing technologies and techniques that can help people why the artificial systems difficult to be decoded but easy to understand which they can utilize in making decisions. Therefore, algorithmic transparency is a key factor of the AI made responsibly and used by the society. It is crucial that AI machines are both transparent and accountable since this will lead to people building trust in the system and accepting its ethical and practical implications. This paper examines regulation of algorithmic transparency in the EU, specifically provisions under the General Data Protection Regulation (GDPR), it aims to situate analysis of the GDPR's provisions on explainability of AI systems within broader technology ethics and policy discourse. The paper's scope is limited to EU regulations applicable to AI data processing transparency.",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry",
      "ai_governance"
    ],
    "painPointTracks": [
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.708,
    "venue": "Masaryk University Journal of Law and Technology",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4402745186",
    "title": "The Convergence of Artificial Intelligence and Privacy: Navigating Innovation with Ethical Considerations",
    "authors": [
      "CHRIS GILBERT",
      "Mercy Abiola Gilbert"
    ],
    "date": "2024",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.38124/ijsrmt.v3i9.45",
    "pdfUrl": "https://www.ijsrmt.com/index.php/ijsrmt/article/download/45/16",
    "doi": "https://doi.org/10.38124/ijsrmt.v3i9.45",
    "abstract": "This article explores the complex relationship between artificial intelligence (AI) and privacy. While acknowledging AI's potential benefits, the authors emphasize the ethical implications of its data-driven nature. The article begins by outlining the privacy risks inherent in AI systems, including data breaches, surveillance, and the potential for bias and discrimination. It then delves into ethical considerations surrounding AI development, such as transparency, accountability, and the need to prioritize human values. Various frameworks for balancing innovation with privacy protection are discussed, including Privacy by Design principles and the General Data Protection Regulation (GDPR). It also examine case studies of privacy violations in AI systems, highlighting the real-world consequences of inadequate safeguards. Looking towards the future, the article identifies advancements in privacy-preserving AI technologies as a crucial area of research. It concludes by advocating for a comprehensive approach to AI governance that combines technological innovation with ethical and regulatory strategies, by stressing the importance of proactive measures to mitigate privacy risks and ensure that AI technologies are developed and deployed in a manner that respects.",
    "topics": [
      "gdpr_compliance",
      "privacy_engineering",
      "ai_governance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.708,
    "venue": "International Journal of Scientific Research and Modern Technology.",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4403648958",
    "title": "Policies and regulations of artificial intelligence in healthcare, finance, agriculture, manufacturing, retail, energy, and transportation industry",
    "authors": [
      "Nitin Liladhar Rane",
      "Jayesh Rane",
      "Mallikarjuna Paramesha",
      "Suraj Kumar Mallick"
    ],
    "date": "2024",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.70593/978-81-981271-1-2_4",
    "pdfUrl": "https://deepscienceresearch.com/dsr/catalog/download/2/29/330",
    "doi": "https://doi.org/10.70593/978-81-981271-1-2_4",
    "abstract": "The rapid evolution of artificial intelligence (AI) technologies has required to standardized policies and regulations to provide proper care, safeguard, and equity in the industry. This study revisits the field to identify the AI policy and regulation frameworks that nowadays are being implemented and their most relevant issues. AI is entering - or rather, already exists in - everything from health to finance, and across the globe regulators and governments are now looking at both the need for innovation and the requirement of oversight. Some notable programmes include the European Union's AI Act, where expects to classify AI systems by 'risk levels' and have more stringent requirements for high-risk applications. In the United States, guidelines around transparency, accountability, and debiasing. This reinforces the importance of public-private partnerships (PPPs) and a shared approach in formulating agile and future-proof regulations. The up-and-coming trends can be seen in regulatory sandboxes for AI pilots for developing AI innovations in a controlled environment and AI ethics boards driving corporate practices towards AI. It also reflects on the effects these regulations might have on innovation and the dynamics of the market, suggesting that, although difficult, regulation is necessary to support public trust and secure the sustainable development of AI technologies. Keywords: Policy, Regulation, Artificial intelligence, Decision making, Decision support system, Machine learning, Deep learning Citation: Rane, N. L., Paramesha, M., Rane, J., &amp; Mallick, S. K. (2024). Policies and regulations of artificial intelligence in healthcare, finance, agriculture, manufacturing, retail, energy, and transportation industry. In Artificial Intelligence and Industry in Society 5.0 (pp. 67-81). Deep Science Publishing. 
https://doi.org/10.70593/978-81-981271-1-2_4 &nbsp;4.1 Introduction The runaway development pace of artificial intelligence (AI) technologies has provided impetus for profound changes across different industries; such a roll-out is naturally accompanied by co-evolution of the policy and regulatory landscape (Wischmeyer, &amp; Rademacher, 2020; Hoffmann-Riem, 2020; de Almeida et al., 2021). As AI integrates into the health, financial, production, and transportation sectors, amongst others, so is the establishment of regulatory solid frameworks to oversee its deployment and reduce associated risks (Erdélyi, &amp; Goldsmith, 2018; Lauterbach, 2019; Taeihagh, 2021;). The twin challenge for policymakers is encouraging innovation in the early stages while ensuring that AI systems meet ethical standards for safety and engender public trust (Wischmeyer, &amp; Rademacher, 2020; Hoffmann-Riem, 2020; Paramesha et al., 2024a). Balancing creative responses to both challenges, therefore, really needs to be underpinned by a good grasp of AI's technological possibilities as well as its socio-economic effects from deployment. Policy-wise, regulatory environments around AI have been historically reactive, for example, setting standards in reaction to a specific issue rather than as proactive standard-setting. These approaches have led to a fragmented regulatory landscape, showing high inconsistency across jurisdictions and sectors. International organizations and national governments have recently undertaken different initiatives to clarify AI policies, thus recognizing the urgency of harmonized and forward-looking regulatory frameworks in this area. These frameworks should address central issues, such as data privacy, algorithm transparency, accountability, and how AI may deepen pre-existing inequalities (Manheim, &amp; Kaplan, 2019; Capraro, et al., 2024; Rane et al., 2024a). 
Specifically, research on the policy and regulation of AI within the academic community has quickened its pace, engendering an enormous body of literature across legal studies, ethics, economics, and technology (Cath, 2018; Wong, 2021; Paramesha et al., 2024b; Rane et al., 2024b). The impact of different kinds of regulation on AI innovation and how practical various policy approaches have been probed using a raft of methodologies by researchers. This research contributes to the continuous discourse by conducting a careful literature review on AI policy and regulation in industry. Contributions of the present study: This study provides a comprehensive synthesis of literature available on AI policy and its regulation, with themes of broad consensus and divergence. This study uses sophisticated text-mining techniques to identify popular topics under discussion and their interrelations, attaining a granulated understanding of the current discourse. This study uses statistical methods to find out different clusters of related studies, pointing out emerging trends likely to receive significant attention in the future. 4.2 Methodology This research approach policy and regulation issues relevant to AI in the industry with a comprehensive review of the literature. The identification of academic articles, policy papers, and industry reports is done through databases such as Google Scholar, Scopus, and Web of Science. The literature search focused on thorough literature gathering guided by keywords like \"artificial intelligence,\" \"AI policy,\" \"AI regulation,\" \"industrial AI,\" and \"AI governance.\". Literature data is then fed into bibliometric software, VOSviewer, for co-occurrence analysis to establish how often the keywords appeared and how much they relate. By cluster analysis of the co-occurrence network, it is possible to further divide this literature into distinct groups regarding thematic similarities. 
Each cluster represents a particular aspect of AI policy and regulation and allows detailed examinations of subtopics: ethical issues, regulatory frameworks, and industry-specific challenges. This methodological approach gives a systematic and structured review of the existing body of knowledge, helping to deepen an understanding of the complex nature of AI governance in industry. &nbsp; 4.3 Results and discussions Co-occurrence and cluster analysis of the keywords The broader theme of the network also demonstrates an idea that \"artificial intelligence\" is vital to the frontier of research. Here, various nodes semantically similar with the central node are connected as shown in the Fig. 4.1, showing the applications of AI, which explains the interdisciplinary nature of AI. This is an important cluster in the network that deals with \"decision making\" and \"decision support system\". This family is tightly integrated with AI, means a bundle of important concepts are covered within this family like machine learning, deep learning, neural networks and reinforcement learning. These connections illustrate why AI is critical to the decision-making processes in a wide array of industries. When machine learning and deep learning algorithms are integrated into decision support systems, then the accuracy of predictions and the efficiency of problem-solving are increased by manifolds. Another large group relates to ethics, privacy, and regulation - which is significant. This cluster demonstrates the increasing attention to ethics in AI, data privacy, and regulation. The relationship with these terms and AI demonstrates the dialogue and inquiry about making AI technologies more robust which continues through the age. Fig. 4.1 Co-occurrence analysis of the keywords in literature The final execution with the sense of utmost responsibility. This cluster is about how governance shapes the social implications of AI. 
Example, the existence of the words \"public policy\", \"policy making,\" and \"laws and legislation\" is clear. The diagram also connects \"sustainable development\" and \"energy policy. Themes link this cluster to artificial intelligence, including energy efficiency, energy consumption, and sustainability. The connections demonstrated here are cases of how AI can make a real impact in this kind of sustainability; by helping to save energy and promote green policy. The powerful partnership of AI in energy management systems will go a long way towards addressing sustainability objectives. Another captivating bundle of topics belong to the intersection of \"healthcare policy\", \"public health\" and \"covid-19.\" Terms that appear in this cluster are related to health care delivery, information processing and clinical knowledge, which is relevant to artificial intelligence. This widespread application of such terminologies is representative of how prominently AI has come to the forefront in the health care sector - more so in the era of the Covid-19 pandemic. AI has helped with advancements in diagnostic tools, more streamlined management of health data and has provided invaluable help to public health projects. The network diagram shows in addition to a cluster of genetics, gene expression, and computational biology. The aim of this cluster is to focus on the AI application in biological and medical research. The relationships among these key words and \"artificial intelligence\" reinforce the role of AI both in elucidating genetic information and its regulation. AI-based algorithms help to better understand complex biological data and are in the vicinity of communities such as genomics and personalized medicine. In addition, the presence of the terms \"internet,\" \"social media,\" and \"students\" to the network hints at the rapid encroaching of AI into the arenas of digital technology and education. 
The onset of AI technologies in these fields has begun to change the way information is stored and shared, affecting most areas of society. The network diagram reveals the significance of cross-disciplinary research in the realm of AI. The interactions of fields like ethics, healthcare, energy policy, and computational biology with each other clearly explain AI in its broadest contexts as well as its practical applications. A single-discipline approach will not work for the multi-faceted problems that AI presents. It is important to take the interdisciplinary approach, which our societies need to adopt anyway. Policy and regulations of artificial intelligence in industry Global regulatory landscape The regulatory landscapes of AI differ from country to country and region to region because they entail very different legal, cultural, and economic environments. The proposed AI Act establishes a broad framework for regulating AI within the European Union. In this sense, the legislation will categorize AI applications in terms of risk as minimal, limited, or high and apply more stringent requirements on the high-risk ones. It also means stringent testing, documentation, and transparency requirements to reduce the possible harms. In the case of the United States, AI regulation is more sector-specific and less centralized. Several federal agencies, such as the Food and Drug Administration (FDA) and the Federal Trade Commission (FTC), are responsible for AI applications in their domains. The National Institute of Standards and Technology (NIST) is also developing a voluntary framework that will guide the development and deployment of AI, outlining principles like transparency, fairness, and accountability. China, however, has pursued a more hands-on approach to AI policymaking. 
The concept is fully embodied in China's New Generation Artificial Intelligence Development Plan, which sets ambitious targets for AI leadership by 2030, coupled with regulations that manage data security, algorithmic transparency, and ethical standards. Ethical and safety considerations AI policy-making necessarily fares with ethical concerns (Vesnic-Alujevic et al., 2020; de Almeida et al., 2021; Paramesha et al., 2024c; Rane et al., 2024c). The ability of AI to further already existing or biased situations has put increased scrutiny on algorithmic fairness. Regulations now often require developers to implement the possibility of detecting and mitigating bias in AI systems. Under the new Act on AI, for example, periodic evaluations and activity documentation are required to ensure conformance to ethical standards by the EU. Another significant is for applications such as and necessary stringent and of AI systems to under the most and The in its related to AI-based medical that a need for using where for be with and AI systems often require of data privacy, and have of AI regulation 2018; et al., Rane et al., The European has high standards for data which how AI systems are to and data under the with data management impact and for It is the that similar for data through the Act and an impact on AI. These their from to and out of and transparency AI and transparency are the systems will public trust Almeida et al., 2021; et al., Rane et al., The new from regulators for AI developers to clearly explain how are by their this is very critical in areas such as the of of or with regulatory frameworks AI systems that make is and 2020; 2021; Rane et al., This and of the AI and allows for and accountability. International and AI is in it for the of regulatory standards (Erdélyi, &amp; Goldsmith, 2018; de 2021; Rane et al., like International for and the Institute of and are to AI standards. 
These across and ethical considerations at and The AI by various a framework for the responsible development and of AI. These principles transparency, and as principles policy should at the national while for regulations and risks AI differ across which in for different regulatory in the health sector around of health and The has its regulatory for AI-based medical in which are to provide about safety and also to to the of in the the focus is on how they can and The standards on and deployment are on and to that they can in different environments. others, regulating ensuring this include the National Administration in the and the European New in AI regulation of the most critical in policy and regulation is transparency and the ability to provide et al., Taeihagh, 2021; Paramesha et al., AI systems, and using machine learning, are that how are This can be very in like health, or finance, where AI is the of to or AI trust in these systems. In that at this should establish frameworks that AI developers to make AI and on how within the AI are Another critical challenge is that of bias and in AI 2019; de Almeida et al., 2021). in most AI systems can be with that already present in society. such are not at they might further be by the AI algorithm and example, AI systems for or shown to groups than It is to regulations where and are in AI systems. 
This not of data and algorithmic fairness, for example, also within the that these technologies to ensure a broader AI and Another of in AI policy is related to the concerns of (Manheim, &amp; Kaplan, 2019; et al., Paramesha et al., Rane et al., AI systems require of data to be concerns the and of data and cases have around among the need to the that data analysis has the need to This in stringent data policies like the of the European with increased data and for AI is regulatory regulatory processes often take their in find it to pace with the AI This may regulations that are or a to innovation by requirements on emerging technologies. more agile regulatory approaches that can to technological It may regulatory sandboxes within which new applications of AI be in a critical concerns in this are the economic and the of AI can through the of that are by very being to and economic they also in of and economic The will require policymakers to promote and for that will with relevant for an by AI, on the and development of social safety for the by the nature of AI development and deployment it in terms of policy and regulation. The and of AI technologies are this the need for and of the regulations of national regulatory which complex in of for and to a regarding the standards. International organizations and have to way to frameworks that ensure standards of Ethical considerations AI development and et al., 2021; et al., 2020; Rane et al., that AI systems are relevant in making and ethical regarding the of an AI have to make in situations to complex ethical and the public in guidelines to address these Another that gives to solid concerns the risks associated with AI 2020; et al., AI is to different of including data or that may its and in critical health, energy, or finance, this might have should standards and practices to AI systems from The is that of and governance of AI. 
on making AI more powerful and ensuring that these AI systems under and that their with will be This with distinct of accountability, to AI from 4.1 provides a structured of the various and associated with regulatory frameworks, as well as their on society. These include which and related to and and to broader and other more the the the increased and broader effects and other These regulations their final on economic of and The need this comprehensive analysis to the regulatory implications so that be to 4.1 of the various and associated with regulatory frameworks, as well as their on other efficiency &nbsp; - and - - and standards - &nbsp; in AI policy and regulations of the significant areas that in the AI policy has to be focused on is setting clearly of ethics and frameworks Wong, 2021). AI systems are being integrated into it is to ensure they in that and The establishment of ethical guidelines for AI is being in to issues of and transparency of AI decision-making from ethical is a need for safety standards in AI development 2018; de Almeida et al., 2021). AI has the risks to it through its and of therefore, that comprehensive safety be put into is a among policymakers of the need for setting standards that ensure AI systems will be and risks with Another critical affecting policy the economic implications of AI is a to and economic risks associated with the impact of on economic are that a of policies that can be put in to in and for new in the are being by both governments and also the to have policies to support while ensuring that AI economic are This for AI research and for ethical AI and regulation practices in the technology industry. governance of the regulation of AI AI systems are on of In the AI policy will further around data and to and data Another relevant in AI policy is increasing on and et al., The development of AI is not to it is a to different regulations across problems for and are guidelines and standards for AI. 
are across to help and AI technologies In the will be more and regarding the governance of AI that will to a much more approach by AI. policy will also be by the role of AI in critical such as healthcare, finance, and transportation these have specific regulatory requirements so that the development and applications of and in example, in healthcare, the of AI for and stringent and to to algorithms and systems need regulations of and and policymakers are out sector-specific guidelines for with particular issues related to AI in key of policy AI public and widespread AI technologies require in their fairness, and policymakers are to focus on to public trust through the nature of in AI decision-making processes and for and It AI ethics public and broad in AI to trust and ensure that such technologies the for public Another of AI policy in the will be and the of AI, public understanding of its implications is AI policies at in at at public at making of the and risks associated with these emerging technologies. This the of AI into the and for learning to each to in an and approaches in AI policy and its further regulation will have to be of innovation for more regulations to new and that regulatory sandboxes and that AI technologies within controlled These approaches provide regulators with the to and policies to ensure that regulations relevant and a technological &nbsp; The industry regulation and policy of AI has at the focus of governments and organizations As AI is in from healthcare, finance, and - the of regulatory has been more a The AI Act is the European to a risk of AI systems, and a of for high-risk applications. This framework to ensure transparency, accountability, and for in the for the regulation of AI. increased regulatory activity in the United States of the National AI Act to in AI by and China is developing AI to ensure technological with stringent data and algorithmic transparency regulation. 
By a they to secure innovation as well as AI However, The around how can AI be in such a way that it not in AI both as an economic and a a is developing on approaches to regulations related to AI across in to out an for AI ethics and by agile approaches to regulation, will be as and to these to a on AI and its for security, and Artificial Intelligence and its on in Capraro, &amp; (2024). The impact of artificial intelligence on inequalities and policy artificial legal and and challenges. of the Society and de &amp; S. Artificial intelligence a framework for and AI in the European Union. of the current legal framework of the 2021). of and J., &amp; Goldsmith, artificial for a In of the on AI, and Society (pp. M., &amp; Artificial intelligence risks and algorithmic regulation. European of Regulation, S. of Artificial International Hoffmann-Riem, Artificial intelligence as a challenge for and regulation. artificial intelligence, Lauterbach, Artificial intelligence and Policy, and J., &amp; (2024). for and ethical by under the European Artificial Intelligence &amp; &amp; Kaplan, Artificial to and &amp; M., &amp; in artificial it is and how it AI &amp; Paramesha, M., Rane, N. L., &amp; Rane, Artificial Machine Deep and in and A Paramesha, M., Rane, &amp; Rane, Artificial AI at Paramesha, M., Rane, &amp; Rane, Artificial intelligence in challenges, and ethical at Paramesha, M., Rane, &amp; Rane, artificial intelligence such as in transportation A comprehensive at Paramesha, M., Rane, &amp; Rane, data artificial intelligence, machine learning, of and for intelligence. at N. and regulation of artificial intelligence and framework and at Rane, N. key in of and similar artificial intelligence in manufacturing, finance, retail, and industry. Rane, &amp; Rane, deep learning with machine technological and challenges. 
at Rane, &amp; Rane, Artificial Intelligence of and for and Rane, &amp; Rane, Artificial intelligence and machine learning for and sustainable and at Rane, &amp; Rane, Artificial intelligence, machine learning, and deep learning for analysis in to and at Rane, &amp; Rane, Artificial Intelligence and Machine in and a and a Rane, Paramesha, M., &amp; Rane, Intelligence through Artificial A at Rane, &amp; Rane, Artificial Intelligence and Machine in and A and International Rane, Paramesha, M., &amp; Rane, Artificial Machine and Deep for A International Rane, Paramesha, M., &amp; Rane, Machine and Deep for A of and International should artificial of the Society and J., J., M., &amp; The approach to artificial an analysis of policy, ethics, and regulation. and policies in artificial intelligence, &amp; data issues in artificial intelligence deployment. Taeihagh, of artificial intelligence. Policy and the of privacy, and in the artificial intelligence age. L., &amp; and ethical of artificial on European policy Policy, N. and in artificial intelligence of Policy &amp; Rademacher, artificial intelligence Wong, and regulation of artificial intelligence. In Artificial Intelligence for International at (pp. International Publishing. the A framework for artificial intelligence. &amp;",
    "topics": [
      "ai_governance",
      "power_knowledge_asymmetry",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.708,
    "venue": "",
    "language": "en"
  },
  {
    "id": "s2:793d37c43de46227664f4a83a895d3d72174e2c6",
    "title": "Integrating ISO 27001 and Indonesia's Personal Data Protection Law for Data Protection Requirement Model",
    "authors": [
      "Arya Adhi Nugraha",
      "Asyahri Hadi Nasyuha"
    ],
    "date": "2024-06-14",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/793d37c43de46227664f4a83a895d3d72174e2c6",
    "pdfUrl": "",
    "doi": "10.51519/journalisi.v6i2.754",
    "abstract": "This research explores the integration of ISO/IEC 27001:2022 with Indonesia's Personal Data Protection (PDP) Law to establish a robust framework for data protection and information security within organizations operating in Indonesia. The research addresses the challenges of aligning the comprehensive information security management systems (ISMS) standard of ISO/IEC 27001:2022 with the specific legal requirements of the PDP Law, which governs personal data collection, processing, and protection. Employing the Action Design Research (ADR) methodology, the study involves a thorough review of existing literature, consultations with domain experts, and the development of a structured framework for integration. Key findings highlight the complementary nature of ISO/IEC 27001:2022's risk-based approach and the PDP Law's emphasis on data subject rights, consent management, and breach notification. The integration framework provides organizations with a unified approach to meet both international standards and local regulatory requirements, enhancing overall data protection. The research concludes with insights and recommendations for organizations seeking to navigate the complex landscape of data protection compliance, emphasizing the importance of harmonizing security measures with legal mandates to build a comprehensive and effective data protection strategy.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance",
      "data_breach_incident"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.708,
    "venue": "Journal of Information Systems and Informatics",
    "language": "en"
  },
  {
    "id": "s2:15543bf1501b6ee853084c65fcab570d82b42174",
    "title": "Citizen-Led AI Audit Platform for Transparency and Accountability in Automated Decision-Making",
    "authors": [
      "Pradeep A. Patil",
      "R. Jadhav",
      "Prajakta Jagtap",
      "Kartik Dhanaji Thorat",
      "H. Patil"
    ],
    "date": "2025-10-25",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/15543bf1501b6ee853084c65fcab570d82b42174",
    "pdfUrl": "",
    "doi": "10.65521/ijacect.v14i1.751",
    "abstract": "Artificial Intelligence (AI) and automated decision-making systems are increasingly embedded in critical areas of governance such as housing allocation, welfare distribution, recruitment, healthcare, and immigration. While these systems promise efficiency and scalability, they often operate as opaque “black boxes,” producing decisions that lack explainability or recourse for affected citizens. This opacity undermines public trust and accountability in digital governance. \nThis review paper examines global efforts toward Responsible AI and highlights the urgent need for citizen-led auditing mechanisms that operationalize fairness, transparency, and accountability in practice. Drawing insights from recent literature on algorithmic transparency, fairness auditing, and privacy-preserving governance frameworks, the paper identifies key gaps—namely the absence of citizen-sourced evidence pipelines, cross-domain bias mapping, and measurable audit effectiveness. A conceptual framework and layered functional architecture are proposed to integrate citizen reporting, NLP-based anonymization, structured metadata storage, and visualization dashboards for systemic bias detection. The study bridges theoretical Responsible-AI principles with practical citizen-centric accountability models, offering a scalable foundation for participatory and ethical AI governance.",
    "topics": [
      "ai_governance",
      "power_knowledge_asymmetry",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.708,
    "venue": "International Journal on Advanced Computer Engineering and Communication Technology",
    "language": "en"
  },
  {
    "id": "s2:e9c37ff927bcd58e56a0d97bdeacf1c03f0c9908",
    "title": "Privacy-Secure and Decentralized Biometric Authentication Models Using Federated Learning Frameworks",
    "authors": [
      "M. P",
      "K. Mahalakshmi"
    ],
    "date": "2024-12-27",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/e9c37ff927bcd58e56a0d97bdeacf1c03f0c9908",
    "pdfUrl": "",
    "doi": "10.1109/ICSCAN62807.2024.10894284",
    "abstract": "A biometric identifier, in contrast to other identifiers used for authentication, is a quantitative evaluation of an individual's physical attributes that is successfully used to confirm or validate the identification. Because of its remarkable and consistent texture variation, iris recognition is thought to be the most dependable biometric recognition. Concerns about security, authentication, and identification are growing in importance across all domains as technology advances daily. High-security applications use these unique patterns for iris recognition. To increase the security of biometric applications without jeopardizing individual privacy, this research suggests a novel FL technique for privacy-preserving iris detection. Traditional biometric systems rely on centralised data storage and processing, which threatens data security and misuse. Federated Learning: decentralized model training that allows multiple federated clients (like mobile devices or edge servers) to collaboratively train a global model without sharing their raw iris data. We explore how this architecture can be applied to iris detection systems, maintaining accuracy while mitigating privacy risks. Our method ensures that iris features are learned locally on individual devices, and only encrypted model updates are shared with the central server. To strengthen privacy, we incorporate differential privacy and secure aggregation techniques to prevent data leakage during model training. Experimental results demonstrate the effectiveness of the proposed framework in maintaining high detection accuracy, low communication overhead, and robust privacy guarantees.",
    "topics": [
      "biometric_surveillance",
      "data_anonymization",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Biometric & Immutable PII",
      "Solutions Market"
    ],
    "relevanceScore": 0.708,
    "venue": "2024 International Conference on System, Computation, Automation and Networking (ICSCAN)",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4411807490",
    "title": "EL IMPACTO DE LA INTELIGENCIA ARTIFICIAL EN LOS DERECHOS FUNDAMENTALES EN LAS RELACIONES LABORALES: regulación vigente y nuevos desafíos",
    "authors": [
      "Ana Rosa Rodriguez",
      "Silvina Rigali"
    ],
    "date": "2025",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.51799/2763-8685v5n1013",
    "pdfUrl": "https://doi.org/10.51799/2763-8685v5n1013",
    "doi": "https://doi.org/10.51799/2763-8685v5n1013",
    "abstract": "This article analyzes the impact of artificial intelligence (AI) on fundamental rights within labor relations, in a context marked by increasing automation, digital surveillance, and intensive use of personal data. Based on the hypothesis that, without guarantees of privacy and cybersecurity, fair working conditions and an equitable digital market cannot be sustained, the paper examines the ethical and regulatory challenges posed by the integration of algorithmic technologies and neurotechnologies in the workplace. Special attention is given to the European Union’s Artificial Intelligence Act (AI Act) and the General Data Protection Regulation (GDPR), as key legal frameworks seeking to balance innovation with the protection of human rights. Through a qualitative methodology grounded in legal and bibliographic analysis and case studies, the study highlights the urgent need to establish boundaries on practices such as emotion recognition, mass biometric surveillance, and opaque automated decision-making. The article underscores the importance of strengthening transparency, human oversight, and the development of neuro-rights as emerging dimensions of protection against the new risks posed by AI in the workplace.",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry",
      "biometric_surveillance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement",
      "Sector Regulations",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.708,
    "venue": "Latin American Journal of European Studies",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2940592891",
    "title": "Personal data protection – where to start?",
    "authors": [
      "Tomasz Osiej"
    ],
    "date": "2019",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.24292/01.ot.300319.08",
    "pdfUrl": "https://www.journalsmededu.pl/index.php/ophthatherapy/article/download/510/469",
    "doi": "https://doi.org/10.24292/01.ot.300319.08",
    "abstract": "The present article focuses on the main General Data Protection Regulation requirements for private medical practices. It starts with a description of the 2 basic capacities in which an entity processing personal data can act, i.e. the controller or processor. Then, the aforementioned roles are allocated to the physicians depending on the nature of their work (hospital or private medical practice), together with the description of the legal basis for personal data processing in the healthcare sector. The last part contains the most important elements of data protection that any physician should start with. These are: implementation of adequate technical and organisational security measures, provision of an accurate privacy notice to patients as well as introduction of basic personal data documentation, i.e. the records of processing activities and the personal data breach notification procedure.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "enterprise_privacy_ops"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.708,
    "venue": "OphthaTherapy Therapies in Ophthalmology",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3089343644",
    "title": "Pozycja ustrojowa organu nadzorczego ochrony danych osobowych na przykładzie Polski",
    "authors": [
      "Magdalena Gholeh"
    ],
    "date": "2019",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.15804/ppk.2019.04.09",
    "pdfUrl": "http://czasopisma.marszalek.com.pl/images/pliki/ppk/50/ppk5009.pdf",
    "doi": "https://doi.org/10.15804/ppk.2019.04.09",
    "abstract": "Independent data protection authorities are of critical importance to the effective protection of personal data. Even under the previous Directive EU Member States were obligated to provide a designated supervisory authority. The fundamental reform of EU data protection law and adoption of General Data Protection Regulation has introduced a number of changes in the data protection law area. It also affected the provisions on national data protection authorities. To adapt to the new regulatory regime Polish legislator has decided to establish a new supervisory authority. The President of Personal Data Protection Office has replaced the previous Inspector General for Personal Data Protection. However it needs to be noted that current provisions raised questions about the position of The President in the whole regulatory framework. Therefore the aim of this paper is to review current law and to define the legal position of Polish data protection authority.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.708,
    "venue": "Przegląd Prawa Konstytucyjnego",
    "language": "pl"
  },
  {
    "id": "arxiv:2103.13546",
    "title": "Benchmarking Modern Named Entity Recognition Techniques for Free-text Health Record De-identification",
    "authors": [
      "Abdullah Ahmed",
      "Adeel Abbasi",
      "Carsten Eickhoff"
    ],
    "date": "2021-03-25",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2103.13546v1",
    "pdfUrl": "https://arxiv.org/pdf/2103.13546v1",
    "doi": "",
    "abstract": "Electronic Health Records (EHRs) have become the primary form of medical data-keeping across the United States. Federal law restricts the sharing of any EHR data that contains protected health information (PHI). De-identification, the process of identifying and removing all PHI, is crucial for making EHR data publicly available for scientific research. This project explores several deep learning-based named entity recognition (NER) methods to determine which method(s) perform better on the de-identification task. We trained and tested our models on the i2b2 training dataset, and qualitatively assessed their performance using EHR data collected from a local hospital. We found that 1) BiLSTM-CRF represents the best-performing encoder/decoder combination, 2) character-embeddings and CRFs tend to improve precision at the price of recall, and 3) transformers alone under-perform as context encoders. Future work focused on structuring medical text may improve the extraction of semantic and syntactic information for the purposes of EHR de-identification.",
    "topics": [
      "sector_healthcare",
      "pii_entity_types",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Health & Genomic PII"
    ],
    "relevanceScore": 0.708,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:oai:croris.hr:Publication/1759476",
    "title": "Trends in Artificial Intelligence regulation: an Analysis of Human Capital Management Provider Compliance",
    "authors": [
      "Tuškan, Dorotea"
    ],
    "date": "2025-01-01",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=oai:croris.hr:Publication/1759476",
    "pdfUrl": "",
    "doi": "",
    "abstract": "This paper examines the integration of AI within human resource (HR) processes, exploring real-world applications and potential future developments. It identifies prominent human capital management (HCM) tool providers that incorporate AI solutions and evaluates their publicly available internal policies against relevant legislative frameworks, particularly emphasizing the EU AI Act. The research aims to identify emerging trends in AI regulation, assess awareness of regulatory obligations, and determine the level of compliance with established legal and ethical standards. AI-powered HR solutions primarily enhance existing digital tools rather than revolutionary innovations. From a regulatory perspective, legislative bodies are tasked with balancing the imperative of individual rights protection with advancing technological capabilities, particularly as numerous AI-driven HR practices remain subject to legal ambiguity. While most providers acknowledge the necessity of AI regulation, the scope of their commitment varies significantly. Entities such as Microsoft and SAP have implemented more comprehensive policy frameworks that align with the stipulations of the AI Act and UNESCO's recommendations on the ethics of AI. The scope of this paper is limited to global HCM leaders operating within the European market, encompassing vendors with direct operational presence or those who recognise EU regulatory requirements. In light of the dynamic evolution of AI legislation globally, future research should extend to encompass regulatory frameworks in other regions, notably Asia, where AI development is advancing rapidly. Further analysis is also warranted to examine the strategies employed by smaller companies and startups, often constrained by limited compliance resources, as they navigate AI governance challenges. 
Furthermore, a critical examination of the interplay between AI and the General Data Protection Regulation (GDPR) across diverse HR practices is essential to explai",
    "topics": [
      "gdpr_compliance",
      "ai_governance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.708,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|od_____10594::7fe21ee9e747ac2b5de86c618cbaef2f",
    "title": "A Privacy-preserving and Communication-Efficient Federated Learning solution for Industrial Applications",
    "authors": [
      "MOHAMMADI, MOHAMMADREZA"
    ],
    "date": "",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=50|od_____10594::7fe21ee9e747ac2b5de86c618cbaef2f",
    "pdfUrl": "",
    "doi": "",
    "abstract": "There has been a lot of interest in privacy-preserving federated learning because of its potential to allow collaborative model training without compromising participants' privacy. When it comes to federated learning that respects users' privacy, this thesis examines a wide range of possible protection and attack tactics. First, I introduce the idea of privacy-protecting federated learning and discuss its structure, benefits, and drawbacks. Differential privacy, secure aggregation, and homomorphic encryption are only some of the defensive mechanisms I cover next to keep participants' information private. In addition, I look at the attack methods, such as membership inference and model inversion, that potentially jeopardize participants' privacy in privacy-preserving federated learning. I examine the result of model inversion attack and the measures taken to counter them. In this thesis, I consider three distinct industrial use cases from the DAIS project which will be used in real-world applications in a near future and implement a federated learning system for them while keeping in mind the need for privacy in federated learning environments. As a further step, I suggest a new client selection method based on each client's amount of data to improve the federated learning framework's accuracy and the efficacy of its communications. Also, I propose an innovative method, Parameter Randomization, to enhance the privacy and communication efficiency of federated learning systems. By introducing these two approaches, this thesis gives a thorough explanation of the field of privacy-preserving and communication-efficient federated learning and emphasizes the need for robust defense and mitigation mechanisms to protect participant privacy against attacks while keeping the accuracy of the models as high as possible.",
    "topics": [
      "privacy_engineering",
      "llm_privacy_attacks",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "AI Training PII",
      "Solutions Market"
    ],
    "relevanceScore": 0.708,
    "venue": "",
    "language": "en"
  },
  {
    "id": "doaj:6381b7a46e224a808558f51aa7623db1",
    "title": "THE ADOPTION AND HARMONISATION OF REGULATION (EU) 2024/1689 (AI ACT) AND REGULATION (EU) 2018/1725 (EUDPR): CHALLENGES AND BEST PRACTICES",
    "authors": [
      "Emilian MATEICIUC"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://cks.univnt.ro/download/cks_2025_articles%252F3_CKS_2025_PUBLIC_LAW%252FCKS_2025_PUBLIC_LAW_004.pdf",
    "pdfUrl": "https://cks.univnt.ro/download/cks_2025_articles%252F3_CKS_2025_PUBLIC_LAW%252FCKS_2025_PUBLIC_LAW_004.pdf",
    "doi": "",
    "abstract": "The adoption of Regulation (EU) 2024/1689 (AI Act) represents a significant advancement in the European Union's regulatory approach to artificial intelligence, aiming to balance technological innovation with the protection of fundamental rights. This paper critically examines the interplay between the AI Act and Regulation (EU) 2018/1725 (EUDPR), highlighting challenges and proposing best practices for their effective harmonization. The research identifies key intersections and potential conflicts between the two regulations, particularly regarding data processing, transparency, and algorithmic accountability. A primary concern is reconciling the AI Act's rigorous requirements for monitoring and transparency of high-risk AI systems with the EUDPR's strict principles on data minimization and retention. These conflicting mandates present substantial operational and legal challenges for EU institutions, private organizations, and end-users. Drawing from lessons learned in implementing GDPR and EUDPR, the study provides practical recommendations to enhance compliance, such as the introduction of unified certification frameworks, dedicated support resources for SMEs, and clear interpretative guidelines from supervisory bodies. Additionally, the paper emphasizes the importance of coordinated enforcement mechanisms and flexible regulatory frameworks capable of adapting to rapid technological advancements. Ultimately, the paper concludes that the EU's distinct regulatory approach, centred on safeguarding fundamental rights and promoting transparent AI technologies, positions Europe as a global pioneer. However, its success depends on effectively managing the harmonization between overlapping regulations. 
The insights and recommendations presented offer practical pathways for policymakers and stakeholders to navigate the complexities of implementing these regulations, fostering an environment where innovation thrives alongside robust protection of individual rights.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.708,
    "venue": "Challenges of the Knowledge Society",
    "language": "en"
  },
  {
    "id": "hal:5405200",
    "title": "EUROCOMPLY: Enabling Zero-Touch AI Compliance Auditing via LLM-based Agentic AI",
    "authors": [
      "Mazene Ameur",
      "Bouziane Brik",
      "Adlen Ksentini"
    ],
    "date": "2025-12-15",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-05405200v1",
    "pdfUrl": "https://hal.science/hal-05405200/document",
    "doi": "",
    "abstract": "In this paper, we present EUROCOMPLY, a novel framework designed to automate regulatory compliance verification in Artificial Intelligence and Machine Learning (AI/ML) systems for the telecommunications sector. With the increasing adoption of AI/ML, ensuring adherence to the European AI Act (EU AI Act) and General Data Protection Regulation (GDPR) has become critical to avoid deployment delays and legal penalties. EUROCOMPLY leverages Agentic AI to inspect datasets and AI/ML pipelines for alignment with the EU AI Act, the GDPR, and the 3rd Generation Partnership Project (3GPP) AI/ML-related standards. The framework employs a dual-mode retrieval architecture combining vector-based and graph-based retrieval for enhanced regulatory interpretation. We validate EUROCOMPLY on 20 telecom use cases across four realistic datasets, demonstrating high faithfulness and strong performance through expert assessments and LLM-as-a-Judge evaluations.",
    "topics": [
      "gdpr_compliance",
      "ai_governance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.708,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:2872471",
    "title": "Cross-Border Data Flows, the GDPR, and Data Governance (29 Wash. Int'l L.J. 485 (2020)",
    "authors": [
      "W. Gregory Voss"
    ],
    "date": "2020-06-17",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-02872471v1",
    "pdfUrl": "https://hal.science/hal-02872471/document",
    "doi": "",
    "abstract": "Today, cross-border data flows are an important component of international trade and an element of digital service models. However, they are impeded by restrictions on cross-border personal data transfers and data localization legislation. This Article focuses primarily on these complexities and on the impact of the new European Union (\"EU\") legislation on personal data protection-the GDPR. First, this Article introduces its discussion of these flows by placing them in their economic and geopolitical setting, including a discussion of the results of a lack of international harmonization of law in the area. In this framework, rule overlap and rival standards are relevant. Once this situation is established, this Article turns to an analysis of the legal measures that have filled the gap left by the lack of international regulation and the failure to harmonize law: extraterritorial laws in the European Union (regional legislation) and the United States (state legislation);and data localization laws in China and Russia. Specific provisions restricting cross-border personal data transfers are detailed under EU legislation, as are the international agreements that have been invaluable in allowing flows between the United States and the European Union to continue—first the Safe Harbor, and now the Privacy Shield. Finally, in this context, the role of data governance is investigated, both in the context of data controllers’ accountability for the actions of other actors in global supply chains under EU law and under the Privacy Shield. Thus, this Article goes beyond the law itself, to place requirements in the context of the globalized business world of data flows, and to suggest ways that companies may improve their compliance position worldwide.",
    "topics": [
      "jurisdiction_regulatory",
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.708,
    "venue": "Washington International Law Journal",
    "language": "en"
  },
  {
    "id": "hal:4785519",
    "title": "The AI Act: the evolution of \"trustworthy AI\" from policy documents to mandatory regulation",
    "authors": [
      "Mélanie Gornet"
    ],
    "date": "2024-11-01",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-04785519v1",
    "pdfUrl": "https://hal.science/hal-04785519/document",
    "doi": "",
    "abstract": "What with the dangers of artificial intelligence for individuals and society, and the rapid evolution of these technologies, Europe has decided to take the lead by imposing strict requirements for the placing on the market of \"AI systems\". This new European law, adopted in the summer of 2024, is better know as \"the AI Act\". The AI Act is based on a hierarchy of risks, where riskier systems will be subject to stricter obligations. While the AI Act is not the first law in Europe to be based on risk -the General Data Protection Regulation (GDPR) and subsequent laws on digital technologies have already started this trend -it is the first to take it to such a level. But the AI Act also draws on the concept of \"trustworthy AI\", a term coined by policy documents that preceded it, and according to which AI must notably be ethical and technically robust. In this work, we retrace the story of the AI Act, in order to understand the origin of its main concepts and structure. We also take a look at the final version of the text, its hierarchy of AI systems and the corresponding obligations, as well as the governance ecosystem it puts in place to ensure that these rules are properly implemented. The picture we draw shows a regulation that is quite unique in the European legal landscape, despite its many roots and inspirations.",
    "topics": [
      "gdpr_compliance",
      "ai_governance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.708,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:2554707",
    "title": "Navigating EU Privacy and Data Protection Laws",
    "authors": [
      "W. Gregory Voss",
      "Katherine Woodcock"
    ],
    "date": "2016-01-19",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-02554707v1",
    "pdfUrl": "",
    "doi": "",
    "abstract": "This handbook presents various concepts for EU privacy and data protection law in a comprehensible manner, providing analysis of existing and practical advice on how to approach data policy compliance. With global businesses and companies struggling to meet varying EU national privacy compliance laws, this book will be a useful primer to guide academics, practitioners, law students, and business professionals in understanding data privacy compliance, and provide additional supplemental resources on specific national legislation. This book is available for purchase at http://shop.americanbar.org/eBus/Store/ProductDetails.aspx?productId=210870571&term=5210298. Content includes: -- an introduction to EU Privacy & Data Protection legislation and treaties (including key terms and general principles) -- applicability of the legislation -- compliance steps -- provisions related to human resources -- provisions related to customers and marketing -- development of new technologies and the application of the law to them (biometrics, facial recognition, gps, geo-location, cloud computing, big data, IoT, etc.) -- relevant elements of the proposed General Data Protection Regulation -- data protection authority resources -- glossary of terms -- quick reference guide to Article 29 Data Protection Working Party documentation (advisory guidance)",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.708,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:oai:iris.unibocconi.it:11565/4074069",
    "title": "Constitutional Safeguards in the Age of AI. A Study on the Fundamental Rights Impact Assessment of Facial Recognition Technology",
    "authors": [
      "PAOLUCCI, FEDERICA"
    ],
    "date": "2025-06-26",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=oai:iris.unibocconi.it:11565/4074069",
    "pdfUrl": "",
    "doi": "",
    "abstract": "This thesis explores the regulation of Facial Recognition Technology (FRT) as a focal point for analysing the profound challenges posed by Artificial Intelligence (AI) to constitutional principles and fundamental rights in the digital age. By positioning FRT at the intersection of technological innovation and legal frameworks, the study examines how the adoption of this technology, particularly in law enforcement and public surveillance, amplifies risks to privacy, data protection, freedom of expression and assembly, and, especially, access to effective remedies. The research introduces the Fundamental Rights Impact Assessment (FRIA), a methodological tool designed to anticipate and mitigate the risks posed by high-risk AI systems. The FRIA framework represents a critical innovation, extending constitutional safeguards to digital technologies by operationalizing rights protection in a structured, preemptive manner. This model is applied to the specific context of biometric systems, demonstrating its capacity to address systemic risks, including algorithmic bias, surveillance creep, and the chilling effect on democratic freedoms. Through an in-depth review of the European Union’s regulatory landscape, the thesis evaluates the interaction between the AI Act, the General Data Protection Regulation (GDPR), and the Law Enforcement Directive (LED). It underscores the fragmented and reactive nature of current frameworks, particularly in their ability to address the opacity, accountability, and societal impact of FRT. Case studies, in particular based on the case law of the Court of Justice of the European Union and of the European Court of Human Rights, and legal analysis reveal critical gaps in procedural safeguards, judicial oversight, and the provision of effective remedies for individuals affected by the deployment of biometric technologies. 
By situating FRT within the broader paradigm of fundamental rights, the thesis interrogates the tension between the harmonisation",
    "topics": [
      "gdpr_compliance",
      "biometric_surveillance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.708,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2953664570",
    "title": "A System of Governance for Artificial Intelligence through the Lens of Emerging Intersections between AI and EU Law",
    "authors": [
      "Gabriele Mazzini"
    ],
    "date": "2019",
    "platform": "OpenAlex",
    "sourceUrl": "https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3369266",
    "pdfUrl": "https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3369266",
    "doi": "",
    "abstract": "The work provides an overview and a comment of the Communication on Artificial Intelligence (AI) adopted by the European Commission in April 2018. By offering a bird’s-eye view of those law and policy areas potentially relevant for or affected by AI, the AI Communication sets the stage for understanding how pervasively and extensively AI is likely to be mainstreamed in our economies and societies. Whether it is about safety of products, liability, consumer protection, personal data protection or the foundational values, principles and rights on which the European project is based on, AI is very rapidly cutting across domains. The work identifies and investigates some of the many intersections between AI and EU law. Two main “disrupting” trends emerge.\r\n\r\nAccording to the first trend, AI seems to exercise some pressure on existing regulatory frameworks, such as in the areas of product safety, liability and consumer protection.\r\n\r\nAs regards product safety, the main concerns seem to revolve around the unpredictability risk of AI. While certain factual characteristics (possibly limitations) of AI as it functions today cannot and should not be denied, the policy debate on AI safety should focus on what potential risks brought about by AI (or rather by specific AI applications) can be considered as socially acceptable when weighed against potential benefits. 
Even though the challenges posed by AI may generate some pressure on the existing EU product safety frameworks, it seems that EU safety law as a broader normative field has at its disposal a varied set of regulatory tools and approaches that can be relevant sources of inspiration and reference for a discussion on the safety of AI-powered products.\r\n\r\nIn the field of product liability, although one should note that the Product Liability Directive (PLD) is not necessarily the only tool that can be invoked by victims in case of risks and damages linked to AI-powered products, there seem to be elements suggesting that AI (in general or with regard to certain of its product specific applications) may put under stress the continued suitability of the technology neutral design of the PLD - or at least some provisions thereof - to the extent that the PLD is expected to apply, in its current form, to both “smart” and “non-smart” products.\r\n\r\nThe protection of consumers in the context of profiling and targeting practices in the business-to-consumers transactions is an area where the General Data Protection Regulation (GDPR) is particularly relevant. To the extent GDPR rules effectively enhance the data subjects’ empowerment vis-a-vis traders and/or curtail the ability of traders to engage in manipulative and unfair practices, then there may be less need for a fine-tuning of dedicated consumer law instruments (such as the Unfair Commercial Practices Directive, the Consumer Rights Directive and the Directive on Unfair Terms in Consumer Contracts) in order to take account of the specificities of commercial transactions mediated by sophisticated algorithms. 
At the same time, consumer protection could be an interesting testing ground for the potential of AI to empower consumers and civil society in general: the very same tools, techniques and methods used by companies to pursue their commercial interests could also serve the purpose to re-balance the traditional asymmetry of information, power and knowledge impacting negatively on consumers.\r\n\r\nContrary to what happens in the legal domains mentioned above, a different “disrupting” trend emerges in the field of the protection of personal data. Here, the several intersections between AI and the GDPR can essentially be framed in terms of the law disrupting certain technological uses and applications of AI. Due to the fact that AI uses and applications in the context of commercial transactions, and, more generally, of the algorithm-mediated economic, social and political life of individuals extensively rely on and process personal data, the GDPR emerges as a key piece of legislation in the space. While the data protection authorities and the courts will certainly specify and fine-tune its principles and provisions as appropriate, the GDPR presents itself as a robust framework poised to capture and effectively curb at least those uses and applications of AI that appear most egregious and intolerable in light of the degree of legal protection for individual rights and freedoms that is currently expected by citizens in our European society.\r\n\r\nThe work argues that, even if each legal or policy area where AI surfaces is confronted with distinct normative questions that may not necessarily be relevant for other areas, a connecting tissue is needed. 
This should take the form of a system of AI governance or cabine de regie which should combine - on an ongoing basis - up-to-date scientific and technical knowledge, internal legal and policy expertise specific to each sector and the authority to impart policy direction and to arbitrate, across the board, between the societal opportunities and the societal concerns that underlie the composite interaction between AI and the law.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "ai_governance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.708,
    "venue": "SSRN Electronic Journal",
    "language": "en"
  },
  {
    "id": "doaj:1116db97bfbd45fcaab7ee5bd47bdb76",
    "title": "Impacts of Data Synthesis: A Metric for Quantifiable Data Standards and Performances",
    "authors": [
      "Gunjan Chandra",
      "Pekka Siirtola",
      "Satu Tamminen",
      "Mikael J. Knip",
      "Riitta Veijola",
      "Juha Röning"
    ],
    "date": "2022",
    "platform": "doaj",
    "sourceUrl": "https://www.mdpi.com/2306-5729/7/12/178",
    "pdfUrl": "",
    "doi": "10.3390/data7120178",
    "abstract": "Clinical data analysis could lead to breakthroughs. However, clinical data contain sensitive information about participants that could be utilized for unethical activities, such as blackmailing, identity theft, mass surveillance, or social engineering. Data anonymization is a standard step during data collection, before sharing, to overcome the risk of disclosure. However, conventional data anonymization techniques are not foolproof and also hinder the opportunity for personalized evaluations. Much research has been done for synthetic data generation using generative adversarial networks and many other machine learning methods; however, these methods are either not free to use or are limited in capacity. This study evaluates the performance of an emerging tool named synthpop, an R package producing synthetic data as an alternative approach for data anonymization. This paper establishes data standards derived from the original data set based on the utilities and quality of information and measures variations in the synthetic data set to evaluate the performance of the data synthesis process. The methods to assess the utility of the synthetic data set can be broadly divided into two approaches: general utility and specific utility. General utility assesses whether synthetic data have overall similarities in the statistical properties and multivariate relationships with the original data set. Simultaneously, the specific utility assesses the similarity of a fitted model’s performance on the synthetic data to its performance on the original data. The quality of information is assessed by comparing variations in entropy bits and mutual information to response variables within the original and synthetic data sets. 
The study reveals that synthetic data succeeded at all utility tests with a statistically non-significant difference and not only preserved the utilities but also preserved the complexity of the original data set according to the data standard established in this study. Therefore, synthpop fulfills all the necessities and unfolds a wide range of opportunities for the research community, including easy data sharing and information protection.",
    "topics": [
      "data_anonymization",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.696,
    "venue": "Data",
    "language": "en"
  },
  {
    "id": "europepmc:40950971",
    "title": "Possibilities for secondary data use of electronic health records with WiseSpace de-identification.",
    "authors": [
      "Vovk O",
      "Ghasempour A",
      "Piho G",
      "Ross P."
    ],
    "date": "2025-08-29",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.3389/fmed.2025.1639342",
    "pdfUrl": "https://europepmc.org/articles/PMC12426038?pdf=render",
    "doi": "10.3389/fmed.2025.1639342",
    "abstract": "<h4>Introduction</h4>The secondary use of Electronic Health Records (EHRs) holds significant potential for advancing research, public health, and innovation. However, data sharing is often limited by privacy regulations, requirements, and technical complexity. This study introduces Design Science (DS) research on the evidence-based design of WiseSpace-a tool specifically tailored to address these challenges by enabling the secure, regulation-compliant de-identification of healthcare data, particularly for non-technical users.<h4>Methods</h4>The research utilizes DS methodology to develop and evaluate the de-identification solution. This approach includes problem investigation through literature review, existing method and tool evaluation, and expert interviews; treatment design based on the identified challenges; treatment validation; and treatment implementation.<h4>Results</h4>WiseSpace provides tools for personal, identifiable health data detection, de-identification, and re-identification as well as risk assessment. The tool supports common health data standards and its intuitive user interface allows healthcare professionals, individuals, and researchers to perform data management-related tasks without requiring technical expertise.<h4>Discussion</h4>WiseSpace addresses critical gaps in existing anonymization solutions by providing domain-specific support for healthcare data and ensuring compliance with the General Data Protection Regulation (GDPR) and the European Health Data Space (EHDS). It offers automation and risk mitigation solutions and simplifies workflow, enabling secondary data use. Use cases demonstrate the solution's utility for organizations and individuals.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.696,
    "venue": "Frontiers in Medicine",
    "language": "de"
  },
  {
    "id": "doaj:03126b153b064aad832d9d0aa226f1a7",
    "title": "The confirmed, indeed reinforced, Centrality of the GDPR for the Protection of Workers’ Personal Rights in the light of subsequent EU Legislative Acts",
    "authors": [
      "Anna Trojsi"
    ],
    "date": "2024",
    "platform": "doaj",
    "sourceUrl": "https://illej.unibo.it/article/view/20873",
    "pdfUrl": "",
    "doi": "10.6092/issn.1561-8048/20873",
    "abstract": "The aim of this research is to demonstrate that the centrality of Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR), in its protective function of workers’ personal rights within the Member States of the European Union, is confirmed by the subsequent EU legislative acts (Regulations and Directives) of interest to Labour Law. Such as: at a general level, the EU Regulations of the “European strategy for data”, adopted in 2022-2023 (Data Governance Act – DGA, Digital Markets Act – DMA, Digital Services Act – DSA, Data Act – DA), as well as the previous EU “Directive Open Data” 2019/1024; among EU acts specifically concerning the labour area, for example, Directive (EU) 2019/1937 on whistleblowing and Directive (EU) 2023/970 on equal pay for equal work between men and women through pay transparency. Special attention will be paid, in this perspective, to the Regulation (EU) 2024/1689 (Artificial Intelligence Act) and to the Directive (EU) 2024/2831 on platform work.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.696,
    "venue": "Italian Labour Law e-Journal",
    "language": "en"
  },
  {
    "id": "doaj:091af61ccdea48bf9c1fe7e33c3a1e7e",
    "title": "A Privacy-Preserving Scheme for a Traffic Accident Risk Level Prediction System",
    "authors": [
      "Pablo Marcillo",
      "Gabriela Suntaxi",
      "Myriam Hernández-Álvarez"
    ],
    "date": "2024",
    "platform": "doaj",
    "sourceUrl": "https://www.mdpi.com/2076-3417/14/21/9876",
    "pdfUrl": "",
    "doi": "10.3390/app14219876",
    "abstract": "Due to the expansion of Artificial Intelligence (AI), especially Machine Learning (ML), it is more common to face confidentiality regulations about using sensitive data in learning models generally hosted in cloud environments. Confidentiality regulations such as HIPAA and GDPR seek to guarantee the confidentiality and privacy of personal information. Input and output data of a learning model may include sensitive data that must be protected. Adversaries could intercept and exploit this data to infer more sensitive data or even to determine the structure of the prediction model. To guarantee data privacy, one option could be encrypting data and making inferences over encrypted data. This strategy would be challenging for learning models that now must receive encrypted data, make inferences over encrypted data, and deliver encrypted data. To address this issue, this paper presents a privacy-preserving machine learning approach using Fully Homomorphic Encryption (FHE) for a model that predicts risk levels of suffering a traffic accident. Despite the limitations of experimenting with FHE on machine learning models using a low-performance computer, limitations that are undoubtedly overcome by using high-performance computational infrastructure, we built some encrypted models. Among the encrypted models based on Decision Trees, Random Forests, XGBoost, and Fully Connected Neural Networks (FCNN), the model based on FCNN reached the highest accuracy (80.1%) for the lowest inference time (8.476 s).",
    "topics": [
      "privacy_engineering",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.696,
    "venue": "Applied Sciences",
    "language": "en"
  },
  {
    "id": "doaj:09a5eaced86b4197b500758b1bc1e446",
    "title": "DATA SUBJECT ACCESS REQUEST: WHAT INDONESIA CAN LEARN AND OPERATIONALISE IN 2024?",
    "authors": [
      "Muhammad Deckri Algamar",
      "Noriswadi Ismail"
    ],
    "date": "2023",
    "platform": "doaj",
    "sourceUrl": "https://jcli-bi.org/index.php/jcli/article/view/171",
    "pdfUrl": "",
    "doi": "10.21098/jcli.v2i3.171",
    "abstract": "The enactment of the Indonesian Personal Data Protection (PDP) Law is in line with the nation’s position as the most promising digital economy in Southeast Asia. The PDP Law, amongst others, introduces Data Subject Access Request (DSAR), a cornerstone mechanism to exercise data subject rights mirroring the European Union General Data Protection Regulation (GDPR). However, major causes of DSAR failure are predominantly triggered by resource constraint, lack of fundamental understanding, and technical gap when responding to such requests. In practice, DSAR management is time consuming and taxing since organisations shall manage numerous and complex requests within a tight timeline. By way of comparative analysis, we explore the concept of data subject rights, specifically the Rights to Access. Through observations and constructive responses by global data protection professionals, academics and non-lawyers, this paper alluded that similar failure scenario might occur in Indonesia when PDP Law grace period ended in 2024 – if the causes are not addressed and mitigated. Apropos, in safeguarding data subjects’ right, we assert that DSAR under the PDP law might bring disproportionate impracticality, hence there is demand for a robust consultation and holistic regulatory implementation. We also propose to consider a harmonized DSAR ASEAN framework for future proofing cross-border payment, in 2024 and beyond.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.696,
    "venue": "Journal of Central Banking Law and Institutions",
    "language": "en"
  },
  {
    "id": "doaj:0be09c01a28a4dbaa61f1c91dcd216ea",
    "title": "Data ethics and digital sustainability: Bridging legal data protection compliance and ESG for a responsible data-driven future",
    "authors": [
      "Prof. Dr. Paolo Balboni",
      "Kate Elizabeth Francis"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "http://www.sciencedirect.com/science/article/pii/S2666659624000258",
    "pdfUrl": "",
    "doi": "10.1016/j.jrt.2024.100099",
    "abstract": "Despite being the most comprehensive data protection law in the world, Europe's General Data Protection Regulation (GDPR) has failed to ensure that data is processed in an ethical and sustainable manner. This is because the law does not regulate what is good and even lawful activities may lead to harms. At the same time, data ethics requires clear guidelines that can be adopted by organizations. To address this, the authors propose situating data protection within the Corporate Social Responsibility (CSR) and Environmental, Social, and Governance (ESG) paradigms. This incentivizes the adoption of ethical practices thanks to the potential for organizations to improve their ESG ratings. To this end, the Maastricht University Data Protection as a Corporate Social Responsibility Framework is provided as a solution. The Framework provides actionable and auditable controls with the ultimate aim of promoting responsible data practices that benefit not only businesses, but also individuals and society.Novelty and contribution to knowledge: This paper builds upon the work illustrated in Data Protection as a Corporate Social Responsibility (Edward Elgar, 2023) to provide an overview of the need for taking an ethical approach to data protection and cybersecurity compliance. It provides new insights into the relationship between ethics and data protection law and makes new connections between ESG and data protection. Essentially, it delves deeper into the potential for framing data protection under ESG to act as an incentive for virtuous data protection compliance to be achieved by companies.",
    "topics": [
      "gdpr_compliance",
      "sector_legal"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.696,
    "venue": "Journal of Responsible Technology",
    "language": "en"
  },
  {
    "id": "doaj:342ea40bcb834f7bb972be730953f4fa",
    "title": "A Self-Sovereign Identity Based on Zero-Knowledge Proof and Blockchain",
    "authors": [
      "Mohameden Dieye",
      "Pierre Valiorgue",
      "Jean-Patrick Gelas",
      "El-Hacen Diallo",
      "Parisa Ghodous",
      "Frederique Biennier",
      "Eric Peyrol"
    ],
    "date": "2023",
    "platform": "doaj",
    "sourceUrl": "https://ieeexplore.ieee.org/document/10105959/",
    "pdfUrl": "",
    "doi": "10.1109/access.2023.3268768",
    "abstract": "Systems for generating and managing digital identities are in the process of being transformed to improve data sharing security and increase decentralization. Addressing both issues, a theoretical solution to create and manage Self-Sovereign Identities (SSI) is proposed using two Zero-Knowledge Proof (ZKP) protocols based on the discrete logarithm difficulty. Automorphism group properties are introduced to link several identities, their identifiers and attributes to produce a proof. The proposed SSI protocol does not encounter the problem of reusing the same secret key as in the case of the initial ZKP Schnorr protocol. The designed protocol ensures minimal disclosure of information to a single trusted third party. In addition, it allows zero disclosure of information to service providers requiring proof of authentication or identification. Such a SSI protocol is compliant with Electronic IDentification And Trust Services (eIDAS) as well as General Data Protection Regulation (GDPR) regulations.",
    "topics": [
      "privacy_engineering",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.696,
    "venue": "IEEE Access",
    "language": "en"
  },
  {
    "id": "doaj:fc31dcc1e2fb41f19c7d777a5bd04a3b",
    "title": "Measuring the impact of spatial perturbations on the relationship between data privacy and validity of descriptive statistics",
    "authors": [
      "Kelly Broen",
      "Rob Trangucci",
      "Jon Zelner"
    ],
    "date": "2021",
    "platform": "doaj",
    "sourceUrl": "https://doi.org/10.1186/s12942-020-00256-8",
    "pdfUrl": "",
    "doi": "10.1186/s12942-020-00256-8",
    "abstract": "Abstract Background Like many scientific fields, epidemiology is addressing issues of research reproducibility. Spatial epidemiology, which often uses the inherently identifiable variable of participant address, must balance reproducibility with participant privacy. In this study, we assess the impact of several different data perturbation methods on key spatial statistics and patient privacy. Methods We analyzed the impact of perturbation on spatial patterns in the full set of address-level mortality data from Lawrence, MA during the period from 1911 to 1913. The original death locations were perturbed using seven different published approaches to stochastic and deterministic spatial data anonymization. Key spatial descriptive statistics were calculated for each perturbation, including changes in spatial pattern center, Global Moran’s I, Local Moran’s I, distance to the k-th nearest neighbors, and the L-function (a normalized form of Ripley’s K). A spatially adapted form of k-anonymity was used to measure the privacy protection conferred by each method, and its compliance with HIPAA and GDPR privacy standards. Results Random perturbation at 50 m, donut masking between 5 and 50 m, and Voronoi masking maintain the validity of descriptive spatial statistics better than other perturbations. Grid center masking with both 100 × 100 and 250 × 250 m cells led to large changes in descriptive spatial statistics. None of the perturbation methods adhered to the HIPAA standard that all points have a k-anonymity > 10. All other perturbation methods employed had at least 265 points, or over 6%, not adhering to the HIPAA standard. Conclusions Using the set of published perturbation methods applied in this analysis, HIPAA and GDPR compliant de-identification was not compatible with maintaining key spatial patterns as measured by our chosen summary statistics. 
Further research should investigate alternate methods to balancing tradeoffs between spatial data privacy and preservation of key patterns in public health data that are of scientific and medical importance.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.696,
    "venue": "International Journal of Health Geographics",
    "language": "en"
  },
  {
    "id": "doaj:86ee777742b140e58fae6c8195432c2f",
    "title": "Schrems II: Everything is Illuminated?",
    "authors": [
      "Róisín Áine Costello"
    ],
    "date": "2020",
    "platform": "doaj",
    "sourceUrl": "https://www.europeanpapers.eu/en/europeanforum/schrems-II-everything-is-illuminated",
    "pdfUrl": "",
    "doi": "10.15166/2499-8249/396",
    "abstract": "(Series Information) European Papers - A Journal on Law and Integration, 2020 5(2), 1045-1059 | European Forum Insight of 15 October 2020 | (Table of Contents) I. Introduction. - II. Schrems I and the background to Schrems II. - III. The judgment of the Court of Justice in Schrems II. - IV. Clarity, compromise and coming challenges. - V. Conclusion. | (Abstract) The decision in Schrems II delivered by the Court of Justice in July 2020 (judgment of 16 July 2020, case C-311/18, Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems) was, in many ways, foreseeable given the scheme and recent history of the Union's privacy and data protection jurisprudence. Despite this, the decision has significant and far-reaching implications both for the protective standards afforded to personal data which are the subject of international data transfers and the role and responsibilities of data controllers where such transfers take place. More fundamentally, the decision also raises a series of further questions about the scope and reach of European data protection standards, the interpretation of the general Data Protection Regulation (GDPR) and the prospects of the United Kingdom in seeking an adequacy decision as a third country following Brexit.",
    "topics": [
      "jurisdiction_regulatory",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.696,
    "venue": "European Papers",
    "language": "en"
  },
  {
    "id": "europepmc:PPR1159800",
    "title": "FedXGB-OptDP: A Privacy-Optimised Federated XGBoost Framework with Differential Privacy for IID and Non-IID healthcare data",
    "authors": [
      "SASIREKHA B",
      "GUNAVATHI C."
    ],
    "date": "2026-02-27",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.21203/rs.3.rs-8425166/v1",
    "pdfUrl": "https://doi.org/10.21203/rs.3.rs-8425166/v1",
    "doi": "10.21203/rs.3.rs-8425166/v1",
    "abstract": "<title>Abstract</title>  <p>The rapid growth of sensitive healthcare data results in a significant need for machine learning systems capable of providing accurate predictions while safeguarding patient privacy. Due to rapid growth, current privacy-preserving federated tree models face significant computational expenses, inadequate noise allocation methodologies, and losses in accuracy while maintaining a trade-off between privacy and utility in both IID and non-IID scenarios. To overcome the challenges, a privacy-focused extension of the Federated XGBoost architecture, FedXGB-OptDP, has been developed. It integrates Hybrid optimisation techniques along with the regularisation. A Depth-Adaptive Differential privacy (DAD), Noise–Aware Regularisation (NAR), and a hybrid optimisation technique such as Genetic Algorithm (GA) and Bayesian TPE search. The DAD-NAR is essential for adaptively regulating the allocation of privacy budgets across tree depths, using calibrated Laplace Noise, and implementing noise-aware node dropout-ensures that model stability throughout training while safeguarding privacy. Each client executes GA-driven federated feature selection when combined with TPE–based hyperparameter optimisation, facilitating efficient learning while maintaining data privacy. Global aggregation is achieved through consensus-driven feature voting and weighted averaging of hyperparameters, eliminating the necessity for complex cryptographic techniques such as Homomorphic Encryption (HE) or Secure Multi-Party Computation (SMPC). Experiments performed on five datasets across both IID and Non-IID configurations demonstrate that our model consistently achieves high levels (up to 95–96%) while ensuring robust privacy safeguards. It exceeds the performance of centralised XGBoost and prominent federated baselines, including PrivaTree, FedXHDP, and FedBoost. 
Overall, the results show that adaptive differential privacy, when integrated with optimisation, substantially enhances th",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.696,
    "venue": "",
    "language": "de"
  },
  {
    "id": "europepmc:PPR1155368",
    "title": "TrustDS: A Policy-First, Privacy-Preserving Framework for Interoperable Marketplace Data Exchange Across Edge and Multi-Cloud Environments",
    "authors": [
      "Dockara TR",
      "Malhotra M."
    ],
    "date": "2026-02-16",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.21203/rs.3.rs-8768420/v1",
    "pdfUrl": "https://doi.org/10.21203/rs.3.rs-8768420/v1",
    "doi": "10.21203/rs.3.rs-8768420/v1",
    "abstract": "<title>Abstract</title>  <p>We present TrustDS, a policy-first, privacy-preserving framework for interoperable data exchange across edge and multi-cloud environments and commercial data marketplaces. TrustDS compiles human-readable consent, licensing, and governance policies into an execution directed acyclic graph (DAG) that schedules privacy-enhancing technologies (PETs) such as differential privacy (DP), secure multi-party computation (SMPC), and trusted execution environments (TEEs) under explicit latency, utility, and cost budgets. We formalize policy admissibility, state a safety property for admissible plans, and provide a revocation protocol that enforces dynamic consent revocation within a configured Δt under standard liveness assumptions. A cost-aware planner co-optimizes operator placement across edge and cloud regions to minimize latency while respecting egress constraints and utility targets. We empirically demonstrate TrustDS using marketplace microdata and authoritative public microdata accessed through AWS Data Exchange/AWS Marketplace, Google BigQuery Public Datasets (and Analytics Hub), and Snowflake Marketplace listings, anchored to primary publishers (e.g., NYC TLC, CDC, CFPB, and U.S. Census). Across five representative workloads, TrustDS improves median end-to-end latency by 13–30% versus centralized transfer and governed clean-room baselines while maintaining verifiable policy compliance, with revocation propagation below 120 ms in the proof-of-concept and median audit-ledger lag of 130 ms. We provide a reproducible workload specification, policy library, and evidence schema to support independent verification and repeatable comparisons.</p>",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.696,
    "venue": "",
    "language": "de"
  },
  {
    "id": "doaj:baff3ac0de71415897adf5d2ea0f3762",
    "title": "BlockIntelChain: a blockchain-based cyber threat intelligence sharing architecture",
    "authors": [
      "Alaa Tolah"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://doi.org/10.1038/s41598-025-29152-6",
    "pdfUrl": "https://europepmc.org/articles/PMC12764993?pdf=render",
    "doi": "10.1038/s41598-025-29152-6",
    "abstract": "Abstract The exponential growth of sophisticated cyber threats in Internet of Things (IoT) environments has exposed fundamental weaknesses in existing Cyber Threat Intelligence (CTI) platforms, including centralized architectures, trust deficits, privacy vulnerabilities, and single points of failure. To overcome these limitations, this paper proposes BlockIntelChain, a blockchain-based framework for secure, scalable, and collaborative CTI sharing across distributed IoT networks. The system integrates a hybrid consensus mechanism that combines Proof-of-Stake with reputation-based validator selection, supported by a multi-layered privacy framework employing Differential Privacy (DP), Zero-Knowledge Proofs (ZKP), Homomorphic Encryption, and Secure Multi-Party Computation. BlockIntelChain further embeds Federated Learning (FL) to enable distributed model training directly on IoT edge nodes without exposing raw threat telemetry. Comprehensive evaluations on real-world Malware Information Sharing Platform (MISP) datasets show that BlockIntelChain achieves 923 Transactions per Second at 500 nodes with 99.6% consensus success, while maintaining resilience against 51% and Byzantine attacks tolerating up to 33% malicious validators. Privacy analysis confirms an optimized utility–privacy trade-off, with DP (ε = 0.1) preserving 92% data utility and ZKP achieving 94% verification accuracy. The FL-based models outperform centralized baselines, reaching 96.4% accuracy for IoT malware classification, 94.7% for phishing detection, and 95.2% for network anomaly identification. Economic modeling validates sustainability through contributor growth (156 → 1,245 in 12 months) and improved contribution quality (0.73 → 0.92). The proposed framework directly benefits Security Operation Centers and edge-deployed IoT systems by enabling real-time threat intelligence exchange with strong security, privacy, and efficiency. 
Comparative benchmarking demonstrates BlockIntelChain’s superiority over MISP, ThreatConnect, and IBM X-Force in decentralization, privacy, and cost efficiency, positioning it as a transformative solution for next-generation privacy-aware CTI ecosystems.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.696,
    "venue": "Scientific Reports",
    "language": "en"
  },
  {
    "id": "europepmc:40848286",
    "title": "PRISM: privacy-preserving rare disease analysis using fully homomorphic encryption.",
    "authors": [
      "Akkaya G",
      "Erdoğmuş N",
      "Akgün M."
    ],
    "date": "2025-10-01",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1093/bioinformatics/btaf468",
    "pdfUrl": "https://europepmc.org/articles/PMC12512125?pdf=render",
    "doi": "10.1093/bioinformatics/btaf468",
    "abstract": "<h4>Motivation</h4>Rare diseases affect millions of people worldwide, yet their genomic foundations remain poorly understood due to limited patient data and strict privacy regulations, such as the General Data Protection Regulation (GDPR) (https://gdpr.eu/tag/gdpr/) in March 2025. These restrictions can hinder the collaborative analysis of genomic data necessary for uncovering disease-causing variants.<h4>Results</h4>We present PRISM, a novel privacy-preserving framework based on fully homomorphic encryption (FHE) that facilitates rare disease variant analysis across multiple institutions without exposing sensitive genomic information. To address the challenges of centralized trust, PRISM is built upon a Threshold FHE scheme. This approach decentralizes key management across participating institutions and ensures no single entity can unilaterally decrypt sensitive data. Our method filters disease-causing variants under recessive, dominant, and de novo inheritance models entirely on encrypted data. We propose two algorithmic variants: a multiplication-intensive (MUL-IN) approach and an addition-intensive (ADD-IN) approach. The ADD-IN algorithms minimize the number of costly multiplication operations, enabling up to a 17× improvement in runtime for recessive/dominant filtering and 22× for de novo filtering, compared to MUL-IN methods. While ADD-IN produces larger ciphertexts, efficient parallelization via SIMD and multithreading allows it to handle millions of variants in reasonable time. To the best of our knowledge, this is the first study that utilizes FHE for privacy-preserving rare disease analysis across multiple inheritance models, demonstrating its practicality and scalability in a single-cloud setting.<h4>Availability and implementation</h4>The source code and the data used in this work can be found in https://github.com/mdppml/PRISM.git.",
    "topics": [
      "privacy_engineering",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.696,
    "venue": "Bioinform.",
    "language": "de"
  },
  {
    "id": "europepmc:39846076",
    "title": "Anonymize or synthesize? Privacy-preserving methods for heart failure score analytics.",
    "authors": [
      "Johann TI",
      "Otte K",
      "Prasser F",
      "Dieterich C."
    ],
    "date": "2024-11-20",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1093/ehjdh/ztae083",
    "pdfUrl": "https://europepmc.org/articles/PMC11750188?pdf=render",
    "doi": "10.1093/ehjdh/ztae083",
    "abstract": "<h4>Aims</h4>Data availability remains a critical challenge in modern, data-driven medical research. Due to the sensitive nature of patient health records, they are rightfully subject to stringent privacy protection measures. One way to overcome these restrictions is to preserve patient privacy by using anonymization and synthetization strategies. In this work, we investigate the effectiveness of these methods for protecting patient privacy using real-world cardiology health records.<h4>Methods and results</h4>We implemented anonymization and synthetization techniques for a structure data set, which was collected during the HiGHmed Use Case Cardiology study. We employed the data anonymization tool ARX and the data synthetization framework ASyH individually and in combination. We evaluated the utility and shortcomings of the different approaches by statistical analyses and privacy risk assessments. Data utility was assessed by computing two heart failure risk scores on the protected data sets. We observed only minimal deviations to scores from the original data set. Additionally, we performed a re-identification risk analysis and found only minor residual risks for common types of privacy threats.<h4>Conclusion</h4>We could demonstrate that anonymization and synthetization methods protect privacy while retaining data utility for heart failure risk assessment. Both approaches and a combination thereof introduce only minimal deviations from the original data set over all features. While data synthesis techniques produce any number of new records, data anonymization techniques offer more formal privacy guarantees. Consequently, data synthesis on anonymized data further enhances privacy protection with little impacting data utility. We share all generated data sets with the scientific community through a use and access agreement.",
    "topics": [
      "data_anonymization",
      "enterprise_privacy_ops"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.696,
    "venue": "",
    "language": "de"
  },
  {
    "id": "https://openalex.org/W4313011087",
    "title": "Datenschutz der katholischen Kirche im Spannungsfeld zwischen kirchlicher Selbstbestimmung und europäischem Datenschutzrecht",
    "authors": [
      "Michaela Hermes"
    ],
    "date": "2022",
    "platform": "OpenAlex",
    "sourceUrl": "http://doi.org/10.3790/978-3-428-58732-2",
    "pdfUrl": "",
    "doi": "https://doi.org/10.3790/978-3-428-58732-2",
    "abstract": "Abstract Das europäische Datenschutzrecht ist mit Einführung der Datenschutz-Grundverordnung (DSGVO) im Jahr 2018 auf ganz neue Füße gestellt worden. Obwohl man im Kontext des Datenschutzes nicht als erstes an die Kirchen denkt, haben diese – so auch die katholische Kirche – parallel dazu ein eigenes Datenschutzreglement aufgesetzt. Dadurch gewinnt der bisher schon bestehende Dualismus von Staat und Kirche auf nationalstaatlicher Ebene eine weitere, eine europäische, Dimension hinzu. Welchen Spielraum gewährt die DSGVO für das kirchliche Selbstbestimmungsrecht? Wie stark ist der Harmonisierungsdruck der DGSVO auf die katholische Kirche? Die Arbeit widmet sich der rechtlichen Umsetzung einer DSGVO-konformen Ausgestaltung und der Durchsetzung des katholischen Datenschutzrechts. Hierbei schlägt die Arbeit die Brücke vom deutschen Verfassungsrecht zum europäischen Rechtsrahmen für den Datenschutz und vertieft dann die Umsetzung im Kirchenrecht bzw. kirchlichen Datenschutzrecht.»Data Privacy in the Catholic Church at the Crossroads of the Freedom of Religious Societies and European Data Privacy Regulations«: With the introduction of the General Data Protection Regulation (GDPR) the European Data Privacy framework has been revamped. This book describes the implementation of the European Data Privacy rules within the Catholic church. Against the backdrop of the German constitutional framework the author puts this in the context of the European Data Privacy legal framework and describes the specifics of the implementation within the Data Privacy regime of the Catholic church.",
    "topics": [
      "gdpr_compliance",
      "enterprise_privacy_ops"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.696,
    "venue": "DUNCKER UND HUMBLOT eBooks",
    "language": "de"
  },
  {
    "id": "https://openalex.org/W3217003479",
    "title": "Sekundäre Nutzung von hausärztlichen Routinedaten ist machbar – Bericht vom RADAR Projekt",
    "authors": [
      "Johannes Hauswaldt",
      "Thomas Bahls",
      "Arne Blumentritt",
      "Iris Demmer",
      "Johannes Drepper",
      "Roland Groh",
      "Stephanie Heinemann",
      "Wolfgang Hoffmann",
      "Valérie Kempter",
      "Johannes Pung",
      "Otto Rienhoff",
      "Falk Schlegelmilch",
      "Philipp Wieder",
      "Ramin Yahyapour",
      "Eva Hummers"
    ],
    "date": "2021",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1055/a-1676-4020",
    "pdfUrl": "http://www.thieme-connect.de/products/ejournals/pdf/10.1055/a-1676-4020.pdf",
    "doi": "https://doi.org/10.1055/a-1676-4020",
    "abstract": "Objectives It is difficult to obtain longitudinal 'real world' data from ambulatory medical care in Germany in a systematic way. Our vision is a large German research data repository featuring representative, anonymized patient and outpatient health care data, longitudinal, continuously updated and across different providers, offering a perspective of linking secondary care data or additional data obtained from research cohorts, for example patient reported data or biodata, and will be accessible for other researchers. Here we report specific methods and results from the RADAR project.Methods Survey of legislation, design of technical processes and organisational solutions, with a feasibility study to evaluate technical and content functionality, acceptability and performance fitness for health services research questions.Results In 2016, a multi-disciplinary scientific team initiated the development of a privacy protection and IT security concept for data exported from the electronic medical records (EMR) of physicians' practices in line with the European General Data Protection Regulation. Technical and organisational requirements for lawful research infrastructure were developed and executed for use in a specific case, namely ̒oral anticoagulation'. In 7 Lower Saxonian general practices, 100 patients were selected by their physician and their data - reduced to 40 essential data fields - extracted from EMR via a mandatory software interface after informed consent. Still in the practice, the data were split into identifying or medical data. These were encrypted and transferred either to a trusted third party (TTP) or to a data repository, respectively. 75 patients who met our inclusion criteria (minimum of one year of oral anticoagulation treatment) received a quality-of-life questionnaire via the TTP. 
Of the 66 returns, 63 responses were then linked to the EMR data in the repository. Conclusion Results from RADAR project proved the technical and organisational feasibility of lawful, pseudonymised data acquisition and the linkage of questionnaires to EMR data. The protecting concepts privacy by design and data minimization (Art. 25 GDPR with Recital 78) were implemented. Without informed consent, secondary use of routine data from ambulatory care which are sufficiently anonymized but still meaningful is all but impossible under current German law.",
    "topics": [
      "gdpr_compliance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.696,
    "venue": "Das Gesundheitswesen",
    "language": "de"
  },
  {
    "id": "s2:0de69dfe766375061ab0a267d281da8a6ce4bbe6",
    "title": "Federated Boosted Decision Trees with Differential Privacy",
    "authors": [
      "Samuel Maddock",
      "Graham Cormode",
      "Tianhao Wang",
      "C. Maple",
      "S. Jha"
    ],
    "date": "2022-10-06",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/0de69dfe766375061ab0a267d281da8a6ce4bbe6",
    "pdfUrl": "http://wrap.warwick.ac.uk/169990/1/WRAP-federated-boosted-decision-trees-differential-privacy-2022.pdf",
    "doi": "10.1145/3548606.3560687",
    "abstract": "There is great demand for scalable, secure, and efficient privacy-preserving machine learning models that can be trained over distributed data. While deep learning models typically achieve the best results in a centralized non-secure setting, different models can excel when privacy and communication constraints are imposed. Instead, tree-based approaches such as XGBoost have attracted much attention for their high performance and ease of use; in particular, they often achieve state-of-the-art results on tabular data. Consequently, several recent works have focused on translating Gradient Boosted Decision Tree (GBDT) models like XGBoost into federated settings, via cryptographic mechanisms such as Homomorphic Encryption (HE) and Secure Multi-Party Computation (MPC). However, these do not always provide formal privacy guarantees, or consider the full range of hyperparameters and implementation settings. In this work, we implement the GBDT model under Differential Privacy (DP). We propose a general framework that captures and extends existing approaches for differentially private decision trees. Our framework of methods is tailored to the federated setting, and we show that with a careful choice of techniques it is possible to achieve very high utility while maintaining strong levels of privacy.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.696,
    "venue": "Conference on Computer and Communications Security",
    "language": "en"
  },
  {
    "id": "s2:10a2322846e77805acf0d0fa4102902ab018a1c5",
    "title": "Characterizing Browser Fingerprinting and its Mitigations",
    "authors": [
      "Alisha Ukani"
    ],
    "date": "2023-10-12",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/10a2322846e77805acf0d0fa4102902ab018a1c5",
    "pdfUrl": "",
    "doi": "10.48550/arXiv.2311.12197",
    "abstract": "People are becoming increasingly concerned with their online privacy, especially with how advertising companies track them across websites (a practice called cross-site tracking), as reconstructing a user's browser history can reveal sensitive information. Recent legislation like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act have tried to limit the extent to which third parties perform cross-site tracking, and browsers have also made tracking more difficult by deprecating the most-common tracking mechanism: third-party cookies. However, online advertising companies continue to track users through other mechanisms that do not rely on cookies. This work explores one of these tracking techniques: browser fingerprinting. We detail how browser fingerprinting works, how prevalent it is, and what defenses can mitigate it.",
    "topics": [
      "linkability_tracking",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Re-identification"
    ],
    "relevanceScore": 0.696,
    "venue": "arXiv.org",
    "language": "en"
  },
  {
    "id": "arxiv:2503.11947",
    "title": "Ethical AI for Young Digital Citizens: A Call to Action on Privacy Governance",
    "authors": [
      "Austin Shouli",
      "Ankur Barthwal",
      "Molly Campbell",
      "Ajay Kumar Shrestha"
    ],
    "date": "2025-03-15",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2503.11947v4",
    "pdfUrl": "https://arxiv.org/pdf/2503.11947v4",
    "doi": "10.1002/spy2.70202",
    "abstract": "The rapid expansion of Artificial Intelligence (AI) in digital platforms used by youth has created significant challenges related to privacy, autonomy, and data protection. While AI-driven personalization offers enhanced user experiences, it often operates without clear ethical boundaries, leaving young users vulnerable to data exploitation and algorithmic biases. This paper presents a call to action for ethical AI governance, advocating for a structured framework that ensures youth-centred privacy protections, transparent data practices, and regulatory oversight. We outline key areas requiring urgent intervention, including algorithmic transparency, privacy education, parental data-sharing ethics, and accountability measures. Through this approach, we seek to empower youth with greater control over their digital identities and propose actionable strategies for policymakers, AI developers, and educators to build a fairer and more accountable AI ecosystem.",
    "topics": [
      "ai_governance",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.696,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:2104.06523",
    "title": "A Review of Anonymization for Healthcare Data",
    "authors": [
      "Iyiola E. Olatunji",
      "Jens Rauch",
      "Matthias Katzensteiner",
      "Megha Khosla"
    ],
    "date": "2021-04-13",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2104.06523v1",
    "pdfUrl": "https://arxiv.org/pdf/2104.06523v1",
    "doi": "10.1089/big.2021.0169",
    "abstract": "Mining health data can lead to faster medical decisions, improvement in the quality of treatment, disease prevention, reduced cost, and it drives innovative solutions within the healthcare sector. However, health data is highly sensitive and subject to regulations such as the General Data Protection Regulation (GDPR), which aims to ensure patient's privacy. Anonymization or removal of patient identifiable information, though the most conventional way, is the first important step to adhere to the regulations and incorporate privacy concerns. In this paper, we review the existing anonymization techniques and their applicability to various types (relational and graph-based) of health data. Besides, we provide an overview of possible attacks on anonymized data. We illustrate via a reconstruction attack that anonymization though necessary, is not sufficient to address patient privacy and discuss methods for protecting against such attacks. Finally, we discuss tools that can be used to achieve anonymization.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.696,
    "venue": "Big Data",
    "language": "en"
  },
  {
    "id": "openaire:10.5121/cseij.2025.15501",
    "title": "SECURE INTEGRATION OF LLMS WITH PRODUCTION DATABASES THROUGH CONTEXT BASED DATA ANONYMIZATION",
    "authors": [
      "Hassane Tahir",
      "Patrick Brezillon"
    ],
    "date": "2025-10-28",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.5121/cseij.2025.15501",
    "pdfUrl": "",
    "doi": "10.5121/cseij.2025.15501",
    "abstract": "<jats:p>The integration of Large Language Models (LLMs) with production databases introduces powerful capabilities for natural language querying and intelligent data access. However, this fusion also raises critical concerns around privacy, ethics, and compliance. In this work, we investigate possible approaches for designing a context-based framework that secures anonymization in LLMs. Our research explores how organizational, functional, technical, and social contexts can be embedded into anonymization strategies to enforce role-based access, ethical safeguards, and social sensitivity. Social context specifically involves cultural sensitivity, ethical implications, and the societal effects of exposing or obscuring information, ensuring that anonymization extends beyond compliance to address broader human-centered considerations. By combining schema-aware controls with differential privacy, the framework reduces risks of data leakage and re-identification. The approach is evaluated through a case study in finance, demonstrating effectiveness in balancing utility with privacy. Moreover, we highlight open challenges such as latency, bias mitigation, and integration with regulatory frameworks like GDPR (General Data Protection Regulation) and HIPAA (Health Insurance Portability and Accountability Act). Ultimately, this work contributes a systematic foundation for trustworthy LLM adoption in sensitive enterprise environments.</jats:p>",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.696,
    "venue": "Computer Science & Engineering: An International Journal",
    "language": "en"
  },
  {
    "id": "openaire:10.69554/ybqg1798",
    "title": "European data protection laws: Learnings and implications for Indian business",
    "authors": [
      "R. Rajesh Babu",
      "Suren Sista"
    ],
    "date": "2017-04-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.69554/ybqg1798",
    "pdfUrl": "",
    "doi": "10.69554/ybqg1798",
    "abstract": "<jats:p xml:lang=\"en\">India’s data protection law is grossly inadequate in terms of personal data protection and privacy. While India is contemplating a separate law on personal data protection, this subject is currently dealt with by various laws. Irrespective of the inadequacies, laws of other countries, specifically the GDPR, have direct bearing on the processing and handling of personal data in India given their exterritorial scope. This paper explores the implication of the EU General Data Protection Regulation (GDPR) on Indian business. The paper reviews the state of data protection laws in India, followed by a review of GDPR and the implications of GDPR for Indian business. The paper argues that since India aims to be counted among the best, it would be wise to ensure that data protection laws are in sync with the best practices from across the world to maintain business competitiveness and ensure a level of personal data protection for its citizens.</jats:p>",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.696,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::7ead96aafbd228f67fa52810ba685a6a",
    "title": "Comprehensive Prior Art Disclosure: Y.I.N. Mazari Ordering — Extensions, Variations, and Future Applications for Verifiable Differential Privacy.",
    "authors": [
      "Mazari, Ilyes Tarik"
    ],
    "date": "2025-12-06",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.5281/zenodo.17841341",
    "pdfUrl": "",
    "doi": "10.5281/zenodo.17841341",
    "abstract": "This document provides a comprehensive prior art disclosure for the Y.I.N. Mazari Ordering, a fundamental primitive for achieving verifiable differential privacy in federated learning systems. The Y.I.N. Mazari Ordering establishes that for efficient cryptographic verification of differential privacy compliance, zero-knowledge proofs must be generated before encryption, not after.  This disclosure documents extensions, variations, and applications of the ordering across: (1) all cryptographic primitives including post-quantum schemes, (2) all zero-knowledge proof systems, (3) diverse application domains including financial services, healthcare, and emerging technologies, and (4) various architectural configurations and trust models.  The disclosure is published in the spirit of scientific contribution while establishing prior art for the described variations. Associated patent applications: U.S. Provisional Patent No. 63/923,348, U.S. Patent Application No. 19/399,646, and U.S. Continuation Application No. 19/403,244.  Keywords: Verifiable Differential Privacy, Federated Learning, Zero-Knowledge Proofs, Homomorphic Encryption, Y.I.N. Mazari Ordering, Privacy-Preserving Machine Learning, Prior Art Disclosure",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.696,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.55606/eksekusi.v3i2.1815",
    "title": "Perbandingan Penerapan Prinsip Transparansi Antara Indonesia dengan Irlandia dalam Hal Terjadinya Kegagalan Pelindungan Data Pribadi",
    "authors": [
      "Marsya Iffah Erisar Raib",
      "Sinta Dewi Rosadi",
      "Amelia Cahyadini"
    ],
    "date": "2025-03-15",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.55606/eksekusi.v3i2.1815",
    "pdfUrl": "",
    "doi": "10.55606/eksekusi.v3i2.1815",
    "abstract": "<jats:p>The implementation of the principle of transparency in personal data protection is a crucial aspect in ensuring data subjects right to information relating to the processing of their data. Indonesia has enacted the Personal Data Protection Law (PDP Law) as a legal framework to protect citizens personal data. However, the implementation of the transparency principle in the PDP Law still faces various challenges, including the lack of notification data breach. This research aims to analyze the implementation of the principle of transparency in the event of personal data breach in Indonesia by taking the practice in Ireland as a benchmark for comparison. Ireland, as part of the European Union that adopted the General Data Protection Regulation (GDPR), has a higher level of a transparency and more rigorous enforcement mechanisms. In this research, the author uses a normative juridical method with a descriptive-analytical approach and collects data through literature study and semi-structured interviews. The results of this research show that although the PDP Law regulates the obligation regarding transparency in the event of a data breach, its implementation has proven to be ineffective due to the lack of awareness of data controllers and the absence of implementing regulations. This contrasts with Ireland, which has a better implementation as it is equipped with several supporting factors, including the existence of an independent authority. Therefore, it is necessary to strengthen regulations, establish independent supervisory institutions, and increase the awareness and compliance of data controllers to achieve a more optimum protection of personal data.</jats:p>",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.696,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::06e24e45e116322ae43e3f717d625418",
    "title": "Collection and Use of Digital Mobility Data, Challenges in Their Anonymization, and Alternative Strategies",
    "authors": [
      "Beckert, Bernd",
      "Metzger, Frederik M."
    ],
    "date": "2025-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.24406/publica-5338",
    "pdfUrl": "",
    "doi": "10.24406/publica-5338",
    "abstract": "Digital mobility data, which consist of geolocation or movement information, pose a dual challenge: they require protection under measures like the General Data Protection Regulation (GDPR) due to their personal nature, yet they hold significant value for applications such as traffic planning, smart mobility services, and retail strategies, among others. This overview article explores the conflict between the need for privacy and the potential benefits of utilizing mobility data. It provides a comprehensive overview of data collection from smartphones, mobile networks, and connected vehicles, and outlines anonymization methods: data cropping, data generalization, and data perturbation; as well as pseudonymization. The presentation of mobility data use shows that anonymization measures are often insufficient. Although anonymization is applied, two major challenges remain: first, due to their dense collection points, mobility data are highly vulnerable when being intersected with secondary datasets. Second, unique time and spatial patterns make mobility data easily backtraceable to individuals. We conclude by proposing alternative strategies, such as cryptographic pseudonymization, data sharing platforms, and data trustees, as technical and institutional solutions for privacy-preserving mobility data approaches.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.696,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.22214/ijraset.2024.64230",
    "title": "Privacy-Enhancing Technologies (PETs) and Application Security",
    "authors": [
      "Samikya Reddy Balguri"
    ],
    "date": "2024-09-30",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.22214/ijraset.2024.64230",
    "pdfUrl": "https://doi.org/10.22214/ijraset.2024.64230",
    "doi": "10.22214/ijraset.2024.64230",
    "abstract": "<jats:p>Abstract: This article explores the critical component in safeguarding personal information in the digital age. This comprehensive exploration delves into the definition, scope, and key characteristics of PETs, examining their crucial role in modern data protection. The article discusses fundamental PET categories, including data encryption and anonymization/pseudonymization techniques, and their implementation in application security. It highlights the importance of Privacy Impact Assessments, Privacy by Design principles, and strong access controls in effectively integrating PETs into security strategies. By addressing the challenges of balancing data utility with privacy protection, PETs offer organizations a pathway to compliance with stringent data protection regulations while building trust with users and gaining a competitive edge in an increasingly privacy-conscious market.</jats:p>",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.696,
    "venue": "International Journal for Research in Applied Science and Engineering Technology",
    "language": "en"
  },
  {
    "id": "openaire:10.9734/cjast/2023/v42i374245",
    "title": "Steps for Security and Privacy Protection in NLP-based Marking Systems",
    "authors": [
      "Tahirou Djara",
      "Carlos Amoussou"
    ],
    "date": "2023-10-19",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.9734/cjast/2023/v42i374245",
    "pdfUrl": "https://journalcjast.com/index.php/CJAST/article/download/4245/8458",
    "doi": "10.9734/cjast/2023/v42i374245",
    "abstract": "<jats:p>This paper provides an overview of the methods and techniques used to ensure the security and privacy protection of Natural Language Processing (NLP) based test scoring systems. NLPs improve the accuracy and efficiency of correction systems. However, these systems process sensitive data such as student responses, which raises security and privacy concerns. We examine the components of such a system and then propose measures such as access controls, homomorphic encryption, firewalls and blockchain mixed together to secure the system. Next, we safeguard privacy through methods such as differential privacy protection, anonymization and pseudonymization of data. In addition, we insist on the integration of a browser monitoring module to detect any cheating during composition. In this article we partly present a system called \"GestStudent New Generation\" in which we integrate most of the security concepts to secure the whole system and guarantee privacy protection. Finally, we conclude by stressing the importance of continuous evaluation of these security and privacy measures to ensure the trust and reliability of NLP-based examination marking systems.</jats:p>",
    "topics": [
      "data_anonymization",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.696,
    "venue": "Current Journal of Applied Science and Technology",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::070e34657de9caa72bea1c4a115df1fa",
    "title": "Prelucrarea datelor cu caracter personal în scopuri statistice și respectarea Regulamentului General privind Protecția Datelor (GDPR)",
    "authors": [
      "Dobrilă M.-C."
    ],
    "date": "2024-05-30",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.5281/zenodo.11654088",
    "pdfUrl": "",
    "doi": "10.5281/zenodo.11654088",
    "abstract": "Processing Of Personal Data For Statistical Purposes And Compliance With The General Data Protection Regulation (GDPR). The article analyzes the framework for the protection of personal data that are processed for statistical purposes: a general framework for the protection of personal data, represented by the General Data Protection Regulation (GDPR), and a specific framework for the protection of collected data for statistical purposes (such as the European Statistics Regulation or the Regulation on access to confidential data for scientific purposes). The principles of the GDPR regarding the protection of personal data are applicable to any information relating to an identified or identifiable natural person. The article analyzes whether the General Data Protection Regulation applies to the processing of data for statistical purposes and what is the solution when the natural person cannot be identified. Processing for statistical purposes means any operation of collecting and processing personal data with the purpose of obtaining statistical results. The General Data Protection Regulation is applicable in the case of data processing for statistical purposes and guarantees are required to protect the rights of the natural person, but in the case of data processing for statistical purposes, the result of the processing is not personal data, but aggregated data and the data are not used in relation to a specific natural person. The processing of personal data for statistical purposes requires the existence of adequate guarantees for the rights and freedoms of the data subject, including taking the necessary measures (which may include anonymization, pseudonymization) to respect the principle of data minimization.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.696,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::048998a65221d421d3b71968c024fa3b",
    "title": "Report on data protection, privacy & ethical impact",
    "authors": [
      "Giovanni Maria Riccio",
      "Adriana Peduto"
    ],
    "date": "2022-11-03",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.5281/zenodo.7293222",
    "pdfUrl": "",
    "doi": "10.5281/zenodo.7293222",
    "abstract": "This deliverable consists of a report to frame the most relevant EU legal framework and to outline some recommendations in the assessment of the impact of the rescue operations in relation to the ASSISTANCE technology on privacy and data protection. The document, starting from the analysis already proposed in the D.8.1, provides an overview on the relevant legal framework, including the General Data Protection Regulation (EU) no. 679/2016 (GDPR), aimed at supporting the methodology to be followed in the assessment of privacy and data protection issues involved in the rescue operations. Furthermore, this report holds recommendations for software and technology developers, in order to comply with the data protection regulations and principles, i.e. by following the privacy by design and privacy by default approaches, as well as complying with technical and organisational measures to store and protect personal data pursuant to the GDPR and the other data protection regulations.",
    "topics": [
      "gdpr_compliance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.696,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::6fad9af1c6e9b5fe5dacd779158db250",
    "title": "eyre.ai Regulatory Compliance Framework: Comprehensive GDPR, DSA, and AI Act Compliance Documentation for eyre.ai Secure Sovereign European Collaboration Platform",
    "authors": [
      "Habriiel, Yuliia"
    ],
    "date": "2025-09-07",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.5281/zenodo.17071790",
    "pdfUrl": "",
    "doi": "10.5281/zenodo.17071790",
    "abstract": "This document, Eyre.ai Regulatory Compliance Framework: Comprehensive GDPR, DSA, and AI Act Compliance Documentation for the Eyre.ai Secure Sovereign European Collaboration Platform, provides an integrated reference for regulatory compliance across the European digital landscape.  The framework consolidates the full set of compliance measures embedded within Eyre.ai’s sovereign meeting and collaboration platform, aligning with the three core pillars of European digital regulation:      GDPR (General Data Protection Regulation): Data minimisation, lawful processing, user rights management, and privacy-by-design technical safeguards.     DSA (Digital Services Act): Transparency in digital service operations, risk management obligations, and content governance responsibilities.     AI Act (Artificial Intelligence Act): High-risk AI system requirements, traceability, continuous monitoring, and technical documentation to support regulatory conformity.    The documentation provides detailed compliance architectures, technical control mappings, operational processes, and accountability mechanisms. It is designed to support audits, regulator engagement, and partner due diligence processes while demonstrating Eyre.ai’s commitment to digital sovereignty and secure European infrastructure.  This framework serves legal, compliance, and technical stakeholders by offering a structured and transparent methodology for meeting evolving EU regulatory obligations.  Disclaimer: This framework is provided for transparency and reference. It does not replace independent legal advice or regulatory consultation.",
    "topics": [
      "gdpr_compliance",
      "ai_governance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.696,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:info15110697",
    "title": "Privacy-Preserving Techniques in Generative AI and Large Language Models: A Narrative Review",
    "authors": [
      "Georgios Feretzakis",
      "Konstantinos Papaspyridis",
      "Aris Gkoulalas-Divanis",
      "Vassilios S. Verykios"
    ],
    "date": "2024-11-04",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.3390/info15110697",
    "pdfUrl": "",
    "doi": "10.3390/info15110697",
    "abstract": "<jats:p>Generative AI, including large language models (LLMs), has transformed the paradigm of data generation and creative content, but this progress raises critical privacy concerns, especially when models are trained on sensitive data. This review provides a comprehensive overview of privacy-preserving techniques aimed at safeguarding data privacy in generative AI, such as differential privacy (DP), federated learning (FL), homomorphic encryption (HE), and secure multi-party computation (SMPC). These techniques mitigate risks like model inversion, data leakage, and membership inference attacks, which are particularly relevant to LLMs. Additionally, the review explores emerging solutions, including privacy-enhancing technologies and post-quantum cryptography, as future directions for enhancing privacy in generative AI systems. Recognizing that achieving absolute privacy is mathematically impossible, the review emphasizes the necessity of aligning technical safeguards with legal and regulatory frameworks to ensure compliance with data protection laws. By discussing the ethical and legal implications of privacy risks in generative AI, the review underscores the need for a balanced approach that considers performance, scalability, and privacy preservation. The findings highlight the need for ongoing research and innovation to develop privacy-preserving techniques that keep pace with the scaling of generative AI, especially in large language models, while adhering to regulatory and ethical standards.</jats:p>",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.696,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.21512/becossjournal.v4i2.8377",
    "title": "Petugas/Pejabat Pelindungan Data Pribadi dalam Ekosistem Perlindungan Data Pribadi: Indonesia, Uni Eropa dan Singapura",
    "authors": [
      "Siti Yuniarti"
    ],
    "date": "2022-06-04",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.21512/becossjournal.v4i2.8377",
    "pdfUrl": "",
    "doi": "10.21512/becossjournal.v4i2.8377",
    "abstract": "<jats:p>Personal data protection regulations have been adopted by 137 countries until the beginning of 2022. In addition to creating a data protection agency, personal data protection regulations have also created new professionalism, namely personal data protection officers. The main role of the data protection officer is to ensure compliance with personal data protection regulations placing the function of a data protection officer as an important factor in the personal data protection ecosystem. It raises the question of how the role of data protection officers in the personal data protection ecosystem when it is analyzed from the attributes attached to the profession. Therefore, using the normative juridical research method, this paper attempts to describe the role of the data protection officer in the personal data protection ecosystem by analyzing the attributes attached to the profession through a comparison of the General Data Protection Regulation (GDPR) in the European Union, Personal Data Protection Act Singapore and the draft of personal data regulation in Indonesia. This paper concluded that the existence of a data protection officer is part of the data protection regulation, whether it appears as an obligation or in terms of certain conditions. Independency of the data protection officer and organizational support is essential to optimize the data protection officer’s role which has been adopted on GDPR. It also noticed the presence of data protection officers as a service to fulfill the needs of data protection officers by organizations. Further research regarding the attribute of data protection officers as studied in this paper is needed since the Indonesia personal data protection bill will impact many sectors, both private and public sectors.</jats:p>",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.696,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.24144/2307-3322.2023.78.2.7",
    "title": "Foreign experience of personal data protection in social networks",
    "authors": [
      "V. Kravchuk"
    ],
    "date": "2023-08-31",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.24144/2307-3322.2023.78.2.7",
    "pdfUrl": "",
    "doi": "10.24144/2307-3322.2023.78.2.7",
    "abstract": "The article analyzes the protection of personal data based on foreign experience. Social networking has been identified as one of the most prominent cultural phenomena to emerge in the Web 2.0 era. They keep users connected and facilitate the exchange of information between them.  The European Union has adopted a new personal data protection system called the General Data Protection Regulation (GDPR). Its main goals include providing individuals with tools to control their personal data, implementing modern standards for the protection of personal information, developing the digital space of the European Union to safeguard personal data, ensuring strict compliance by all parties, and providing legal support for the international transfer of personal information.  United States legislative documents related to aspects of data protection and privacy were analyzed, namely: California Consumer Privacy Act (CCPA); Children’s Online Privacy Protection Act (COPPA); Health Insurance Portability and Accountability Act (HIPAA); State data breach notification laws.  It is noted that China has a comprehensive legal framework that regulates the protection of personal data, and includes the following legal acts: Personal Information Protection Law (PIPL) and Data Security Law (DSL).  Conclusions were made that the urgency and importance of protecting personal data in social networks is due to rapid technological progress, the growth of cyber security threats and the spread of these platforms. By protecting personal data, people can maintain privacy, prevent abuse, maintain user trust, reduce risk, and comply with legal obligations. The issue of ensuring mobility and interoperability in social networks gives particular importance to the protection of personal data, as it relates to this particular data, and not just to technology, as it may be in the telecommunications sector. This requires additional thought and measures to ensure privacy and data security. Therefore, whe",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.696,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.30970/vla.2024.78.190",
    "title": "АДМІНІСТРАТИВНО-ПРАВОВИЙ ОРГАНІЗАЦІЙНИЙ МЕХАНІЗМ ЗАХИСТУ ПЕРСОНАЛЬНИХ ДАНИХ В ЄС",
    "authors": [
      "Rostyslav Prystai"
    ],
    "date": "2024-06-20",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.30970/vla.2024.78.190",
    "pdfUrl": "",
    "doi": "10.30970/vla.2024.78.190",
    "abstract": "Today, personal data protection is one of the key areas of legal activity aimed to protect fundamental human rights and freedoms, including the right to privacy related to the processing of personal data. Within the European Union, a specific mechanism of legal regulation of personal information protection has been created and is actively functioning. Such mechanism consists of the system of legal acts that introduce and regulate the activities of the system of executive authorities of the European Union and its Member States, namely the organizational (institutional) mechanism for the protection of personal data. The institutional mechanism, since May 2018 (from the date when the General Data Protection Regulation – GDPR, entered into force), has proved to be highly effective, given the number of fines imposed in connection to violations of personal data protection legislation by controllers and processors and the environment created for the protection of the right to privacy (in terms of automated data processing and the creation of filing systems). In contrast, with the adoption of the EU-Ukraine Association Agreement, the personal data protection system in Ukraine has remained virtually unchanged and operates on the basis of legislation adopted before the entry into force of the new EU legislation in this area. However, in accordance with Article 15 of the Agreement, Ukraine undertook to ensure an adequate level of personal data protection in accordance with the highest European standards. Ten years after the adoption of the relevant commitment, the personal data protection legislation has not been improved. The result is the absence of a separate body to monitor compliance with personal data protection legislation, lack of coordination between the data subject and the data controller, and outdated regulations, including the conceptual framework of the Data Protection Law itself. Given the necessity and inevitability of changing the national legislation ",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.696,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.23939/ujit2021.02.051",
    "title": "Analysis of personal data protection methods according to ukrainian legislation and the GDPR",
    "authors": [
      "M. M. Shabatura",
      "R. O. Salashnyk"
    ],
    "date": "2021-11-23",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.23939/ujit2021.02.051",
    "pdfUrl": "",
    "doi": "10.23939/ujit2021.02.051",
    "abstract": "The problem of modern technologies rapid development is shown and characterized, which makes the issues of Internet users personal data protection very urgent. The current state of personal data protection in accordance with the requirements of Ukrainian legislation and the General Data Protection Regulation (GDPR) is analyzed. It is also determined which data belong to personal data and why they are subject to protection. According to Ukrainian Laws \"On Access to Public Information\", \"On Personal Data Protection \" and \"About information protection in information and telecommunication systems\" it was found the methods of personal data protection, peculiarities of processing information, storage, and transfer. Personal data is a kind of restricted access information so should be processed only in systems that have a comprehensive information security system possessing a certificate of conformity. Ukraine was one of the first countries, which introduce an electronic passport, so we considered the \"DIIA\" application. This application contains a huge database of personal data, that is why we investigate it and many interesting facts about the development are presented. The Code of Ukraine on Administrative Offenses and the Criminal Code of Ukraine for violation of requirements and non-compliance with the law on personal data protection in Ukraine are analyzed, penalties are also described. The requirements for personal data protection according to the European standard GDPR, namely, the procedure of pseudonymization, annihilation, encryption, etc. are given. A set of technical solutions and cybersecurity tools for implementing compliance with the GDPR standards is considered. In addition to technical solutions, important issues are security organization measures, these include staff training, adding privacy policies, proper organization of processes, providing access to personal data only to authorized employees. The penalty for violating the GDPR requirements h",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.696,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.15294/jllr.v6i3.10252",
    "title": "Personal Data Protection in Review of Legal Theories and Principles",
    "authors": [
      "Supeno Supeno",
      "Rosmidah Rosmidah",
      "Syed Mohd Uzair Iqbal"
    ],
    "date": "2025-07-31",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.15294/jllr.v6i3.10252",
    "pdfUrl": "",
    "doi": "10.15294/jllr.v6i3.10252",
    "abstract": "<jats:p>The abuse of personal data for certain interests and causing harm to other parties is often occur so that this raises concerns as a large community in conducting online transactions, in 2022 the President together with the Indonesian Parliament has enacted Law Number 27 of 2022 on Personal Data Protection (PDP) which aims to provide legal protection for the community against their personal data, this provides good hope to ward off various kinds of acts of misuse of personal data, the purpose of this study is to reveal the legal protection of customer data in online transactions after the legalization of personal data protection law seen from legal theory and how the personal data dispute resolution model is in line with the ultimum remidium principle. The type of research used is juridical-normative law using normative and theoretical approaches. The results showed that the protection of one’s privacy rights in online transactions is an embodiment of absolute right theory because the protection of privacy rights is a basic right that everyone must respect, the utilization of one’s privacy rights without the approval of the right owner is a violation of the law, the personal data dispute resolution model in the personal data protection law is not in following with the ultimum remidium principle, the personal data dispute by special organ with like such as the General Data Protection Regulation (GDPR) in the European Union, because it can resolve cross-border personal data cases.</jats:p>",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.696,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:1938",
    "title": "Anonymization of Faces",
    "authors": [
      "Hellmann, Fabio",
      "André, Elisabeth",
      "Benouis, Mohamed",
      "Buchner, Benedikt",
      "Mertes, Silvan"
    ],
    "date": "2024-05-31",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1007/s11623-024-1938-6",
    "pdfUrl": "",
    "doi": "10.1007/s11623-024-1938-6",
    "abstract": "<jats:title>Zusammenfassung</jats:title><jats:p>This paper explores face anonymization techniques in the context of the General Data Protection Regulation (GDPR) amidst growing privacy concerns due to the widespread use of personal data in machine learning. We focus on unstructured data, specifically facial data, and discuss two approaches to assessing re-identification risks: the risk-based approach supported by GDPR and the zero or strict approach. Emphasizing a process-oriented perspective, we argue that face anonymization should consider the overall data processing context, including the actors involved and the measures taken, to achieve legally secure anonymization under GDPR’s stringent requirements.</jats:p>",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.696,
    "venue": "",
    "language": "en"
  },
  {
    "id": "europepmc:PPR1077075",
    "title": "Balancing Transparency and Data Protection in Academic Publishing: The Case of Editorial Correspondence Disclosure on Preprint Servers",
    "authors": [
      "Liu Y."
    ],
    "date": "2025-09-01",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.20944/preprints202508.1193.v3",
    "pdfUrl": "https://doi.org/10.20944/preprints202508.1193.v3",
    "doi": "10.20944/preprints202508.1193.v3",
    "abstract": "The intersection of data protection regulations and academic transparency presents complex challenges for scholarly publishing platforms, particularly preprint servers operating under European Union General Data Protection Regulation (GDPR) and Swiss Federal Act on Data Protection (FADP). This article examines the tension between editorial transparency advocates' calls for open disclosure of peer review correspondence and legal requirements for third-party consent in data processing. Through analysis of current regulatory frameworks and publishing practices, we identify key conflicts between transparency principles and privacy protection in academic contexts. Our findings suggest that while data protection laws legitimately restrict unauthorized disclosure of identifying information about third parties, these regulations may inadvertently limit scholarly discourse and accountability mechanisms. We propose a framework for balancing competing interests that maintains legal compliance while preserving opportunities for constructive academic critique. The analysis reveals that current interpretations of data protection law may be overly restrictive in academic contexts where transparency serves legitimate scholarly purposes, suggesting need for clearer guidance on the boundaries between personal data protection and academic freedom.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.696,
    "venue": "",
    "language": "en"
  },
  {
    "id": "europepmc:40464900",
    "title": "[Legal aspects of copyright and data protection in the use of pathology images on social media].",
    "authors": [
      "Sieling C",
      "von Petersdorff-Campen MJ."
    ],
    "date": "2025-06-04",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1007/s00292-025-01430-0",
    "pdfUrl": "",
    "doi": "10.1007/s00292-025-01430-0",
    "abstract": "<h4>Background</h4>Because of digitalization in pathology, more and more patient images are being used outside of the patient file.<h4>Question</h4>What copyright and data protection aspects in the German legal area must be considered when using images from pathology on social media?<h4>Material and methods</h4>Research and analysis of the legal basis in German copyright and data protection law.<h4>Results</h4>German legislation provides clear guidelines regarding authorship and the rights to use images. The General Data Protection Regulation (GDPR) is particularly strict when it comes to handling health data. According to some voices, anonymization is not only difficult to implement in the age of digitalization and increasing networking and processing of data, but it is also unclear when exactly anonymization has taken place. However, one thing is certain: anonymized data do not fall under the GDPR.<h4>Conclusions</h4>When publishing images from pathology on social media, data protection law must be observed in particular, since the data in question are health data and thus personal data that are particularly worthy of protection. Without anonymization, it is necessary to obtain patient consent that complies with data protection regulations. Furthermore, copyright aspects must be considered for images from pathology as photographic works.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.696,
    "venue": "Pathologie (Heidelberg, Germany)",
    "language": "en"
  },
  {
    "id": "europepmc:40480182",
    "title": "Fast yet versatile machine unlearning for deep neural networks.",
    "authors": [
      "Chen K",
      "Zhang D",
      "Mi B",
      "Huang Y",
      "Li Z."
    ],
    "date": "2025-06-04",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1016/j.neunet.2025.107648",
    "pdfUrl": "",
    "doi": "10.1016/j.neunet.2025.107648",
    "abstract": "In response to the growing concerns regarding data privacy, many countries and organizations have implemented corresponding laws and regulations, such as the General Data Protection Regulation (GDPR), to safeguard users' data privacy. Among these, the Right to Be Forgotten holds particular significance, signifying the necessity for data to be forgotten from improper use. Recently, researchers have integrated the concept of the Right to Be Forgotten into the field of machine learning, focusing on the unlearning of data from machine learning models. However, existing studies either require additional storage for caching updates during the model training phase or are only applicable in specific forgotten scenarios. In this paper, we propose a versatile unlearning method that involves unlearning data by fine-tuning the model until the distribution of the model's prediction for the forgotten data matches those for unseen third-party data. Importantly, our method does not require additional storage for caching model updates, and it can be applied across different forgotten scenarios. Experimental results demonstrate the efficacy of our method in unlearning backdoor triggers, entire classes of training data, and subsets of training data.",
    "topics": [
      "gdpr_compliance",
      "llm_privacy_attacks"
    ],
    "painPointTracks": [
      "AI Training PII",
      "Enforcement"
    ],
    "relevanceScore": 0.696,
    "venue": "Neural networks : the official journal of the International Neural Network Society",
    "language": "en"
  },
  {
    "id": "openaire:10.3233/shti200177",
    "title": "MQT-TZ: Secure MQTT Broker for Biomedical Signal Processing on the Edge",
    "authors": [
      "Segarra, Carlos",
      "Delgado-Gonzalo, Ricard",
      "Schiavoni, Valerio"
    ],
    "date": "2020-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.3233/shti200177",
    "pdfUrl": "http://arxiv.org/pdf/2007.01555",
    "doi": "10.3233/shti200177",
    "abstract": "Physical health records belong to healthcare providers, but the information contained within belongs to each patient. In an increasing manner, more health-related data is being acquired by wearables and other IoT devices following the ever-increasing trend of the \"Quantified Self\". Even though data protection regulations (e.g., GDPR) encourage the usage of privacy-preserving processing techniques, most of the current IoT infrastructure was not originally conceived for such purposes. One of the most used communication protocols, MQTT, is a lightweight publish-subscribe protocol commonly used in the Edge and IoT applications. In MQTT, the broker must process data on clear text, hence exposing a large attack surface for a malicious agent to steal/tamper with this health-related data. In this paper, we introduce MQT-TZ, a secure MQTT broker leveraging Arm TrustZone, a popular Trusted Execution Environment (TEE). We define a mutual TLS-based handshake and a two-layer encryption for end-to-end security using the TEE as a trusted proxy. We provide quantitative evaluation of our open-source PoC on streaming ECGs in real time and highlight the trade-offs.",
    "topics": [
      "privacy_engineering",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.696,
    "venue": "Studies in health technology and informatics",
    "language": "en"
  },
  {
    "id": "doaj:1c8b16f1edf749cab4427bf6e20dcb9e",
    "title": "Data Protection and Religious Freedom in the EU in the Context of the Catholic Church in Poland",
    "authors": [
      "Piotr Kroczek"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://www.mdpi.com/2077-1444/16/3/364",
    "pdfUrl": "",
    "doi": "10.3390/rel16030364",
    "abstract": "The protection of personal data and religious freedom represent two fundamental rights that can be potentially in conflict in the European Union legal framework. The purpose of this paper is to critically analyze Articles 91 and 17 of the General Data Protection Regulation (GDPR 2016) in order to examine their implications for the exercise of religious freedom in both the personal and the institutional realms. The research employs a comprehensive legal analysis, examining potential interpretations of the articles in the context of the Catholic Church and of Poland. The findings suggest that while Article 91 introduces data protection requirements for religious associations, it does not inherently threaten religious freedom. However, the study highlights significant risks arising from potential misinterpretations of Article 91, particularly regarding the concepts of “comprehensive rules” and “brought into line with” GDPR standards. The same applies to Article 17 and the “right to be forgotten”, whose absolute application can interfere with freedom of religion. The research concludes that careful, nuanced interpretation of the GDPR is crucial to maintaining both personal data protection and religious freedom. The paper ultimately argues that the articles of the GDPR can be understood as a mechanism for safeguarding religious freedom rather than constraining it, provided it is applied regarding the diverse doctrinal principles of different religious organizations.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.696,
    "venue": "Religions",
    "language": "en"
  },
  {
    "id": "doaj:100c6731832b4b0089113606ac0aa01c",
    "title": "PPNNBP: A Third Party Privacy-Preserving Neural Network With Back-Propagation Learning",
    "authors": [
      "Nawal Almutairi",
      "Frans Coenen",
      "Keith Dures"
    ],
    "date": "2023",
    "platform": "doaj",
    "sourceUrl": "https://ieeexplore.ieee.org/document/10086504/",
    "pdfUrl": "",
    "doi": "10.1109/access.2023.3263114",
    "abstract": "With the advances in machine learning techniques and the potency of cloud computing there is an increasing adoption of third party cloud services for outsourcing training and prediction of machine learning models. Although cloud-hosted machine learning services enable more efficient storage and computation of data, privacy concerns and data sovereignty issues remain a major challenge. Privacy-preserving machine learning provides a promising solution. In this paper, a privacy-preserving neural network generation and utilization framework is presented, the PPNNBP framework. PPNNBP allows model training and prediction to be securely delegated to a third party with minimal data owner participation once the input data have been encrypted without recourse to secret sharing or multiple party setting. This is achieved using a proposed fully homomorphic encryption scheme, the Modified Liu Scheme (MLS), that permits certain operations over cyphertexts and features order preservation. The PPNNBP framework using MLS addresses the challenge of computational complexity of model learning using existing schemes; a complexity caused by the increasing size of cyphertexts (cyphertext inflation) and the quantity of noise introduced into cyphertexts through the application of multiplication operations, as learning progresses. Both the PPNNBP framework and MLS are fully described and analysed. The reported evaluation demonstrates that the PPNNBP framework achieves accuracy that is comparable to that obtained using a “standard” framework, whilst at the same time operating in a secure manner with minimal data owner participation.",
    "topics": [
      "privacy_engineering",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Solutions Market",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.696,
    "venue": "IEEE Access",
    "language": "en"
  },
  {
    "id": "hal:2553848",
    "title": "A Contrastive Study of Pre- and Post-legislation Interaction Design for Communication and Action About Personal Data Protection in e-Commerce Websites",
    "authors": [
      "Clarisse Souza"
    ],
    "date": "2019-09-02",
    "platform": "hal",
    "sourceUrl": "https://inria.hal.science/hal-02553848v1",
    "pdfUrl": "https://inria.hal.science/hal-02553848/document",
    "doi": "10.1007/978-3-030-29387-1_1",
    "abstract": "The European General Data Protection Regulation (GDPR) has had a major impact on data collection and processing practices. It has also challenged interaction design aiming to support the effectiveness of data owners’ rights, their informed decisions, and their actions regarding how personal information is used by companies, governments, and others. Similar legislation has been issued in various non-European countries, which means that, in this respect, the HCI community has an important role to play for users all over the world. This paper presents the conclusions of a contrastive study with four major e-commerce websites in Portugal, where data protection law has been effective since 2018, and four analogs in Brazil, where the national Data Protection Law (DPL) has been sanctioned but will only be effective in 2020. The purpose of the study is to examine the pre-legislation to post-legislation evolution in the design of interaction for communication and action about personal data protection matters, so as to anticipate some of the threats and opportunities ahead of us. Using concepts and elements of Semiotic Engineering methods and techniques, we found that, within the scope of this study, GDPR seems to have had little impact on what European users can do and experience online, compared to pre-DPL Brazilian users. We discuss some of the possible reasons for this and conclude with thoughts on the role of interaction design in empowering data owners for this new regulation era.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.696,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1007/978-3-031-69651-0_16",
    "title": "Synthetic Data Outliers: Navigating Identity Disclosure",
    "authors": [
      "Carolina Trindade",
      "Luís Antunes",
      "Tânia Carvalho",
      "Nuno Moniz"
    ],
    "date": "2024-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1007/978-3-031-69651-0_16",
    "pdfUrl": "",
    "doi": "10.1007/978-3-031-69651-0_16",
    "abstract": "Multiple synthetic data generation models have emerged, among which deep learning models have become the vanguard due to their ability to capture the underlying characteristics of the original data. However, the resemblance of the synthetic to the original data raises important questions on the protection of individuals' privacy. As synthetic data is perceived as a means to fully protect personal information, most current related work disregards the impact of re-identification risk. In particular, limited attention has been given to exploring outliers, despite their privacy relevance. In this work, we analyze the privacy of synthetic data w.r.t the outliers. Our main findings suggest that outliers re-identification via linkage attack is feasible and easily achieved. Furthermore, additional safeguards such as differential privacy can prevent re-identification, albeit at the expense of the data utility.",
    "topics": [
      "data_anonymization",
      "linkability_tracking"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Re-identification"
    ],
    "relevanceScore": 0.696,
    "venue": "",
    "language": "en"
  },
  {
    "id": "s2:8ef447dd2eb8d18f8b56b0cb770cf17afafff212",
    "title": "RE-DACT: Adaptive Redaction and Anonymization Tool Using Machine-Learning",
    "authors": [
      "Kishore Kumar I",
      "Hepsi Ajibah A S"
    ],
    "date": "2024-12-12",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/8ef447dd2eb8d18f8b56b0cb770cf17afafff212",
    "pdfUrl": "http://xplorestaging.ieee.org/ielx8/10865981/10865809/10866838.pdf?arnumber=10866838",
    "doi": "10.1109/ICUIS64676.2024.10866838",
    "abstract": "“RE-DACT” is a safe and user-friendly redaction tool for customizable redaction, masking, and anonymization using a user-defined gradational scale. With the help of NLP and ML, the tool gives users the opportunity to specify data elements that are going to be redacted, ranging from simple name removal and more complex anonymization techniques to the generation of fully synthetic data, all while keeping the structure of the content unchanged. This tool is usable both online and offline in its web-based interface and takes into account the common input formats for text files, images, as well as PDFs. Over time, RE-DACT learns to make realistic synthetic datasets suitable for training, testing, as well as commercial applications without compromising privacy. It therefore holds robust data security with the minimum retention of data and prevents unauthorized access to sensitive information. The secure coding and scalable solutions support real-world applications. Performance is measured in terms of precision, recall, F1 score, redaction efficacy, speed, and ease of use. “The tool incorporates anonymization techniques, such as k-anonymity and synthetic data generation, to ensure privacy. It makes use of advanced encryption methods and ensures safe placeholders to guard sensitive information from unauthorized access.”",
    "topics": [
      "data_anonymization",
      "enterprise_privacy_ops"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.696,
    "venue": "2024 4th International Conference on Ubiquitous Computing and Intelligent Information Systems (ICUIS)",
    "language": "en"
  },
  {
    "id": "s2:420ba1dd396ba0eec759414fce52057b5fc7659d",
    "title": "Ensuring Privacy in the Labour Market: Towards Full Compliance with LGPD and GDPR",
    "authors": [
      "H. Silva",
      "Aldrey Pedrazoli",
      "Sergio Nascimento",
      "Regina Moraes"
    ],
    "date": "2025-04-24",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/420ba1dd396ba0eec759414fce52057b5fc7659d",
    "pdfUrl": "",
    "doi": "10.1109/ISDFS65363.2025.11012121",
    "abstract": "The right to privacy of sensitive personal data and control over its use and sharing have been central to regulations worldwide. In Brazil, the General Data Protection Law (LGPD), in effect since 2020, mandates strict adherence to security and privacy protocols. To prevent identity theft, financial fraud, and cybercrime, as well as to ensure confidentiality, techniques such as anonymization and pseudonymization are strongly recommended. The PRIVAaaS framework, focused on these techniques, was integrated with the General Risk Assessment to offer a systematic approach to assessing and mitigating re-identification and privacy leakage risks. With this integration it was possible to implement effective data privacy measures, evaluate identifiable information and attribute sensitivity, as well as make data correlations. This combined approach supports decisions about data sharing and disclosure while ensuring compliance with privacy regulations. As a case study, two real government microdata databases were utilized, which are crucial for economic decision-making, job flow analysis, and the formulation of business policies for organizations that support worker social assistance. Overall, this Practical Experience Report aims to report the results of solutions to protect individual privacy and meet legal requirements through a real case study.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.696,
    "venue": "International Symposium on Digital Forensics and Security",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::16957912b550bee4c1f3ec62996f231f",
    "title": "EVALUATING THE SECURITY AND PRIVACY IMPLICATIONS OF USING BIOMETRIC DATA FOR AUTHENTICATION",
    "authors": [
      "Adedayo-Ajayi, Victoria Oluwaseyi"
    ],
    "date": "2025-12-11",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.5281/zenodo.17889995",
    "pdfUrl": "",
    "doi": "10.5281/zenodo.17889995",
    "abstract": "The increasing adoption of biometric data for authentication in various domains has revolutionized identity verification systems by offering enhanced security, efficiency, and user convenience. Biometric authentication, leveraging unique physical and behavioral traits such as fingerprints, facial recognition, and iris patterns, has become a preferred alternative to traditional password-based systems. However, its implementation raises critical concerns regarding the security and privacy of sensitive biometric information. Unlike passwords, compromised biometric data cannot be reset, posing significant challenges in protecting individuals' identities. This study evaluates the security vulnerabilities inherent in biometric systems, including spoofing attacks, database breaches, and template aging. It also examines the privacy implications of biometric data collection, storage, and potential misuse, emphasizing the importance of transparent data management practices. Furthermore, the research assesses existing regulatory frameworks such as the GDPR and Biometric Information Privacy Act (BIPA), highlighting gaps in global standards for biometric data protection. Through a comprehensive analysis of biometric modalities and their implications, this study identifies key challenges and proposes technological advancements and policy recommendations to enhance the security and privacy of biometric systems. By addressing these concerns, the research aims to support the development of more secure and privacy-conscious biometric technologies, balancing innovation with ethical and legal considerations.",
    "topics": [
      "biometric_surveillance",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement"
    ],
    "relevanceScore": 0.696,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:2666-3570(202451)5:2;1-Z",
    "title": "A Facial Recognition Panopticon on Border and Migration Controls: Can Privacy and Data Protection Survive?",
    "authors": [
      "Maria Avramidou",
      "Lorenzo Gugliotta",
      "Maja Nišević"
    ],
    "date": "2024-05-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.54648/gplr2024009",
    "pdfUrl": "",
    "doi": "10.54648/gplr2024009",
    "abstract": "<jats:p><jats:italic>As technology permeates various aspects of individual and societal life, automated surveillance systems, particularly those employing facial recognition technology (FRT), have become a reality. This is particularly evident in border and migration controls, where such systems are increasingly utilized to address migration challenges and enhance security at European Union (EU) borders. The EU legal framework, including provisions in the EU Charter of Fundamental Rights and the Treaty on the Functioning of the EU (TFEU), plays a pivotal role in safeguarding personal data. The General Data Protection Regulation (GDPR), as a critical data protection law in the EU, holds significance in this regard. This article delves into the role of automated surveillance systems and FRT, exploring specific use cases at airport border controls. However, its primary focus is to identify and assess essential privacy and data protection concerns arising from the increasing deployment of FRT.</jats:italic></jats:p>",
    "topics": [
      "gdpr_compliance",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement"
    ],
    "relevanceScore": 0.696,
    "venue": "Global Privacy Law Review",
    "language": "en"
  },
  {
    "id": "openaire:10.34190/ejel.23.1.3896",
    "title": "Beyond Face Recognition: A Multi-Layered Approach to Academic Integrity in Online Exams",
    "authors": [
      "Aivar Sakhipov",
      "Islam Omirzak",
      "Alexey Fedenko"
    ],
    "date": "2025-02-25",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.34190/ejel.23.1.3896",
    "pdfUrl": "",
    "doi": "10.34190/ejel.23.1.3896",
    "abstract": "<jats:p>Ensuring academic integrity in online assessments is crucial for upholding fairness and credibility, especially with the widespread adoption of remote learning. This research addresses key vulnerabilities in preventing cheating and unauthorized collaboration, common in online assessments lacking direct supervision. To address these challenges, an intelligent proctoring system was developed and tested on BlockchainStudy.kz — an educational platform that offers online courses and issues blockchain-based certificates. This system establishes a controlled examination environment through facial recognition, user activity monitoring, and browser behavior tracking, effectively deterring dishonest practices. The study adopted a phased methodology, starting with pilot testing for feasibility, followed by large-scale deployment to assess scalability and effectiveness. The approach combines machine learning-based facial recognition for identity verification, user action logging, and browser monitoring to detect suspicious behaviors indicative of academic dishonesty. Findings demonstrated a marked decrease in cheating incidents, enhanced examination credibility, and improved perceptions of fairness among both students and instructors. By encouraging accountability, the system fostered a culture of honesty within the online education environment. Ethical concerns regarding privacy were addressed through robust safeguards in compliance with General Data Protection Regulation (GDPR), building student trust in the proctoring system. This research contributes to the field of e-learning by providing a scalable, effective solution for maintaining academic integrity in online assessments. It facilitates informed decision-making for educators, reduces dishonest behavior, and promotes a culture of integrity within digital education. \nOverall, this work enriches the body of e-learning knowledge by presenting a practical, adaptable strategy for overcoming the complex challenges of a",
    "topics": [
      "biometric_surveillance",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement"
    ],
    "relevanceScore": 0.696,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.71097/ijsat.v16.i2.5091",
    "title": "Photo Retrieval System based on Face Recognition with Cloud Integration",
    "authors": [
      "Kritika Patidar",
      "Kaushal Rathore",
      "Divya Kumawat",
      "Mandakini Ingle",
      "Gajendra Singh Rajput"
    ],
    "date": "2025-06-15",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.71097/ijsat.v16.i2.5091",
    "pdfUrl": "",
    "doi": "10.71097/ijsat.v16.i2.5091",
    "abstract": "<jats:p>Event photography is the process of capturing images of personal or public event in order to preserve memories. Using AI and cloud storage, this study streamline and accelerate the process of locating, sharing, and managing event photographs in real-time. Without need of manual sorting, users can easily retrieve their photos, due to online storage, QR code login, and facial recognition technology. In this paper we have implemented FaceNet AI model to locate attendees’ photos without going through numerous images. Our model has achieved 90% accuracy for single-face recognition and average 78% accuracy in group photos, where lighting and varied angles impacted performance. We have used AWS S3 provides scalable cloud storage for event images, while PostgreSQL securely manages user data and photo metadata. This research project focuses on implementing the use of access control measure, and regulations such as General Data Protection Regulation (GDPR), to safeguard user information’s it uses QR code-based authentication to ensure authorized access to images. Furthermore, it proposes strategies for enhancing the system’s balance and dependability. This technology uses AI, cloud storage, and real-time image processing to make event photography easier for both attendees and professional photographers. Events are made more memorable by automating the photo-finding process and enhancing user experience and security.</jats:p>",
    "topics": [
      "biometric_surveillance",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement"
    ],
    "relevanceScore": 0.696,
    "venue": "International Journal for Sciences and Technology",
    "language": "en"
  },
  {
    "id": "doaj:9301b2b608bd468aaf13d46413309009",
    "title": "Efficient face information encryption and verification scheme based on full homomorphic encryption",
    "authors": [
      "Yijia Chen",
      "Fei Duan",
      "Yuhui Zhao",
      "Tailin Han",
      "Jun Hu",
      "Xuan Liu",
      "Jialin Chen",
      "Dong Bai"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://doi.org/10.1038/s41598-025-95383-2",
    "pdfUrl": "",
    "doi": "10.1038/s41598-025-95383-2",
    "abstract": "Emerging global privacy mandates enforce strict requirements for biometric data protection, requiring encrypted processing throughout storage and computation phases. While full homomorphic encryption (FHE)-based face recognition ensures security on platforms like Elastic Compute Service (ECS), three critical compliance gaps persist: 1) about 500× ciphertext expansion in high-dimensional facial features, exceeding practical deployment thresholds, 2) vulnerabilities in live verification scenarios documented by ENISA (83% failure rate in 2024 audits), and 3) absence of mechanisms satisfying IND-CPA and IND-CCA2 standards. These limitations collectively undermine both regulatory adherence and operational efficiency in practical biometric systems. To address these gaps, this paper proposes a Hybrid Encryption with Facial Data Integrity Verification (HEFDIVS) scheme, which combines dimensionality reduction and hybrid encryption algorithms. Specifically, the scheme first realizes facial feature similarity calculation in the ciphertext domain without decryption. Then, the ISOMAP algorithm is applied to reduce the dimensionality of the facial data, thus alleviating the computational complexity in the ciphertext domain. Finally, based on FHE, a hybrid encryption algorithm combining SM2 and SM4 is introduced to enhance the security of the scheme. Experimental validation on the LFW and Faces94 datasets demonstrates mean recognition accuracy rates of 95.45% and 96.98% respectively, with 89% faster ciphertext computation time (0.028s) compared to pure FHE implementations in the ciphertext domain. The proposed scheme surpasses existing methods in accuracy-efficiency tradeoff while complying with IND-CPA (NIST SP 800-57) and IND-CCA2 (ISO 19772) security standards through hybrid SM2-SM4 authentication mechanisms.",
    "topics": [
      "privacy_engineering",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Solutions Market"
    ],
    "relevanceScore": 0.696,
    "venue": "Scientific Reports",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4233635718",
    "title": "The Right to Explanation, Explained",
    "authors": [
      "Margot E. Kaminski"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.31228/osf.io/rgeus",
    "pdfUrl": "https://doi.org/10.2139/ssrn.3196985",
    "doi": "https://doi.org/10.31228/osf.io/rgeus",
    "abstract": "Many have called for algorithmic accountability: laws governing decision-making by complex algorithms, or AI. The EU’s General Data Protection Regulation (GDPR) now establishes exactly this. The recent debate over the right to explanation (a right to information about individual decisions made by algorithms) has obscured the significant algorithmic accountability regime established by the GDPR. The GDPR’s provisions on algorithmic accountability, which include a right to explanation, have the potential to be broader, stronger, and deeper than the preceding requirements of the Data Protection Directive. This Essay clarifies, largely for a U.S. audience, what the GDPR actually requires, incorporating recently released authoritative guidelines.",
    "topics": [
      "power_knowledge_asymmetry",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.696,
    "venue": "SSRN Electronic Journal",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3123831349",
    "title": "\"The Right to Explanation, Explained\"",
    "authors": [
      "Margot E. Kaminski"
    ],
    "date": "2019",
    "platform": "OpenAlex",
    "sourceUrl": "https://scholar.law.colorado.edu/cgi/viewcontent.cgi?article=2335&context=articles",
    "pdfUrl": "https://doi.org/10.15779/z38td9n83h",
    "doi": "https://doi.org/10.15779/z38td9n83h",
    "abstract": "Many have called for algorithmic accountability: laws governing decision-making by complex algorithms, or AI. The EU’s General Data Protection Regulation (GDPR) now establishes exactly this. The recent debate over the right to explanation (a right to information about individual decisions made by algorithms) has obscured the significant algorithmic accountability regime established by the GDPR. The GDPR’s provisions on algorithmic accountability, which include a right to explanation, have the potential to be broader, stronger, and deeper than the preceding requirements of the Data Protection Directive. This Essay clarifies, largely for a U.S. audience, what the GDPR actually requires, incorporating recently released authoritative guidelines.",
    "topics": [
      "power_knowledge_asymmetry",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.696,
    "venue": "Berkeley technology law journal",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3124892530",
    "title": "A Right to Reasonable Inferences",
    "authors": [
      "Sandra Wachter",
      "Brent Mittelstadt"
    ],
    "date": "2019",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.7916/cblr.v2019i2.3424",
    "pdfUrl": "https://doi.org/10.7916/cblr.v2019i2.3424",
    "doi": "https://doi.org/10.7916/cblr.v2019i2.3424",
    "abstract": "Big Data analytics and artificial intelligence (AI) draw non-intuitive and unverifiable inferences and predictions about the behaviors, preferences, and private lives of individuals. These inferences draw on highly diverse and feature-rich data of unpredictable value, and create new opportunities for discriminatory, biased, and invasive decision-making. Data protection law is meant to protect people’s privacy, identity, reputation, and autonomy, but is currently failing to protect data subjects from the novel risks of inferential analytics. The legal status of inferences is heavily disputed in legal scholarship, and marked by inconsistencies and contradictions within and between the views of the Article 29 Working Party and the European Court of Justice (ECJ). This Article shows that individuals are granted little control or oversight over how their personal data is used to draw inferences about them. Compared to other types of personal data, inferences are effectively “economy class” personal data in the General Data Protection Regulation (GDPR). Data subjects’ rights to know about (Articles 13–15), rectify (Article 16), delete (Article 17), object to (Article 21), or port (Article 20) personal data are significantly curtailed for inferences. The GDPR also provides insufficient protection against sensitive inferences (Article 9) or remedies to challenge inferences or important decisions based on them (Article 22(3)). This situation is not accidental. In standing jurisprudence the ECJ has consistently restricted the remit of data protection law to assessing the legitimacy of input personal data undergoing processing, and to rectify, block, or erase it. Critically, the ECJ has likewise made clear that data protection law is not intended to ensure the accuracy of decisions and decision-making processes involving personal data, or to make these processes fully transparent. Current policy proposals addressing privacy protection (the ePrivacy Regulation and the EU Digital Content Directive) and Europe’s new Copyright Directive and Trade Secrets Directive also fail to close the GDPR’s accountability gaps concerning inferences. This Article argues that a new data protection right, the “right to reasonable inferences,” is needed to help close the accountability gap currently posed by “high risk inferences,” meaning inferences drawn from Big Data analytics that damage privacy or reputation, or have low verifiability in the sense of being predictive or opinion-based while being used in important decisions. This right would require ex-ante justification to be given by the data controller to establish whether an inference is reasonable. This disclosure would address (1) why certain data form a normatively acceptable basis from which to draw inferences; (2) why these inferences are relevant and normatively acceptable for the chosen processing purpose or type of automated decision; and (3) whether the data and methods used to draw the inferences are accurate and statistically reliable. The ex-ante justification is bolstered by an additional ex-post mechanism enabling unreasonable inferences to be challenged.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.696,
    "venue": "Columbia Academic Commons (Columbia University)",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4394918816",
    "title": "Article: Sustainable AI Regulation",
    "authors": [
      "Philipp Hacker"
    ],
    "date": "2024",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.54648/cola2024025",
    "pdfUrl": "",
    "doi": "https://doi.org/10.54648/cola2024025",
    "abstract": "This article addresses a critical gap in the current AI regulatory discourse by focusing on the environmental sustainability of AI and technology more broadly, a topic often overlooked both in environmental law and in technology regulation, such as the General Data Protection Regulation (GDPR) or the EU AI Act. Recognizing AI’s significant impact on climate change and its substantial water consumption, especially in large generative models like ChatGPT, GPT-4, or Gemini, the article aims to integrate sustainability considerations into technology regulation, in three steps. First, while current EU environmental law does not directly address these issues, there is potential to reinterpret existing legislation, such as the GDPR, to support sustainability goals. Counterintuitively, the article argues that this also implies the need to balance individual rights, such as the right to erasure, with collective environmental interests. Second, based on an analysis of current law, and the proposed EU AI Act, the article suggests a suite of policy measures to align AI and technology regulation with environmental sustainability. They extend beyond mere transparency mechanisms, such as disclosing greenhouse gas footprints, to include a mix of strategies like co-regulation, sustainability by design, restrictions on training data, and consumption caps, potentially integrating AI and technology more broadly into the EU emissions trading regime. Third, this regulatory toolkit could serve as a blueprint for other technologies with high environmental impacts, such as blockchain and metaverse applications. The aim is to establish a comprehensive framework that addresses the dual fundamental societal transformations of digitization and climate change mitigation. Keywords: AI regulation, environmental sustainability, GDPR, EU AI Act, sustainability goals",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.696,
    "venue": "Common Market Law Review",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3013343379",
    "title": "The EU-US Privacy Shield Regime for Cross-Border Transfers of Personal Data under the GDPR",
    "authors": [
      "Timo Minssen",
      "C. Seitz",
      "Mateo Aboy",
      "Marcelo Corrales Compagnucci"
    ],
    "date": "2020",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.21552/eplr/2020/1/6",
    "pdfUrl": "",
    "doi": "https://doi.org/10.21552/eplr/2020/1/6",
    "abstract": "Cloud-based technologies, big data, statistical signal processing algorithms, and Artificial Intelligence (AI) technologies are expected to play an increasingly important role in the medical field. Big data and AI-technologies rely on the cloud for data storage as well as for computational power and thus need effective and robust legal frameworks for international data transfer. Because of inconsistent data protection regulations, this is not always simple to achieve as it can be illustrated in the United States (US)–European Union (EU) context. Due to the lack of general data protection law at the federal level, the US currently does not have a general ‘adequacy decision’ from the European Commission (EC) to enable EU-US cross-border data transfers without the need for additional data protection safeguards under GDPR. As a fallback, a ‘limited adequacy’ decision was adopted in 2016 on the so-called ‘EU/US Privacy Shield Framework’. This framework protects the fundamental rights of natural persons in the EU and allows the free transfer of personal data to companies that are certified under the EU-US Privacy Shield. However, the EU-US Privacy Shield has been recently contested at the Court of Justice of the European Union (CJEU). This paper analyzes the EU-US Privacy Shield Framework, the associated legal challenges, and how these might affect organizations deploying or implementing cloud-based medical technologies relying on cross-border data transfers from EU data subjects.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.696,
    "venue": "European Pharmaceutical Law Review",
    "language": "en"
  },
  {
    "id": "s2:9e1285d59609350650a06e892d79ed6328d02034",
    "title": "Adanonymizer: Interactively Navigating and Balancing the Duality of Privacy and Output Performance in Human-LLM Interaction",
    "authors": [
      "Shuning Zhang",
      "Xin Yi",
      "Haobin Xing",
      "Lyumanshan Ye",
      "Y. Hu",
      "Hewu Li"
    ],
    "date": "2024-10-19",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/9e1285d59609350650a06e892d79ed6328d02034",
    "pdfUrl": "",
    "doi": "10.48550/arXiv.2410.15044",
    "abstract": "Current Large Language Models (LLMs) cannot support users to precisely balance privacy protection and output performance during individual consultations. We introduce Adanonymizer, an anonymization plug-in that allows users to control this balance by navigating a trade-off curve. A survey (N=221) revealed a privacy paradox, where users frequently disclosed sensitive information despite acknowledging privacy risks. The study further demonstrated that privacy risks were not significantly correlated with model output performance, highlighting the potential to navigate this trade-off. Adanonymizer normalizes privacy and utility ratings by type and automates the pseudonymization of sensitive terms based on user preferences, significantly reducing user effort. Its 2D color palette interface visualizes the privacy-utility trade-off, allowing users to adjust the balance by manipulating a point. An evaluation (N=36) compared Adanonymizer with ablation methods and differential privacy techniques, where Adanonymizer significantly reduced modification time, achieved better perceived model performance and overall user preference.",
    "topics": [
      "data_anonymization",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.696,
    "venue": "arXiv.org",
    "language": "en"
  },
  {
    "id": "s2:0e3f71b29db7365e9700189b33ca3bd47fd28080",
    "title": "Ensuring privacy of data in Machine Learning",
    "authors": [
      "Reshmi T",
      "Sumesh Divakaran"
    ],
    "date": "2024-05-16",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/0e3f71b29db7365e9700189b33ca3bd47fd28080",
    "pdfUrl": "",
    "doi": "10.1109/RAICS61201.2024.10689750",
    "abstract": "Machine Learning is one of the most popular advancements in technology which is being widely used in various domains, including healthcare, avionics, automotive, business, education, etc. A Machine learning approach works by learning the required knowledge from the data to be supplied by a client system. In a typical scenario, a client entrusts a third-party agency to develop a machine learning application and shares the data to the developer to enable the development of a Machine learning application. This is badly affecting the privacy of data as a third-party is getting access to sensitive data from a client system. Therefore, an effective data encoding technique is required to ensure the privacy of sensitive data while enabling a third-party agency to develop a Machine learning application on the encoded data. Existing data masking/encoding techniques such as pseudonymization, anonymization and substitution are badly affecting the machine learning process as the modification they do for masking data is preventing a machine learning approach to learn the required knowledge. Another approach known in the literature is Fully Homomorphic Encryption. But, there is no tool available based on this technique which enables a client system to mask sensitive data before giving it to a third-party Machine Learning developer. We failed to obtain the expected outcome from an off-the-shelf Machine Learning classifier when we tried to classify a benchmark dataset masked using an available implementation of Fully Homomorphic Encryption. Since enough details about the implementation is not available, we could not find and fix the issues which is causing this problem. We propose a technique based on which we implemented a tool which provides an easy-to-use Graphical User Interface enabling the client to mask sensitive data before giving it to a third-party agency for developing a Machine Learning Application. Our tool enables a client to mask sensitive data through few mouse clicks. We mask sensitive data by applying a modified version of the RSA encryption system. We have applied our tool on three benchmark datasets and applied an off-the-shelf Machine Learning classifier on the datasets masked by our tool and found that the results obtained on the masked datasets are as good as the results obtained on the unmasked datasets.",
    "topics": [
      "data_anonymization",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.696,
    "venue": "IEEE Recent Advances in Intelligent Computational Systems",
    "language": "en"
  },
  {
    "id": "s2:13a1740557ecb33685deaeff8c58d131a990442f",
    "title": "Anonymity-washing",
    "authors": [
      "Szilvia Lestyán",
      "William Letrône",
      "Ludovica Robustelli",
      "Gergely Biczók"
    ],
    "date": "2025-05-24",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/13a1740557ecb33685deaeff8c58d131a990442f",
    "pdfUrl": "",
    "doi": "10.48550/arXiv.2505.18627",
    "abstract": "Anonymization is a foundational principle of data privacy regulation, yet its practical application remains riddled with ambiguity and inconsistency. This paper introduces the concept of anonymity-washing — the misrepresentation of the anonymity level of “sanitized” personal data — as a critical privacy concern. While both legal and technical critiques of anonymization exist, they tend to address isolated aspects of the problem. In contrast, this paper offers a comprehensive overview of the conditions that enable anonymity-washing. It synthesizes fragmented legal interpretations, technical misunderstandings, and outdated regulatory guidance and complements them with a systematic review of national and international resources, including legal cases, data protection authority guidelines, and technical documentation. Our findings reveal a lack of coherent support for practitioners, contributing to the persistent misuse of pseudonymization and obsolete anonymization techniques. We conclude by recommending targeted education, clearer technical guidance, and closer cooperation between regulators, researchers, and industry to bridge the gap between legal norms and technical reality.",
    "topics": [
      "data_anonymization",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Sector Regulations"
    ],
    "relevanceScore": 0.696,
    "venue": "Annual Privacy Forum",
    "language": "en"
  },
  {
    "id": "s2:e670380b02489b82bc706b019e534e1a196ad498",
    "title": "A Privacy-Preserving and Redactable Healthcare Blockchain System",
    "authors": [
      "Shengmin Xu",
      "Jianting Ning",
      "Xiaoguo Li",
      "Jiaming Yuan",
      "Xinyi Huang",
      "Robert H. Deng"
    ],
    "date": "2024-03-01",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/e670380b02489b82bc706b019e534e1a196ad498",
    "pdfUrl": "",
    "doi": "10.1109/TSC.2024.3356595",
    "abstract": "Blockchain as an open and immutable ledger is being posited as the next frontier in healthcare that will help solve the industry's interoperability challenges. However, immutability in processing personal data is no longer legal since the General Data Protection Regulation (GDPR) requires the “right to be forgotten” as a critical data subject right. To observe such data regulation, it is desirable to build a healthcare blockchain with data redaction in a controlled way. Moreover, electronic health records (EHRs) usually are sensitive and the conventional blockchain lacks systematic and formal security analysis of data confidentiality, especially in the multi-user setting. Furthermore, EHRs are typically helpful in medical research for predicting epidemic diseases and valuable in insurance agencies making business plans. Hence, in healthcare blockchain systems, data confidentiality and flexible key distribution have become the most challenging issues that should be urgently resolved. In this article, we propose a privacy-preserving and redactable healthcare blockchain system (PRHBS). Our solution offers fine-grained block-level data reduction and secure data sharing with flexible key distribution mechanisms. We give the formal definition and security models of PRHBS, and propose a generic construction based on trapdoor-based chameleon-hash function, attribute-based encryption, and puncturable encryption. We present formal security analysis and give an instantiation based on our proposed generic construction. The comprehensive comparison and experimental simulation demonstrate that our implementation exhibits comparable performance, while surpassing the most relevant solutions in terms of functionality.",
    "topics": [
      "gdpr_compliance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.696,
    "venue": "IEEE Transactions on Services Computing",
    "language": "en"
  },
  {
    "id": "s2:1fbaebfedff12f48a7a37f2d7d8a2f3c2a434182",
    "title": "SynBench: A Benchmark for Differentially Private Text Generation",
    "authors": [
      "Yidan Sun",
      "Viktor Schlegel",
      "Srinivasan Nandakumar",
      "Iqra Zahid",
      "Yuping Wu",
      "Yulong Wu",
      "Hao Li",
      "Jie Zhang",
      "Warren Del-Pinto",
      "Goran Nenadic",
      "Siew-Kei Lam",
      "Anil A. Bharath"
    ],
    "date": "2025-09-18",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/1fbaebfedff12f48a7a37f2d7d8a2f3c2a434182",
    "pdfUrl": "",
    "doi": "10.48550/arXiv.2509.14594",
    "abstract": "Data-driven decision support in high-stakes domains like healthcare and finance faces significant barriers to data sharing due to regulatory, institutional, and privacy concerns. While recent generative AI models, such as large language models, have shown impressive performance in open-domain tasks, their adoption in sensitive environments remains limited by unpredictable behaviors and insufficient privacy-preserving datasets for benchmarking. Existing anonymization methods are often inadequate, especially for unstructured text, as redaction and masking can still allow re-identification. Differential Privacy (DP) offers a principled alternative, enabling the generation of synthetic data with formal privacy assurances. In this work, we address these challenges through three key contributions. First, we introduce a comprehensive evaluation framework with standardized utility and fidelity metrics, encompassing nine curated datasets that capture domain-specific complexities such as technical jargon, long-context dependencies, and specialized document structures. Second, we conduct a large-scale empirical study benchmarking state-of-the-art DP text generation methods and LLMs of varying sizes and different fine-tuning strategies, revealing that high-quality domain-specific synthetic data generation under DP constraints remains an unsolved challenge, with performance degrading as domain complexity increases. Third, we develop a membership inference attack (MIA) methodology tailored for synthetic text, providing first empirical evidence that the use of public datasets - potentially present in pre-training corpora - can invalidate claimed privacy guarantees. Our findings underscore the urgent need for rigorous privacy auditing and highlight persistent gaps between open-domain and specialist evaluations, informing responsible deployment of generative AI in privacy-sensitive, high-stakes settings.",
    "topics": [
      "data_anonymization",
      "llm_privacy_attacks"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "AI Training PII"
    ],
    "relevanceScore": 0.696,
    "venue": "arXiv.org",
    "language": "en"
  },
  {
    "id": "s2:6bec326045dc1918ec3b0f77ee2e5ee2ee5e90c2",
    "title": "Securing Biometric Data: Fully Homomorphic Encryption in Multimodal Iris and Face Recognition",
    "authors": [
      "Surendra Singh",
      "Lambert Igene",
      "S. Schuckers"
    ],
    "date": "2024-08-26",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/6bec326045dc1918ec3b0f77ee2e5ee2ee5e90c2",
    "pdfUrl": "http://arxiv.org/pdf/2408.14609",
    "doi": "10.1109/BIOSIG61931.2024.10786750",
    "abstract": "Multimodal biometric systems have gained popularity for their enhanced recognition accuracy and resistance to attacks like spoofing. This research explores methods for fusing iris and face feature vectors and implements robust security measures to protect fused databases and conduct matching operations on encrypted templates using fully homomorphic encryption (FHE). Evaluations on the QFIRE-I database demonstrate that our method effectively balances user privacy and accuracy while maintaining a high level of precision. Through experimentation, we demonstrate the effectiveness of employing FHE for template protection and matching within the encrypted domain, achieving notable results: a 96.41% True Acceptance Rate (TAR) for iris recognition, 81.19% TAR for face recognition, 98.81% TAR for iris fusion (left and right), and achieving a 100% TAR at 0.1% false acceptance rate (FAR) for face and iris fusion. The application of FHE presents a promising solution for ensuring accurate template matching while safeguarding user privacy and mitigating information leakage.",
    "topics": [
      "privacy_engineering",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Solutions Market"
    ],
    "relevanceScore": 0.696,
    "venue": "Biometrics and Electronic Signatures",
    "language": "en"
  },
  {
    "id": "s2:e42e46cda6a9a2bcc506eb8d218961555c26437a",
    "title": "AI facial recognition and biometric detection: balancing consumer rights and corporate interests",
    "authors": [
      "Felipe Romero Moreno"
    ],
    "date": "2021-10-11",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/e42e46cda6a9a2bcc506eb8d218961555c26437a",
    "pdfUrl": "http://uhra.herts.ac.uk/bitstream/2299/25414/1/AI_facial_recognition_and_biometric_detection_balancing_consumer_rights_and_corporate_interests_Copy.pdf",
    "doi": "10.1109/ICCST49569.2021.9717403",
    "abstract": "The purpose of this study is two-fold. Firstly, to critically assess the extent to which corporate actors can lawfully use artificial intelligence (AI) technology for real-time facial recognition biometric detection. Secondly, to suggest and appraise some procedural safeguards to make the use of these systems by private actors compatible with consumers' right to protection of their personal data under the General Data Protection Regulation (GDPR). This study seeks to fill an existing gap in the literature. It concludes that unless, the three variables suggested in the study are considered, that is, ‘whether’, ‘when’ and ‘how’ corporate actors can legally use AI for real-time facial recognition biometric detection, the use of this technology will violate consumers' data protection rights.",
    "topics": [
      "biometric_surveillance",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement"
    ],
    "relevanceScore": 0.696,
    "venue": "International Carnahan Conference on Security Technology",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4214643781",
    "title": "Contributions to Privacy and Data Protection from a Multi-Disciplinary Model-Based Software and Systems Engineering Approach",
    "authors": [
      "Yod Samuel Martín García"
    ],
    "date": "2021",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.20868/upm.thesis.69940",
    "pdfUrl": "https://doi.org/10.20868/upm.thesis.69940",
    "doi": "https://doi.org/10.20868/upm.thesis.69940",
    "abstract": "Information privacy and personal data protection have gained relevance in recent years in parallel to the explosion of business models based on exploiting these personal data. Many initiatives have been developed to address these concerns from civil society, academia, and institutions, of which the enactment of stricter regulatory frameworks (and in particular the EU General Data Protection Regulation or GDPR) is a paramount example. In this context, privacy engineering has emerged as a field in software and systems engineering that vouches for the introduction of methods, tools, and techniques into engineering practice to address privacy and data protection concerns from a systematic and economical approach. This way, it recognizes the key role of engineers to ensure privacy and data protection in the systems they develop, and responds from the body of knowledge and the accumulated wisdom of software and systems engineering by introducing methods, tools, and techniques aligned to those employed by the engineering community of practice in their job. In this dissertation, we present our contributions to that field, leveraging the model-based software and systems engineering (MBSSE) approach, as it provides a demonstrated way to systematically organize knowledge about the system and its context, integrate system-specific and aspect-oriented viewpoints, and facilitate the processing of the models by both human and automated means. We have especially focused on the integration of privacy and data protection concerns into several engineering disciplines (risk management, requirements engineering, design, systems assurance, and method engineering) through the following contributions: - A working definition of privacy and data protection and an adversary model suitable for privacy and data protection engineering. 
- An analysis of the gap between the needs of engineers in relation to the implementation of privacy and data protection principles (and compliance with the EU GDPR) and the support by privacy management tools, and a proposal to support these needs from the perspectives of the above-mentioned engineering disciplines. - An implementation-independent Domain-Specific Aspect Language (DSAL) to annotate a variety of system models with privacy and data protection features. - A methodological framework for managing requirements to address privacy and data protection requirements from a dual perspective (risk-based and goal-oriented) and the application of the latter to operationalize the contents of ISO/IEC 29100. - A system for privacy design patterns, including morphological elements (structure), syntactical elements (relationships), and lexical elements (instances). - A method for privacy and data protection assurance (especially, privacy and data protection impact assessments) including the definition of a process-oriented reference framework, argumentation patterns, and mapping between legal regulations (GDPR), technical standards (ISO/IEC 29134), and industry guidance (smart grid PIA template). - A methodological metamodel for privacy and data protection engineering methods, the definition of a set of privacy and data protection processes to be introduced throughout the System Development Lifecycle (SDLC), their interactions between one another, and an architecture of a software toolset to support that process. - A policy brief with recommendations for future legal and institutional developments. All in all, these contributions set the scene for introducing privacy and data protection throughout the SDLC, and have been validated in the context of EU-funded research projects PRIPARE, TRUESSEC.EU, PDP4E. In the last one, the consortium has implemented open-source software tools to support parts of the methods that we have devised and introduced in this dissertation. 
Besides, a community on privacy and data protection engineering by models is being established at the Eclipse Foundation to pursue our work in the future. ----------RESUMEN---------- La privacidad y la protección de datos personales han ido ganando importancia en paralelo a la explotación de estos datos por las empresas. Entre las iniciativas para abordarlas, destaca la promulgación del Reglamento General de Protección de Datos de la UE (RGPD). Desde la ingeniería de software y sistemas, surge el campo de la ingeniería de privacidad y protección de datos para introducir métodos, herramientas y técnicas en la práctica de la ingeniería, que aborden estas cuestiones desde un enfoque sistemático y eficiente. Así, se reconoce el rol clave de los ingenieros para garantizar la privacidad en los sistemas que desarrollan, respondiendo desde el cuerpo de conocimiento y la experiencia de la ingeniería de software y sistemas mediante métodos, herramientas y técnicas alineadas con las que los ingenieros trabajan en la práctica. Esta tesis presenta nuestras contribuciones a dicho campo, aprovechando el enfoque de la ingeniería de software y sistemas basada en modelos (MBSSE), que ha demostrado su adecuación para organizar sistemáticamente el conocimiento del sistema y de su contexto, integrar puntos de vista propios del sistema con otros orientados a aspectos transversales, y facilitar el procesamiento humano o automatizado de los modelos. Nos hemos centrado en integrar la privacidad y la protección de datos en varias disciplinas de ingeniería (gestión de riesgos, ingeniería de requisitos, diseño, aseguramiento de sistemas e ingeniería de métodos) mediante las siguientes contribuciones: - Una definición operativa de privacidad y protección de datos, y un modelo de adversario apropiado para la ingeniería de privacidad y de protección de datos. 
- Un análisis de la brecha entre las necesidades de los ingenieros para implementar los principios de privacidad y protección de datos (y con el cumplimiento del RGPD de la UE), y el respaldo ofrecido por las herramientas de gestión de la privacidad, más una propuesta para apoyar estas necesidades desde las disciplinas de ingeniería mencionadas. - Un lenguaje específico de aspectos (DSAL) independiente de la implementación, para anotar una variedad de modelos de sistema con información de características de privacidad y protección de datos. - Un marco metodológico de gestión de requisitos para abordar los requisitos de privacidad y protección de datos desde una doble perspectiva (basada en riesgos y orientada a objetivos) y la aplicación de esta última para operativizar los contenidos de la norma ISO/IEC 29100. - Un sistema de patrones de diseño de privacidad, incluidos elementos morfológicos (estructura), elementos sintácticos (relaciones) y elementos léxicos (instancias). - Un método para la garantía de privacidad y protección de datos (especialmente, evaluaciones de impacto de privacidad y protección de datos EIPD), con un marco de referencia orientado a procesos, patrones de argumentación, y correspondencia entre la ley (GDPR), estándares técnicos (ISO/IEC 29134) y pautas industriales (plantilla EIPD para red eléctrica inteligente). - Un metamodelo metodológico para los métodos de ingeniería de privacidad y protección de datos, un conjunto de procesos de privacidad y protección de datos que se introducirán a lo largo del ciclo de vida de desarrollo del sistema (SDLC), sus interacciones, y la arquitectura de un conjunto de herramientas de software para respaldar ese proceso. - Un resumen de políticas con recomendaciones para futuros desarrollos legales e institucionales. 
Estas contribuciones muestran la introducción de la privacidad y la protección de datos a lo largo del SDLC, y han sido validadas en el contexto de los proyectos de investigación europeos PRIPARE, TRUESSEC.EU, y PDP4E. En este último, el consorcio ha implementado herramientas de software de código abierto para apoyar parte de los métodos que introducimos en esta tesis. Además, se pretende continuar nuestro trabajo en una comunidad albergada por la Eclipse Foundation para el futuro.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.696,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4407666340",
    "title": "Semantic Representation of Privacy Terms and Policy-based Algorithms for Decentralised Data Environments",
    "authors": [
      "Beatriz Esteves",
      "Beatriz Gonçalves Crisóstomo Esteves"
    ],
    "date": "2024",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.20868/upm.thesis.83215",
    "pdfUrl": "https://doi.org/10.20868/upm.thesis.83215",
    "doi": "https://doi.org/10.20868/upm.thesis.83215",
    "abstract": "With the widespread of technologies in every aspect of our day-to-day life, the amount of data available worldwide is growing rapidly and, consequently, the legal and ethical implications of its exploration have been under debate for quite a few years. When the General Data Protection Regulation (GDPR) came into full effect on the 25th of May 2018, companies had to deal with the impact of this new legislation on their processing of personal data and users were overloaded with the amount of complex technical information on their renewed rights over that processing. The main goal of this thesis is to find ways to help users of Web services deal with this overload, offering services that match their preferences and respect their rights, aiding them in taking control over the publication and sharing of their personal data. In this context, the use and extension of data protection vocabularies and machine-readable policy languages are suitable for the representation of individual privacy preferences and requirements, fine-grained policies for the processing of personal data and other machine-readable information related to GDPR rights and obligations, including the logging of processing activities for future auditing and the exercising of user's personal data-related rights. Furthermore, these specifications can also be used to establish a policy matching mechanism where fine-grained GDPR-aligned access control policies are used to manage and determine access to decentralised personal datastores, such as Solid Pods. Solid is a decentralised data environment that detaches the storage of data from the processing of said data performed by data-driven applications. Such an architecture allows Web users to have better control over the movement of their personal data and regain trust in the services using it as the users are the ones specifying who can access their data. 
The policy matching algorithm and the developed vocabularies are also used to deal with the requirements of sharing health data and to manage the requirements of the newly enforced Data Governance Act to showcase the representational capabilities of the developed technologies to cover specific use cases and to be expanded to deal with new demands, in particular, related to the expression of data reuse policies and consent terms. The contributions proposed in this Thesis confirm the hypothesis that Semantic Web technologies can be used to successfully express data protection-related information, including the definition of data subjects' privacy preferences as access control policies related to their personal data. Furthermore, said technologies can be used to increase the transparency and accountability of decentralised data environments, in particular when it comes to the involved entities and infrastructure, including their access control mechanisms. RESUMEN Con la expansión de las tecnologías en todos los aspectos de nuestra vida cotidiana, la cantidad de datos disponibles en todo el mundo está creciendo rápidamente y, en consecuencia, las implicaciones legales y éticas de su exploración han sido objeto de debate durante bastantes años. Cuando el Reglamento General de Protección de Datos (RGPD) entró en pleno vigor el 25 de mayo de 2018, las empresas tuvieron que lidiar con el impacto de esta nueva legislación en su procesamiento de datos personales y los usuarios se vieron sobrecargados con la cantidad de información técnica compleja relacionada con sus derechos renovados sobre ese tratamiento. El objetivo principal de esta tesis es encontrar formas de ayudar a los usuarios de servicios Web a lidiar con esta sobrecarga, ofreciéndoles servicios que se ajusten a sus preferencias y respeten sus derechos, ayudándoles a tomar control sobre la publicación y el intercambio de sus datos personales. 
En este contexto, el uso y la ampliación de vocabularios de protección de datos y lenguajes de políticas son adecuados para la representación de preferencias y requisitos de privacidad individuales, políticas detalladas para el procesamiento de datos personales y otra información legible por máquinas relacionada con los derechos y obligaciones del RGPD, incluido el registro de las actividades de procesamiento para futuras auditorías y el ejercicio de los derechos del usuario relacionados con los datos personales. Además, estas especificaciones también se pueden utilizar para establecer un mecanismo de coincidencia de políticas en el que se utilicen políticas de control de acceso detalladas y alineadas con el RGPD para gestionar y determinar el acceso a almacenes de datos personales descentralizados, como Solid Pods. Solid es un ambiente de datos descentralizado que separa el almacenamiento de datos del procesamiento de dichos datos realizado por aplicaciones. Esta arquitectura permite a los usuarios de la Web tener un mejor control sobre el movimiento de sus datos personales y recuperar la confianza en los servicios que los utilizan, ya que son los usuarios quienes especifican quién puede acceder a sus datos. El algoritmo de coincidencia de políticas y los vocabularios desarrollados también se utilizan para abordar los requisitos de compartir datos de salud y para gestionar los requisitos de la Ley de Gobernanza de Datos recientemente aplicada para mostrar las capacidades de representación de las tecnologías desarrolladas para cubrir casos de uso específicos y ampliarse para hacer frente a nuevas demandas, en particular, relacionadas con la expresión de políticas de reutilización de datos y términos de consentimiento. 
Las contribuciones propuestas en esta Tesis confirman la hipótesis de que las tecnologías de la Web Semántica pueden usarse para expresar con éxito información relacionada con la protección de datos, incluida la definición de las preferencias de privacidad de los interesados como políticas de control de acceso relacionadas con sus datos personales. Además, dichas tecnologías se pueden utilizar para aumentar la transparencia y la rendición de cuentas de los ambientes de datos descentralizados, en particular cuando se trata de las entidades y la infraestructura involucradas, incluidos sus mecanismos de control de acceso.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.696,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4412388941",
    "title": "Contributions to the Automated Assessment of Mobile Applications’ Compliance with Privacy and Data Protection Requirements",
    "authors": [
      "David Rodríguez",
      "David Rodriguez Torrado"
    ],
    "date": "2025",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.20868/upm.thesis.89643",
    "pdfUrl": "https://doi.org/10.20868/upm.thesis.89643",
    "doi": "https://doi.org/10.20868/upm.thesis.89643",
    "abstract": "Smartphones have seen widespread adoption in society, largely due to their Internet connectivity and their ability to perform a wide range of activities—from work-related tasks like document creation and editing to multimedia consumption. However, while their capabilities have been significantly enhanced by the advent and proliferation of mobile applications, they also introduce risks for users. The numerous sensors integrated into these devices and their extensive connectivity enable the collection and transfer of vast amounts of personal data, making it possible to identify users and track their behavior, movements, and usage patterns. This practice, mainly driven by business models based on hyper-targeted advertising, poses a considerable risk to privacy. In response to this and other challenges in our digital society, the European Union enacted the General Data Protection Regulation (GDPR) to promote greater protection and handling of personal data. Evaluating the regulatory compliance of mobile applications with the GDPR is a formidable challenge, particularly in fast-paced environments like the Google Play Store, where thousands of apps are published and updated daily. The sheer volume and frequency of these changes make manual inspection impractical, and the widespread use of third-party libraries further compounds this challenge. Although these libraries allow developers to rapidly integrate new functionalities, they often collect and transfer user data without the developers’ awareness. Within the framework of the AutoGDPR project, which the Spanish government funded with European funds, this thesis contributes a set of methods and artifacts that allow for the comprehensive analysis of mobile app behavior. 
The approach involves the use of both static and dynamic techniques—employing tools such as Mitmproxy and Frida—to assess app behavior, as well as the automation of privacy policy and privacy label processing through natural language processing techniques and large language models. Moreover, GDPR requirements have necessarily been translated into programmable rules that enable automatic evaluations, with frequent collaboration with legal experts to ensure accuracy. The developed methods and artifacts have been integrated into a modular platform based on technologies like Docker and RabbitMQ, facilitating large-scale studies and the extraction of empirical evidence. The results from these studies reveal widespread non-compliance with transparency obligations: more than 80% of the analyzed apps potentially fail to meet GDPR requirements regarding the disclosure of data transfers to third parties, and significant shortcomings exist in the privacy configurations of third-party libraries, which are responsible for over 70% of undeclared data transfers. Additionally, about 50% of privacy policies do not correctly state the data retention periods, and 48% of those transferring data do so to servers outside the European Union without proper declaration, as required by the GDPR. Furthermore, studies have shown that privacy labels often do not match the actual behavior of the apps or the information provided in their privacy policies. All this demonstrates that the current mobile application ecosystem is misaligned with data protection regulations, underscoring the need for authorities to employ automated monitoring and review mechanisms and for developers to have tools that help them comply with these regulations. This research has resulted in a total of 12 scientific publications. 
Seven articles are a direct outcome of this thesis—four published in journals indexed in the Journal Citation Report (with one in the first quartile Q1 and three in the second Q2), and two in international peer-reviewed events, including a notable publication at the Privacy Enhancing Technologies Symposium (PETS), one of the most prestigious congresses in privacy research. Additionally, the developed methods and artifacts have indirectly contributed to five further publications— two in international peer-reviewed events, two in JCR-listed Q1 journals, and one in a Q2 journal currently under review. International collaborations have played a significant role in this work. Research stays of three months each were carried out at renowned institutions such as Carnegie Mellon University and King’s College London, along with additional collaborations with research groups at ETH Zurich. In the industrial realm, the artifacts have been employed in regulatory compliance audits, demonstrating their practical utility. Regulatory bodies, including members from the Federal Trade Commission (FTC) in the United States and the Spanish Data Protection Agency (AEPD), have expressed interest in these findings and tools, highlighting their potential to enhance supervision and enforcement of data protection laws. Moreover, some of the research findings have reached a wider audience through major Spanish media outlets such as La Vanguardia, Computer Hoy, La COPE, and TreceTV, raising public awareness about the importance of privacy in our digital age. The thesis also includes the direct supervision of five final degree projects and the provision of technical support to other research initiatives, which have helped advance the automation of regulatory compliance evaluation and contributed to the education of new talent in the field of data protection. 
Overall, this doctoral thesis lays the groundwork for the automated evaluation of regulatory compliance in mobile applications by providing tools that foster a more transparent digital ecosystem, aligned with data protection laws. Future research will extend this approach to other platforms such as iOS, enable multilingual assessments of privacy policies, and apply these methods and knowledge to analyzing usage policies in customized chatbots, thereby addressing emerging challenges in an ever-evolving digital landscape. RESUMEN Los teléfonos móviles, y particularmente los inteligentes, han tenido una gran adopción en la sociedad, en especial gracias a su conectividad a internet y capacidad para realizar un amplio abanico de actividades, desde tareas orientadas al trabajo, como la creación y modificación de documentos, hasta el consumo multimedia. Sin embargo, aunque sus capacidades se han visto especialmente aumentadas tras la aparición y proliferación de las aplicaciones, también conllevan riesgos para los usuarios. La cantidad de sensores que integran estos dispositivos y su gran conectividad, permite que se recolecte y envíe un gran volumen de datos personales, posibilitando identificar a los usuarios, conocer su comportamiento, movimientos y patrones de uso. Esta práctica, impulsada en gran medida por los modelos de negocio basados en la publicidad hipersegmentada, supone un riesgo considerable para la privacidad. En respuesta a este problema ya presente y en auge en nuestra sociedad digital, la Unión Europea presentó el Reglamento General de Protección de Datos (RGPD) con el fin de promover una mayor protección y un adecuado tratamiento de los datos personales. 
No obstante, la evaluación del cumplimiento normativo de aplicaciones móviles conforme al RGPD representa un desafío significativo, especialmente en un ecosistema marcado por el dinamismo de sus plataformas de distribución, como Google Play Store, donde miles de ellas son publicadas y actualizadas a diario. Este gran volumen y frecuencia de cambios hacen impracticable la inspección manual de todas las aplicaciones, subrayando la necesidad de métodos, técnicas y herramientas automatizados que permitan abordar esta tarea a escala. Además, este problema se ve agravado por el uso de bibliotecas de código de terceros, que permiten integrar funcionalidades de forma rápida y efectiva, pero que a menudo recopilan y transfieren datos de los usuarios, hecho que a menudo ocurre inadvertido para los desarrolladores y responsables de las aplicaciones. En respuesta a esta problemática, y en el marco del proyecto AutoGDPR—financiado por el Gobierno de España y centrado en la automatización de la evaluación del cumplimiento del RGPD—, esta tesis contribuye con el diseño y desarrollo de métodos y artefactos. Estos permiten, de forma conjunta, 1) analizar el comportamiento de las aplicaciones, 2) automatizar el procesamiento de políticas y etiquetas de privacidad mediante técnicas de procesamiento de lenguaje natural, y 3) traducir los requisitos del RGPD en reglas programables que posibilitan evaluaciones automáticas. Para abordar este último punto se ha requerido, además, una frecuente colaboración con abogados expertos en protección de datos, destacando la faceta multidisciplinar de este trabajo. El análisis del comportamiento de las aplicaciones se ha llevado a cabo mediante técnicas de análisis estático y dinámico de aplicaciones, apoyado parcialmente por herramientas de código abierto como Mitmproxy o Frida. 
Otras tecnologías, como los modelos de lenguaje de gran tamaño, han permitido identificar y extraer prácticas más complejas descritas en los textos legales, permitiendo evaluar el cumplimiento de requisitos de RGPD como las transferencias internacionales de datos personales, o transferencias a terceras organizaciones. Finalmente, los artefactos y métodos desarrollados se han integrado en una plataforma modular basada en tecnologías como Docker y RabbitMQ, que han propiciado realizar estudios con un gran volumen de aplicaciones y extraer conclusiones basadas en evidencia empírica. Los resultados obtenidos con la plataforma y los artefactos desarrollados muestran incumplimientos generalizados en las obligaciones de transparencia de los responsables de las aplicaciones. Más del 80% de las aplicaciones analizadas potencialmente incumplen con los requisitos de transparencia del RGPD respecto a la cesión de datos a terceros y se identificaron deficiencias significativas en la configuración de privacidad de bibliotecas de terceros, resp",
    "topics": [
      "gdpr_compliance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.696,
    "venue": "",
    "language": "en"
  },
  {
    "id": "europepmc:36572676",
    "title": "A Python library to check the level of anonymity of a dataset.",
    "authors": [
      "Sáinz-Pardo Díaz J",
      "López García Á."
    ],
    "date": "2022-12-26",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1038/s41597-022-01894-2",
    "pdfUrl": "https://europepmc.org/articles/PMC9791635?pdf=render",
    "doi": "10.1038/s41597-022-01894-2",
    "abstract": "Openly sharing data with sensitive attributes and privacy restrictions is a challenging task. In this document we present the implementation of pyCANON, a Python library and command line interface (CLI) to check and assess the level of anonymity of a dataset through some of the most common anonymization techniques: k-anonymity, (α,k)-anonymity, ℓ-diversity, entropy ℓ-diversity, recursive (c,ℓ)-diversity, t-closeness, basic β-likeness, enhanced β-likeness and δ-disclosure privacy. For the case of more than one sensitive attribute, two approaches are proposed for evaluating these techniques. The main strength of this library is to obtain a full report of the parameters that are fulfilled for each of the techniques mentioned above, with the unique requirement of the set of quasi-identifiers and sensitive attributes. The methods implemented are presented together with the attacks they prevent, the description of the library, examples of the different functions' usage, as well as the impact and the possible applications that can be developed. Finally, some possible aspects to be incorporated in future updates are proposed.",
    "topics": [
      "data_anonymization",
      "linkability_tracking"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Re-identification"
    ],
    "relevanceScore": 0.696,
    "venue": "",
    "language": "fr"
  },
  {
    "id": "gdprhub:8321",
    "title": "Rb. Amsterdam - C/13/731682 / HA ZA 23-329",
    "authors": [],
    "date": "2024-09-30",
    "platform": "gdprhub",
    "sourceUrl": "https://gdprhub.eu/index.php?title=Rb._Amsterdam_-_C/13/731682_/_HA_ZA_23-329",
    "pdfUrl": "",
    "doi": "",
    "abstract": "structurally failing to comply with GDPR data security principles such as privacy by design, data minimization, purpose limitation and technical and organizational",
    "topics": [
      "gdpr_compliance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.696,
    "venue": "",
    "language": "el"
  },
  {
    "id": "arxiv:2306.00292",
    "title": "Sustainable AI Regulation",
    "authors": [
      "Philipp Hacker"
    ],
    "date": "2023-06-01",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2306.00292v4",
    "pdfUrl": "https://arxiv.org/pdf/2306.00292v4",
    "doi": "",
    "abstract": "Current proposals for AI regulation, in the EU and beyond, aim to spur AI that is trustworthy (e.g., AI Act) and accountable (e.g., AI Liability). What is missing, however, is a robust regulatory discourse and roadmap to make AI, and technology more broadly, environmentally sustainable. This paper aims to take first steps to fill this gap. The ICT sector contributes up to 3.9 percent of global greenhouse gas (GHG) emissions—more than global air travel at 2.5 percent. The carbon footprint and water consumption of AI, especially large-scale generative models like GPT-4, raise significant sustainability concerns. The paper is the first to assess how current and proposed technology regulations, including EU environmental law, the General Data Protection Regulation (GDPR), and the AI Act, could be adjusted to better account for environmental sustainability. The GDPR, for instance, could be interpreted to limit certain individual rights like the right to erasure if these rights significantly conflict with broader sustainability goals. In a second step, the paper suggests a multi-faceted approach to achieve sustainable AI regulation. It advocates for transparency mechanisms, such as disclosing the GHG footprint of AI systems, as laid out in the proposed EU AI Act. However, sustainable AI regulation must go beyond mere transparency. The paper proposes a regulatory toolkit comprising co-regulation, sustainability-by-design principles, restrictions on training data, and consumption caps, including integration into the EU Emissions Trading Scheme. Finally, the paper argues that this regulatory toolkit could serve as a blueprint for regulating other high-emission technologies and infrastructures like blockchain, Metaverse applications, and data centers. The framework aims to cohesively address the crucial dual challenges of our era: digital transformation and climate change mitigation.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.696,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:5407897",
    "title": "k-scale: k-Anonymizing Millions of Trajectories",
    "authors": [
      "Abhishek Kumar Mishra",
      "Marco Fiore"
    ],
    "date": "2026-05-18",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-05407897v1",
    "pdfUrl": "https://hal.science/hal-05407897/document",
    "doi": "",
    "abstract": "Trajectory datasets collected by network operators and service providers offer detailed information about individual mobility and have wide application in business and research. However, managing such data raises privacy risks, as the unique movement patterns of individuals pose significant re-identification risks and make common countermeasures like pseudonymization ineffective. The privacy-preserving data publishing (PPDP) of trajectory datasets that maintains post-anonymization accuracy and truthfulness is an open problem—especially for large datasets with millions of records like those gathered by major actors in the telco ecosystem. We close this gap with k-scale, a framework that implements k-anonymity in massive mobile user trajectory datasets, removing uniqueness while safeguarding accuracy at the record level. Not only is k-scale the first model capable of scaling k-anonymization to a dataset of one million trajectories, but it does so while also outperforming state-of-the-art methods for trajectory data publishing in terms of preserved data quality, which we prove in real-world massive datasets and applications.",
    "topics": [
      "data_anonymization",
      "nlp_ner_tools"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.696,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:oai:repozitorij.pmf.unizg.hr:pmf_14179",
    "title": "Anonimizacija podataka pohranjenih u relacijske baze podataka",
    "authors": [
      "Jerešić, Helena"
    ],
    "date": "2025-02-28",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=oai:repozitorij.pmf.unizg.hr:pmf_14179",
    "pdfUrl": "",
    "doi": "",
    "abstract": "The protection of personal data has become crucial in today's digital society, especially in the context of relational databases that process large amounts of sensitive information on a daily basis. Data anonymization ensures the protection of users' privacy by reducing the risk of re-identification, enabling the secure storage, processing, and exchange of data, while also helping to comply with legal requirements such as the General Data Protection Regulation. The first chapter of this paper defines key terms such as pseudonymization and anonymization, and the differences between them, explaining how each technique contributes to privacy protection. The second chapter focuses on the most commonly used anonymization techniques in practice, such as substitution, data mixing, noise addition, suppression, symbol masking, cryptographic techniques, and data generalization. The third chapter analyzes existing data anonymization tools, such as ARX, \\(\\mu\\)-ARGUS, SDCMicro, and Amnesia, which offer various approaches and levels of privacy protection. Finally, the fourth chapter provides a detailed description of the practical part of this thesis, in which an application for anonymizing data stored in relational databases, called AnonyDB, was developed. This chapter describes the entire development process of the application, including the selection of technologies, the implementation of key functionalities, and the demonstration of anonymization results on a sample database. The application allows users to apply various privacy protection techniques, such as hashing, suppression, and noise addition.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.696,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|od______1272::0bd790a144ae18979fb9b1df050315b3",
    "title": "Privacy and data protection in India and Germany: A comparative analysis",
    "authors": [
      "Arora, Kim"
    ],
    "date": "2020-01-01",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=50|od______1272::0bd790a144ae18979fb9b1df050315b3",
    "pdfUrl": "",
    "doi": "",
    "abstract": "This research report offers a comparative analysis of privacy and data protection in Germany and India. It compares the two regimes on four counts. First, it examines how the right to privacy and/or its allied rights have developed in the two countries historically. In this, it explores the political factors contributing to the understanding and acceptability of the principles of privacy in the decades after the Second World War. Second, it delves into the instruments and forms of state surveillance employed by both the countries and analyses how the presence of parliamentary and judicial oversight on intelligence agencies impacts individual privacy. In the third section, it compares how biometric identity systems have been deployed in the two countries, the safeguards designed around the same, and the legal challenges they have thrown up. Lastly, it evaluates data subject rights as defined under the General Data Protection Regulation (GDPR) together with the Bundesdatenschutzgesetz-Neu (BDSG-Neu) and how they compare with those as defined under the Draft Personal Data Protection Bill, 2018 in the Indian context.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.696,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:oai:https://acikbilim.yok.gov.tr:20.500.12812/363860",
    "title": "Anlamsal onam yönetimi için bir çerçeve geliştirilmesi",
    "authors": [
      "Olca, Emre"
    ],
    "date": "2020-12-21",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=oai:https://acikbilim.yok.gov.tr:20.500.12812/363860",
    "pdfUrl": "",
    "doi": "",
    "abstract": "The rapid development of information and communication technologies enables the sharing and distribution of personal data more easily. As a result of this sharing, personal data is becoming accessible, regardless of location and time. In addition to this ease of access, privacy and security risks arise and private life abuse is occurred. In order to prevent this abuse and to protect the personal fundamental rights and freedoms, legal regulations are made in national and international areas to ensure the privacy of personal data. In Turkey, the Personal Data Protection Law - PDPL No. 6698 was adopted in 2016 in order to protect people&apos;s fundamental rights and freedoms and to determine the principles and procedures that persons should comply with. In addition, the Global Data Protection Regulation - GDPR, a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA) was issued in April 2016 and entered into force in May 2018. According to both PDPL and GDPR, personal consent is required in order to process personal data. According to the consent of the person, consent management becomes an important and necessary process in the management of the process of processing personal data.Within the scope of this thesis, a semantic consent management framework has been developed to protect the privacy of personal data. It is necessary to re-use the domain information and to make inferences in order to perform an effective consent management. Therefore, a semantic solution is proposed instead of an electronic consent management. In this regard, the text of the law is taken as a supporting document for the proposed solution. For this purpose, the system elements are determined by analyzing the law. Consent Ontology using this system elements and a framework that performs consent management have been developed. Within the developed framework, case studies were conducted in two different domains.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.696,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:4953775",
    "title": "Transfer of EU Personal Data to U.S. Law Enforcement Authorities After the CLOUD Act: Is There a Conflict with the GDPR?",
    "authors": [
      "Theodore Christakis"
    ],
    "date": "2019",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-04953775v1",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Since the adoption of the Clarifying Lawful Overseas Use of Data Act – CLOUD Act in March 2018 there have been a lot of discussions about whether a transfer of EU personal data by an Internet and Cloud Service Provider to U.S. Law Enforcement Authorities under the Stored Communications Act (SCA), could conflict with the EU General Data Protection Regulation (GDPR), in force since May 2018. Some commentators went as far as arguing that the CLOUD Act was “an American offensive in order to counter the GDPR”! However, to our knowledge, up to today, there is still no comprehensive study of the topic examining whether a transfer of EU personal data to U.S. LEAs under an SCA warrant could violate the GDPR. The objective of this paper is to contribute to this debate by focusing on the interaction between article 48 (which was introduced in the GDPR in order to limit transfer of EU personal data to foreign governments) and the permissible “derogations” under article 49 – and, especially, the most relevant among them which authorizes transfers “for important reasons of public interest” (art. 49(1)(d)). The two first parts of this paper “set the scene” by presenting the relevant provisions of the GDPR and their legislative history. The third part examines how these provisions have been interpreted by different actors, including the EU Commission, during the proceedings in the U.S. v. Microsoft Case before the U.S. Supreme Court. The fourth part focuses on the guidance given on these issues by the European Data Protection Board. The paper ends with 10 conclusions and thoughts on the current situation which, as this study shows, is not clear.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.696,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:3468773",
    "title": "Detection and measurement of web tracking",
    "authors": [
      "Imane Fouad"
    ],
    "date": "2021-06-29",
    "platform": "hal",
    "sourceUrl": "https://theses.hal.science/tel-03278529v2",
    "pdfUrl": "https://theses.hal.science/tel-03278529/document",
    "doi": "",
    "abstract": "In this thesis, we detected and measured web tracking technologies. We further audited the legal compliance of websites within the EU data Protection legal framework by assessing their compliance with the General Data Protection Regulation (GDPR) and the ePrivacy Directive. First, we proposed a fine-grained behavioral classification of tracking based on the analysis of invisible pixels. We demonstrated that popular methods to detect tracking, based on EasyList&EasyPrivacy and on Disconnect lists respectively miss 25.22% and 30.34% of the trackers that we detect. As a follow up of this first work, we made a qualitative study, and reported on the analysis on 176 websites of medical doctors and hospitals. We found that 76% of these websites fail to comply with the GDPR requirements on a valid explicit consent. Second, we studied the combination of both stateful and stateless web tracking techniques. To the best of our knowledge, our study is the first to detect and measure cookie respawning via browser and machine fingerprint. We found out that this technique can be used to track users across websites even when third-party cookies are deprecated. Finally, we investigate the legal compliance of purposes for 20,218 third-party cookies. We found that purposes declared in cookie policies do not comply with the purpose specification principle in 95% of cases in our automatized audit. Furthermore, we analyzed the authentication practices implemented in third-party tracking services to exercise the access right.",
    "topics": [
      "gdpr_compliance",
      "linkability_tracking"
    ],
    "painPointTracks": [
      "Enforcement",
      "Re-identification"
    ],
    "relevanceScore": 0.696,
    "venue": "theses.fr (ABES)",
    "language": "en"
  },
  {
    "id": "arxiv:1512.07158",
    "title": "Feature Selection for Classification under Anonymity Constraint",
    "authors": [
      "Baichuan Zhang",
      "Noman Mohammed",
      "Vachik Dave",
      "Mohammad Al Hasan"
    ],
    "date": "2015-12-22",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/1512.07158v7",
    "pdfUrl": "https://arxiv.org/pdf/1512.07158v7",
    "doi": "",
    "abstract": "Over the last decade, proliferation of various online platforms and their increasing adoption by billions of users have heightened the privacy risk of a user enormously. In fact, security researchers have shown that sparse microdata containing information about online activities of a user although anonymous, can still be used to disclose the identity of the user by cross-referencing the data with other data sources. To preserve the privacy of a user, in existing works several methods (k-anonymity, l-diversity, differential privacy) are proposed that ensure a dataset which is meant to share or publish bears small identity disclosure risk. However, the majority of these methods modify the data in isolation, without considering their utility in subsequent knowledge discovery tasks, which makes these datasets less informative. In this work, we consider labeled data that are generally used for classification, and propose two methods for feature selection considering two goals: first, on the reduced feature set the data has small disclosure risk, and second, the utility of the data is preserved for performing a classification task. Experimental results on various real-world datasets show that the method is effective and useful in practice.",
    "topics": [
      "data_anonymization",
      "linkability_tracking"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Re-identification"
    ],
    "relevanceScore": 0.696,
    "venue": "",
    "language": "en"
  },
  {
    "id": "ETid-1524",
    "title": "GDPR Fine: Portuguese National Statistical Institute — Portuguese Data Protection Authority (CNPD) (Portugal)",
    "authors": [
      "Portuguese Data Protection Authority (CNPD)"
    ],
    "date": "2022-11-02",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1524",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €4,300,000 | Articles: Art. 5 (1) a) GDPR, Art. 9 (1) GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 28 (1), (6), (7) GDPR, Art. 35 (1), (2), (3) b) GDPR, Art. 44 GDPR, Art. 46 (2) GDPR | Non-compliance with general data processing principles | The Portuguese DPA has fined the Portuguese National Statistical Institute EUR 4,3 million. \n\nThe DPA found numerous violations of the GPDR in connection with the 2021 census in Portugal. \n\nThe DPA first found that the controller had failed to inform the data subjects that the provision of religious and health data was purely voluntary. The DPA considered this to be an interference with the data subjects' ability to freely express their will regarding data processing. \n\nIn addition, the DPA found that the controller failed to exercise due diligence in selecting its processor, contrary to its obligation under Art. 28 GDPR.\n\nIn addition, the order processing contract permitted the transfer of personal data outside the EEA without providing for additional security measures besides the SCCS approved by the European Commission, as required under the Schrems II ruling. The DPA considered this to be a breach of Art. 44 GDPR and Art. 46 (2) GDPR. \n\nFinally, the DPA found that the controller failed to conduct a data protection impact assessment regarding the census.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.696,
    "venue": "GDPR DPA: Portuguese Data Protection Authority (CNPD)",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3035466169",
    "title": "Tipologia protecției datelor cu caracter personal în situații de criză medicală: coronavirus COVID-19 (The Typology of Personal Data Protection in Situations of Medical Crisis: Corona Virus COVID-19)",
    "authors": [
      "Daniel Mihail Şandru"
    ],
    "date": "2020",
    "platform": "OpenAlex",
    "sourceUrl": "",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Romanian Abstract: Protecția datelor (art. 8), dreptul la viața (art. 2), dreptul la viața privata (art. 8) și protecția sanatații (art. 35) sunt drepturi fundamentale protejate deopotriva in Carta drepturilor fundamentale a Uniunii Europene (CDFUE) precum și in dispoziții asemanatoare ori chiar identice din Convenția pentru apararea Drepturilor Omului și a Libertaților Fundamentale (CEDO). Regulamentul general privind protecția datelor (RGPD) protejeaza in primul rând datele cu caracter personal, dar subliniaza ca acest drept nu este absolut (consid. 4). De la caz la caz va trebui sa se aiba in vedere contextul aplicarii normelor speciale referitoare la datele personale ale persoanelor vizate. Protecția datelor in situații de criza medicala are in vedere mai multe direcții de cercetare și tipologii in aplicare. In primul rând, trebuie avute in vedere situația de criza umanitara și medicala și restrângerea drepturilor persoanelor fizice, respectiv reacția legislativa a statelor și organizațiilor. Este necesara o abordare critica privind ”unitatea in diversitate” a reacției statelor membre ale Uniunii Europene și a Comitetului European pentru Protecția Datelor. In al doilea rând, trebuie sa fie avute in vedere drepturile persoanelor vizate in calitatea acestora de pacienți sau de subiecte susceptibile de a fi pacienți, infectate sau suspecte de a fi purtarii noului virus SARS-CoV-2 (severe acute respiratory syndrome coronavirus 2 - sindrom sever respirator acut coronavirus 2) care declanșeaza boala COVID-19. In al treilea rând, articolul discuta despre limitarea drepturilor persoanelor fizice in situații excepționale și aplicarea acestora protecției datelor, inclusiv dreptul la informare și apariția fake news. 
In al patrulea rând, relația dintre angajat și angajator se modifica prin instituirea unor proceduri de informare a angajatului, masuri de protecția a acestuia și de protecția acestuia in raport cu clienții, masuri care sa conduca la protecția celorlalți angajați și luarea altor masuri tehnice și organizatorice de protecție a datelor. Aplicarea principiilor, in special in ceea ce privește temeiul prelucrarii, respectiv art. 6 alin. 1 lit. d – ”prelucrarea este necesara pentru a proteja interesele vitale ale persoanei vizate sau ale altei persoane fizice” este analizata in acest cadru. In al cincilea rând, articolul are in vedere securitatea datelor și riscurile asociate utilizarii muncii la domiciliu și a telemuncii. In concluzii, se subliniaza necesitatea elaborarii unui ghid unic de catre Comitetul european de protecția datelor și se fac trimiteri la lista tuturor ghidurilor și orientarilor Comitetului european ori ale autoritaților naționale de supraveghere intrucât Regulamentul general ofera puține resurse specifice de interpretare. Aceste orientari sunt necesare atât pentru intemeierea acțiunilor operatorilor dar și pentru evitarea sancțiunilor, autorul analizând sancțiunile care se refera la fenomenul COVID-19 sau care ar putea implica situații de criza medicala.\r\nCuvinte cheie: protecția datelor; protecția sanatații; COVID-19; drepturile persoanei vizate; obligațiile operatorului; criza medicala.\r\n\r\nEnglish Abstract: Data protection (Art. 8), right to life (Art. 2), right to privacy (Art. 8) and protection of health (Art. 35) are fundamental rights protected by Charter of Fundamental Rights of European Union (CDFUE) as well, and by similar or even identical provisions of Convention for Protection of Human Rights and Fundamental Freedoms (ECHR). The General Data Protection Regulation (GDPR) primarily protects personal data, emphasizing that this right is not absolute (recital 4). 
On a case-by-case basis, context of applying special rules regarding personal data of has to be assessed. Data protection in medical crisis situations involves several research directions and typologies in application. First of all, situation of humanitarian and medical crisis and restriction of rights of natural persons, respectively legislative reaction of states and organizations, must be taken into account. A critical approach on unity in diversity of reaction of member states of European Union and European Committee for Data Protection is needed. Secondly, rights of data subjects as patients or subjects likely to be patients, infected or suspected to be carrying new SARS-CoV-2 virus (severe acute respiratory syndrome coronavirus 2) must be taken into consideration that triggers COVID-19 disease. Third, article discusses limiting rights of individuals in exceptional situations and their application to data protection, including right to information and emergence of fake news. Fourth, relationship between employee and employer is modified by establishing procedures for informing employee, measures to protect him and his protection in relation to clients, measures that lead to protection of other employees and taking of other technical and organizational measures for data protection. The application of principles, especially regarding basis of processing, respectively art. 6 paragraph 1 letter d - the processing is necessary to protect vital interests of data subject or of another natural person is analyzed in this framework. Fifth, article addresses data security and risks associated with using home-based and telework. In conclusions, need to develop a single guide by European Data Protection Committee is underlined and references are made to all European Committee guidelines or guidelines or national supervisory authorities as General Regulation provides few specific interpretation resources. 
These guidelines are necessary both for establishment of operators' actions and for avoidance of sanctions, author analyzing sanctions that refer to COVID-19 phenomenon or that could involve situations of medical crisis.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.696,
    "venue": "",
    "language": "ro"
  },
  {
    "id": "europepmc:41030655",
    "title": "HRI-confusion: A multimodal dataset for modelling and detecting user confusion in situated human-robot interaction.",
    "authors": [
      "Li N",
      "Courtney J",
      "Ross R."
    ],
    "date": "2025-09-10",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1016/j.dib.2025.112047",
    "pdfUrl": "https://europepmc.org/articles/PMC12478088?pdf=render",
    "doi": "10.1016/j.dib.2025.112047",
    "abstract": "The dataset was collected from 28 participants (17 female, 9 male, and 1 non-binary) for a study aimed at modelling and detecting user social behaviours with different confusion states in task-oriented situated human-robot interaction (HRI). The dataset consists of user facial body video recordings synchronised with user speech across three designed experiment scenarios (Tasks 1 - 3). Each experiment lasted approximately one hour per participant. The videos are segmented into individual clips corresponding to specific experimental conversations under predefined conditions: general confusion and non-confusion for Task 1 and 3; and productive confusion, unproductive confusion, and non-confusion for Task 2. In total, the dataset contains 789 video clips (body: 392, face: 397). Each video is recorded in high-definition RGB format, capturing user facial expressions or body language along with their speech. These multimodal data provide a valuable resource for studying user cognitive and mental states in human-robot interaction and human-computer interaction. The data collected for Task 2 was used in [9]. In compliance with GDPR (General Data Protection Regulation) and DPIA (data protection impact assessment) guidelines, the dataset is freely available upon request at https://sites.google.com/view/hridatarequst/home.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.683,
    "venue": "Data in brief",
    "language": "en"
  },
  {
    "id": "openaire:jcp3030030",
    "title": "Attribute-Centric and Synthetic Data Based Privacy Preserving Methods: A Systematic Review",
    "authors": [
      "Abdul Majeed"
    ],
    "date": "2023-09-11",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.3390/jcp3030030",
    "pdfUrl": "https://www.mdpi.com/2624-800X/3/3/30/pdf",
    "doi": "10.3390/jcp3030030",
    "abstract": "<jats:p>Anonymization techniques are widely used to make personal data broadly available for analytics/data-mining purposes while preserving the privacy of the personal information enclosed in it. In the past decades, a substantial number of anonymization techniques were developed based on the famous four privacy models such as k-anonymity, ℓ-diversity, t-closeness, and differential privacy. In recent years, there has been an increasing focus on developing attribute-centric anonymization methods, i.e., methods that exploit the properties of the underlying data to be anonymized to improve privacy, utility, and/or computing overheads. In addition, synthetic data are also widely used to preserve privacy (privacy-enhancing technologies), as well as to meet the growing demand for data. To the best of the authors’ knowledge, none of the previous studies have covered the distinctive features of attribute-centric anonymization methods and synthetic data based developments. To cover this research gap, this paper summarizes the recent state-of-the-art (SOTA) attribute-centric anonymization methods and synthetic data based developments, along with the experimental details. We report various innovative privacy-enhancing technologies that are used to protect the privacy of personal data enclosed in various forms. We discuss the challenges and the way forward in this line of work to effectively preserve both utility and privacy. This is the first work that systematically covers the recent development in attribute-centric and synthetic-data-based privacy-preserving methods and provides a broader overview of the recent developments in the privacy domain.</jats:p>",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.683,
    "venue": "Journal of Cybersecurity and Privacy",
    "language": "en"
  },
  {
    "id": "europepmc:PPR1074969",
    "title": "An Efficient and Effective Model for Preserving Sensitive Data in Location-Based Graphs Using Data Generalization and Data Suppression in Conjunction with Data Sliding Windows and R-Trees",
    "authors": [
      "Riyana S",
      "Harnsamut N."
    ],
    "date": "2025-08-29",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.20944/preprints202508.2125.v1",
    "pdfUrl": "https://doi.org/10.20944/preprints202508.2125.v1",
    "doi": "10.20944/preprints202508.2125.v1",
    "abstract": "Location-based services (LBS) are well-known services that provide a user’s position and deliver tailored experiences. They are generally used for getting from one location to another, tracking, mapping, and timing, and they are often available in smartphones, tablets, computers, and applications such as Facebook, Twitter, TikTok, and YouTube. Aside from these, the data is collected by location-based services, which can be provided to the data analyst for some business reasons, such as improving marketing strategies, organizational policies, and customer services. In this situation, it can lead to privacy violation concerns. To reduce these concerns when location-based data is provided to the data analyst or released to be utilized outside the scope of data collecting organizations, several privacy preservation models have been proposed, such as k-Anonymity, l-Diversity, t-Closeness, LKC-Privacy, differential privacy, and location-based privacy preservation models. Unfortunately, to the best of our knowledge about these privacy preservation models, they still have several vulnerabilities regarding privacy violation concerns that must be addressed when location-based data is released, i.e., privacy violation issues from inferring sensitive locations (e.g., specialized hospitals, pawnshops, prisons, and safe house), privacy violation issues from considering duplicate trajectory paths (i.e., although the user’s visited path duplicate with other paths, it still has privacy violation issues when it consists of a sensitive location), and privacy violation issues from considering unique locations (e.g., home, condominium, and office). Moreover, these privacy preservation models have data utility issues and data transformation complexity that must be improved. To address these vulnerabilities, a new privacy preservation model, (ξ, ϵ)-Privacy, is proposed in this work. 
It is based on data generalization and data suppression in conjunction with data sliding windows and R-Tree",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.683,
    "venue": "",
    "language": "de"
  },
  {
    "id": "openaire:S2589004225006431",
    "title": "On the fidelity versus privacy and utility trade-off of synthetic patient data",
    "authors": [
      "Tim Adams",
      "Colin Birkenbihl",
      "Karen Otte",
      "Hwei Geok Ng",
      "Jonas Adrian Rieling",
      "Anatol-Fiete Näher",
      "Ulrich Sax",
      "Fabian Prasser",
      "Holger Fröhlich"
    ],
    "date": "2024-12-08",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1016/j.isci.2025.112382",
    "pdfUrl": "https://europepmc.org/articles/PMC12059695?pdf=render",
    "doi": "10.1016/j.isci.2025.112382",
    "abstract": "<jats:title>Summary</jats:title><jats:p>The use of synthetic data is a widely discussed and promising solution for privacy-preserving medical research. Synthetic data may however not always be privacy preserving and can vary greatly in terms of data fidelity and utility.</jats:p><jats:p>We systematically evaluate the trade-offs between privacy, fidelity, and utility across five synthetic data models and three patient-level datasets. We evaluate fidelity based on statistical similarity to the real data, utility on three machine learning use cases and privacy via membership inference, singling out, and attribute inference risks. Synthetic data without differential privacy (DP) maintained fidelity and utility without evident privacy breaches, whereas DP-enforced models significantly disrupted correlation structures. K-anonymity-based data sanitization, while preserving fidelity, introduced notable privacy risks. Our findings emphasize the need to advance methods that effectively balance privacy, fidelity, and utility in synthetic patient data generation.</jats:p><jats:sec><jats:title>Highlights</jats:title><jats:list list-type=\"bullet\"><jats:list-item><jats:p>Differential Privacy (DP) had a detrimental effect on feature correlations</jats:p></jats:list-item><jats:list-item><jats:p>Models that did not implement DP showed good fidelity compared to real data</jats:p></jats:list-item><jats:list-item><jats:p>Non-DP synthetic models showed no strong evidence of privacy breaches</jats:p></jats:list-item><jats:list-item><jats:p>k-anonymization produced high fidelity data but showed notable privacy risks</jats:p></jats:list-item></jats:list></jats:sec>",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.683,
    "venue": "iScience",
    "language": "en"
  },
  {
    "id": "europepmc:39018389",
    "title": "Anonymization: The imperfect science of using data while preserving privacy.",
    "authors": [
      "Gadotti A",
      "Rocher L",
      "Houssiau F",
      "Creţu AM",
      "de Montjoye YA."
    ],
    "date": "2024-07-17",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1126/sciadv.adn7053",
    "pdfUrl": "https://europepmc.org/articles/PMC466941?pdf=render",
    "doi": "10.1126/sciadv.adn7053",
    "abstract": "Information about us, our actions, and our preferences is created at scale through surveys or scientific studies or as a result of our interaction with digital devices such as smartphones and fitness trackers. The ability to safely share and analyze such data is key for scientific and societal progress. Anonymization is considered by scientists and policy-makers as one of the main ways to share data while minimizing privacy risks. In this review, we offer a pragmatic perspective on the modern literature on privacy attacks and anonymization techniques. We discuss traditional de-identification techniques and their strong limitations in the age of big data. We then turn our attention to modern approaches to share anonymous aggregate data, such as data query systems, synthetic data, and differential privacy. We find that, although no perfect solution exists, applying modern techniques while auditing their guarantees against attacks is the best approach to safely use and share data today.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.683,
    "venue": "Science advances",
    "language": "de"
  },
  {
    "id": "crossref:10.31219/osf.io/2fvj7",
    "title": "Privacy-preserving data publishing through anonymization, statistical disclosure control, and de-identification",
    "authors": [
      "Grigorios Loukides",
      "Nik Lomax"
    ],
    "date": "2021-05-06",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.31219/osf.io/2fvj7",
    "pdfUrl": "",
    "doi": "10.31219/osf.io/2fvj7",
    "abstract": "<p>Recent developments in information technology allow the collection of massive amounts of data about individuals. These data capture a multitude of activities, characteristics, and aspects of the life of individuals, ranging from demographic, to financial and to health information. The use of the collected data is a valuable source for analyses, ranging from answering statistical (aggregate) queries to building statistical models for prediction and classification. However, there are considerable concerns regarding violations of personal privacy and misuse of the collected data. This paper provides an overview of methodological developments in the area of privacy-preserving data publishing, focusing on data anonymization and statistical disclosure control methods.</p>",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.683,
    "venue": "",
    "language": "en"
  },
  {
    "id": "crossref:10.21203/rs.3.rs-5821174/v1",
    "title": "Establishing a Comprehensive Data Protection Impact Assessment Methodology for Big Data Analytics in Compliance with the General Data Protection Regulation",
    "authors": [
      "Georgios Georgiadis",
      "Geert Poels"
    ],
    "date": "2025-01-15",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.21203/rs.3.rs-5821174/v1",
    "pdfUrl": "https://www.researchsquare.com/article/rs-5821174/v1",
    "doi": "10.21203/rs.3.rs-5821174/v1",
    "abstract": "<title>Abstract</title>\n        <p>In today’s digital landscape, as big data analytics (BDA) gain increasing significance, it is vital to have robust strategies for safeguarding privacy and data protection. This paper focuses on improving data protection impact assessments (DPIAs) in the context of BDA, aligning them with the principles of the General Data Protection Regulation (GDPR). Through a study that combines a Delphi approach with individual expert interviews, we have validated nine critical privacy touch points (PTPs) for adapting DPIA methodology to BDA environments. These PTPs, identified in our previous research, address key privacy and data protection issues in BDA, including consent nuances, definitions of data control, and challenges such as re-identification and discrimination. The result is a framework tailored to the unique landscape of BDA technologies. This research stands out by thoroughly analysing and validating these nine PTPs and offering actionable recommendations to enhance the existing DPIA framework. With the anticipated growth of artificial intelligence and large language models, BDA will continue to attract attention. Our research therefore contributes both academically and practically by supporting the evolution of thorough DPIA practices while providing guidance for policymakers, businesses, and privacy advocates.</p>",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.683,
    "venue": "",
    "language": "en"
  },
  {
    "id": "crossref:10.12794/metadc2481661",
    "title": "Comparison of Fully Homomorphic Encryption and Garbled Circuits approaches in Privacy-Preserving Machine Learning",
    "authors": [
      "Kalyan Cheerla"
    ],
    "date": "2025-10-14",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.12794/metadc2481661",
    "pdfUrl": "",
    "doi": "10.12794/metadc2481661",
    "abstract": "Machine Learning (ML) is making its way into fields such as healthcare, finance, and natural language processing (NLP), and concerns over data privacy and model confidentiality continue to grow. Privacy-Preserving Machine Learning (PPML) addresses this challenge by enabling inference on private data without revealing sensitive inputs or proprietary models. Leveraging Secure Computation techniques from Cryptography, two widely studied approaches in this domain are Fully Homomorphic Encryption (FHE) and Garbled Circuits (GC). This thesis presents a comparative evaluation of FHE and GC for secure neural network inference (SNNI). A two-layer neural network (NN) was implemented using the CKKS scheme from the Microsoft SEAL library (FHE) and the TinyGarble2.0 framework (GC) by IntelLabs. Both implementations are evaluated under a semi-honest threat model, measuring inference output error, round-trip time, peak memory usage, communication overhead, and communication rounds. Results reveal a trade-off: modular GC offers faster execution and lower memory consumption, while FHE supports non-interactive inference. The reproducible implementations aid secure model deployments in real-world ML-as-a-Service (MLaaS) settings.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.683,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1111/eulj.70008",
    "title": "Unveiling transparency in data protection enforcement across the EU: Assessing the level and quality of disclosure of GDPR fines by data protection authorities",
    "authors": [
      "Pablo Marcello Baquero",
      "Aluna Wang",
      "David Restrepo Amariles"
    ],
    "date": "2025-10-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1111/eulj.70008",
    "pdfUrl": "",
    "doi": "10.1111/eulj.70008",
    "abstract": "<jats:title>Abstract</jats:title>                   <jats:p>Despite the increasing recognition of data protection rights across the European Union (EU), evidence suggests they are often underenforced, thereby undermining the effectiveness of the General Data Protection Regulation (GDPR). This article shows that an often neglected aspect in GDPR enforcement is the variability in transparency exhibited by data protection authorities across EU Member States concerning the disclosure of fines. To bridge this research gap, we gathered data from 23 out of 27 EU data protection authorities (DPAs) and built an indicator to measure their level and quality of fines' disclosure. Our research uncovers disparities in the disclosure of GDPR fines across the EU. We examine the consequences of different levels of disclosure for individuals, entities, regulatory authorities and the data protection system. We argue that harmonised standards of transparency are necessary to ensure the effectiveness of the GDPR and the fundamental right to data protection across the EU.</jats:p>",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.683,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.5771/9783845294025",
    "title": "Building-Blocks of a Data Protection Revolution",
    "authors": [
      "Kulhari, Shraddha"
    ],
    "date": "2018-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.5771/9783845294025",
    "pdfUrl": "",
    "doi": "10.5771/9783845294025",
    "abstract": "The General Data Protection Regulation (GDPR) replaced the old and battered Data Protection Directive on 25 May 2018 after a long-drawn reform. The rapidly evolving technological landscape will test the ability of the GDPR to effectively achieve the goals of protecting personal data and the free movement of data. This book proposes a technological supplement to achieve the goal of data protection as enshrined in the GDPR. The proposal comes in the form of digital identity management platforms built on blockchain technology. However, the very structure of blockchain poses some significant challenges in terms of compatibility with the GDPR. Accordingly, the claim of GDPR being a technologically neutral legislation is examined. The compatibility of a blockchain-based solution is scrutinised on the parameters of data protection principles like accountability, data minimisation, control and data protection by design in conjunction with the right to be forgotten and right to data portability.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.683,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:S1472669618000051",
    "title": "The General Data Protection Regulation: the Next Generation of EU Data Protection",
    "authors": [
      "Sahar Bhaimia"
    ],
    "date": "2018-03-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1017/s1472669618000051",
    "pdfUrl": "",
    "doi": "10.1017/s1472669618000051",
    "abstract": "<jats:title>Abstract</jats:title><jats:p>This article, written by Sahar Bhaimia, presents an overview of the General Data Protection Regulation (EU) (<jats:italic>2016/679</jats:italic>) (<jats:bold>GDPR</jats:bold>) which will apply automatically across the EU on 25 May 2018. The GDPR is an update and reform of existing EU data protection law, first established by the Data Protection Directive (<jats:italic>1995/46/EC</jats:italic>). The article is for knowledge managers and information services professionals who may be asked to take on responsibility for GDPR, and focuses on the UK. It covers the fundamentals of EU data protection law, highlights key changes brought about by the GDPR, and provides practical tips and suggestions for knowledge managers.</jats:p>",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.683,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1007/978-3-030-83164-6_2",
    "title": "A Framework for Investigating GDPR Compliance Through the Lens of Security",
    "authors": [
      "Angelica Marotta",
      "Stuart Madnick"
    ],
    "date": "2021-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1007/978-3-030-83164-6_2",
    "pdfUrl": "",
    "doi": "10.1007/978-3-030-83164-6_2",
    "abstract": "The General Data Protection Regulation (GDPR) was widely seen as a significant step towards enhancing data protection and privacy. Unlike previous legislation, adherence to GDPR required organizations to assume greater responsibility for cybersecurity with respect to data processing. This shift represented a profound transformation in how businesses retain, use, manage, and protect data. However, despite these innovative aspects, the actual implementation of the GDPR security side poses some challenges. This paper attempts to identify positive and negative aspects of GDPR requirements and presents a new framework for analyzing them from a security point of view. Firstly, it provides an overview of the most significant scholarly perspectives on GDPR and cybersecurity. Secondly, it presents a systematic roadmap analysis and discussion of the requirements of GDPR in relation to cybersecurity. Results show that some of the GDPR security controls, such as the Data Protection Impact Assessments (DPIA), records on processing, and the appointment of a Data Protection Officer (DPO), are some of the most critical from a security viewpoint. Finally, it provides recommendations for tackling these challenges in the evolving compliance landscape.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.683,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:S0016718520301317",
    "title": "How the GDPR can contribute to improving geographical research",
    "authors": [
      "Meijering, Louise",
      "Osborne, Tess",
      "Hoorn, Esther",
      "Montagner, Cristina"
    ],
    "date": "2020-12-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1016/j.geoforum.2020.05.013",
    "pdfUrl": "",
    "doi": "10.1016/j.geoforum.2020.05.013",
    "abstract": "<p>As geographers, we often work with personal data, meaning that the European Union's General Data Protection Regulation (GDPR) can have a major impact upon our research. The GDPR is a set of legal requirements that serves to ensure the protection of personal data. In this paper, we reflect on our experiences of how the GDPR impacts upon the planning and conduct of (international) geographical research; and develop good data protection practices for geography. In so doing, we explore the Data Protection Impact Assessment (DPIA) as a method to explore data protection and privacy issues and discuss three relevant issues for geographers in relation to the GDPR: (1) informing research participants; (2) data management; and (3) international collaboration. Although it is time-consuming to make a project ‘GDPR proof’, the process helps researchers to thoroughly think through its privacy implications at an early stage. Thus, the GDPR does not make geographical research impossible, but rather contributes to making it more effective and fairer.</p>",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.683,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::1b18be67977eb757062958394c75055c",
    "title": "Understanding the DNA of EU's GDPR",
    "authors": [
      "Editorial Team, IndraStra Global"
    ],
    "date": "2018-04-18",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.5281/zenodo.1221358",
    "pdfUrl": "",
    "doi": "10.5281/zenodo.1221358",
    "abstract": "On May 25, 2018, a new data protection regulation touted as <strong>General Data Protection Regulation (GDPR), Regulation (European Union - EU) 2016/689</strong>, will come into force in the European Union (EU) and its 28 Member States. It will replace the <strong>1995 EU Data Protection Directive 95/46/EC</strong>. The GDPR will have a significant impact on protecting the data and digital footprint of users of apps and other digital platforms. It will provide significant new data privacy protections for individuals residing in EU states.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.683,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.2139/ssrn.3584219",
    "title": "The Data Protection Impact Assessment as a Tool to Enforce Non-Discriminatory AI",
    "authors": [
      "Yordanka Ivanova"
    ],
    "date": "2020-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.2139/ssrn.3584219",
    "pdfUrl": "",
    "doi": "10.2139/ssrn.3584219",
    "abstract": "This paper argues that the novel tools under the General Data Protection Regulation (GDPR) may provide an effective legally binding mechanism for enforcing non-discriminatory AI systems. Building on relevant guidelines, the generic literature on impact assessments and algorithmic fairness, this paper aims to propose a specialized methodological framework for carrying out a Data Protection Impact Assessment (DPIA) to enable controllers to assess and prevent ex ante the risk to the right to non-discrimination as one of the key fundamental rights that GDPR aims to safeguard.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.683,
    "venue": "Lecture notes in computer science",
    "language": "en"
  },
  {
    "id": "openaire:10.2139/ssrn.5378592",
    "title": "On a Deceptive Intersection: Data Subjects' Rights and Labour Protection. Building the Labour Scope of Data Protection",
    "authors": [
      "Molè, Michele"
    ],
    "date": "2025-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.2139/ssrn.5378592",
    "pdfUrl": "",
    "doi": "10.2139/ssrn.5378592",
    "abstract": "The General Data Protection Regulation (GDPR, EU Reg. 2016/679) grants several individual rights and principles to the employee: information, purpose limitation and consent are cornerstones for a lawful data processing by the data controller (the employer). As a result of the widespread use of employee digital surveillance, the sphere of control and protection over the data subject's personal information has been transposed by mainstream labour law literature as a counterbalance to the new digital authority of the employer.<br/>Yet, the new data-intensive systems such as Artificial Intelligence (AI) and the Internet of Things (IoT) are still perpetrating ‘one-way mirror’ effects in workplace surveillance, with significant externalities on social rights such as trade union rights or equal treatment; in addition to the doubts raised by data protection authorities on the effectiveness of freely given consent in subordinate employment. From these premises, the present contribution aims to highlight the deceptive application of data subjects' rights in the guises of labour rights to protect fundamental freedoms at work. The recent literature has in fact questioned the threshold of transparency and purpose limitation ensured by individual rights regimes in curbing the impact of such surveillance on employees' rights. The contemporary data processing requires a regulatory approach that – besides personality rights – addresses the scope of data protection at work according to the proper function of labour regulation: interfering in the (data) market for a proper balance between economic needs and fundamental labour rights.<br/>To this end, the present contribution classifies the three relevant intersections between data and labour protection in the existing regulatory framework: the rights of the data subject (Art. 12-22 GDPR); social consultation and data processing (Art. 88 GDPR); data protection impact assessment (Art. 32-35 GDPR, Proposal for an AI Regulation). Reasoning f",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.683,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::c3037ea8068d79a756a40ab052938966",
    "title": "Contributions to Statistical Theory of Data Privacy",
    "authors": [
      "Qu, Chang"
    ],
    "date": "2025-01-14",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.20381/ruor-30858",
    "pdfUrl": "",
    "doi": "10.20381/ruor-30858",
    "abstract": "This thesis explores key challenges and methodologies in the statistical theory of data privacy, focusing on disclosure risk assessment and synthetic data generation. The research reviews established privacy frameworks, such as k-anonymity, l-diversity, t-closeness, and differential privacy, and highlights their practical limitations. To address these gaps, a new approach to Correct Attribution Probability (CAP) is proposed, utilizing equivalence classes to enhance applicability and interpretability. The thesis also provides a detailed analysis of synthetic data generation methods, assessing their utility and privacy implications, and thoroughly examines the Synthpop package. Several improvements to Synthpop are proposed, including better handling of data dependencies, the incorporation of privacy metrics like differential privacy, and more robust utility evaluation methods. These contributions aim to improve the balance between data privacy and utility.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.683,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.48001/978-81-980647-0-7-4",
    "title": "The Impact of Artificial Intelligence on Customer Experience and Personalization",
    "authors": [
      "Margaret Mary T",
      "G Prathap",
      "Chris Asri Samuel G",
      "Mahesh M",
      "Immaculate Aradhana R",
      "Hajra Bee"
    ],
    "date": "2025-05-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.48001/978-81-980647-0-7-4",
    "pdfUrl": "",
    "doi": "10.48001/978-81-980647-0-7-4",
    "abstract": "<jats:p>In the age of big data, securing sensitive information is critical for maintaining privacy and protecting organizational assets. Anonymization and data masking are key methods for safeguarding data while retaining its usefulness for analysis, testing, and regulatory compliance. Data masking conceals original information by replacing it with realistic but fictional data, protecting sensitive details without losing functionality. Anonymization removes or modifies identifiable information to ensure privacy, making the process irreversible. These techniques are vital in big data analytics, where large datasets often contain personally identifiable information (PII) or other confidential data. This paper explores types of data anonymization, including pseudonymization and various masking techniques such as substitution, shuffling, and randomization. It also examines entity-based data masking to maintain referential integrity, and compares static and dynamic data masking approaches for different use cases across structured and unstructured data. Finally, it addresses challenges in applying anonymization to software testing, analytics, training, and compliance, underscoring the importance of these practices in enabling secure, privacy-conscious data insights.</jats:p>",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.683,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::a0d5b087dcbced92c3f8bc98357f5104",
    "title": "Privacy Preserving Techniques Applied to CPNI Data: Analysis and Recommendations",
    "authors": [
      "Murray Jr, Jeffrey",
      "Mashhadi, Afra",
      "Lagesse, Brent",
      "Stiber, Michael"
    ],
    "date": "2021-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.48550/arxiv.2101.09834",
    "pdfUrl": "",
    "doi": "10.48550/arxiv.2101.09834",
    "abstract": "With mobile phone penetration rates reaching 90%, Consumer Proprietary Network Information (CPNI) can offer extremely valuable information to different sectors, including policymakers. Indeed, as part of CPNI, Call Detail Records have been successfully used to provide real-time traffic information, to improve our understanding of the dynamics of people's mobility and so to allow prevention and measures in fighting infectious diseases, and to offer population statistics. While there is no doubt of the usefulness of CPNI data, privacy concerns regarding sharing individuals' data have prevented it from being used to its full potential. Traditional anonymization measures, such as pseudonymization and standard de-identification, have been shown to be insufficient to protect privacy. This has been specifically shown on mobile phone datasets. As an example, researchers have shown that with only four data points of approximate place and time information of a user, 95% of users could be re-identified in a dataset of 1.5 million mobile phone users. In this landscape paper, we will discuss the state-of-the-art anonymization techniques and their shortcomings.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.683,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.55859/ijiss.1212964",
    "title": "Privacy Issues in Magnetic Resonance Images",
    "authors": [
      "Mahmut KAPKİÇ",
      "Şeref SAĞIROĞLU"
    ],
    "date": "2023-03-10",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.55859/ijiss.1212964",
    "pdfUrl": "https://dergipark.org.tr/en/download/article-file/2806204",
    "doi": "10.55859/ijiss.1212964",
    "abstract": "<jats:p xml:lang=\"en\">Privacy in magnetic resonance imaging (MRI) plays an important role due to violations occurring in scanning, storing, transferring, analyzing, and sharing. This paper reviews privacy concerns in MRI, and especially brain MRI, in terms of datasets, models, platforms, violations, and solutions used for privacy and security in the literature, and discusses important issues based on risks, techniques, policies, rules, and existing and missing points in MRIs. Even though rules, regulations, policies, and laws are available for preserving privacy with the available techniques (anonymization, differential privacy, federated learning, pseudonymization, synthetic data generation), the privacy-utility or anonymization-utility dilemma is still ongoing, and novel privacy-enhancing or privacy-preserving techniques are always required to handle sensitive data with care. This paper focuses on these issues with some suggestions, and also discusses these issues for future directions.</jats:p>",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.683,
    "venue": "International Journal of Information Security Science",
    "language": "en"
  },
  {
    "id": "openaire:10.1007/978-3-319-97719-5_9",
    "title": "Privacy in Big Data Through Variable t-Closeness for MSN Attributes",
    "authors": [
      "Zakariae El Ouazzani",
      "Hanan El Bakkali"
    ],
    "date": "2018-07-28",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1007/978-3-319-97719-5_9",
    "pdfUrl": "",
    "doi": "10.1007/978-3-319-97719-5_9",
    "abstract": "With the increased and extensive use of online data, the notion of big data has been widely studied in the literature recently. In fact, a large quantity of sensitive personal information could be contained in high-dimensional databases. This data needs to be sanitized before publishing. In this context, many ways were proposed in order to ensure privacy in big data, including pseudonymization, cryptographic and anonymization techniques. T-closeness has been studied and treated with great interest as an anonymization technique ensuring privacy in big data when dealing with sensitive attributes. Although t-closeness could be applied when treating quasi-identifier attributes, it is more suitable for sensitive attributes. Despite the fact that many algorithms for t-closeness have been proposed, many of them assume that the threshold t of t-closeness is set to a fixed value. In this chapter, a method using t-closeness for multiple sensitive numerical (MSN) attributes is presented. The method could be applied on both single and multiple sensitive numerical attributes. In the case where the data set contains attributes with high correlation, then our method will be applied only on one numerical attribute. In addition, a new algorithm called variable t-closeness for multiple sensitive numerical attributes was implemented. Our algorithm gives good results in terms of data anonymization and was experimentally evaluated on a test table. Furthermore, we highlighted all the steps of our proposed algorithm with detailed comments.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.683,
    "venue": "",
    "language": "en"
  },
  {
    "id": "s2:50a1d32f7a9946e30b66fc894036193dfeae28da",
    "title": "Privacy preserving sentiment analysis on multiple edge data streams with Apache NiFi",
    "authors": [
      "Abhinay Pandya",
      "Panos Kostakos",
      "Hassan Mehmood",
      "Marta Cortés",
      "Ekaterina Gilman",
      "M. Oussalah",
      "S. Pirttikangas"
    ],
    "date": "2019-11-01",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/50a1d32f7a9946e30b66fc894036193dfeae28da",
    "pdfUrl": "https://zenodo.org/records/4298915/files/Privacy%20preserving%20sentiment%20analysis%20on%20multiple%20edge%20data%20streams%20with%20Apache%20NiFi.pdf",
    "doi": "10.1109/EISIC49498.2019.9108851",
    "abstract": "Sentiment analysis, also known as opinion mining, plays a big role in both private and public sector Business Intelligence (BI); it attempts to improve public and customer experience. Nevertheless, de-identified sentiment scores from public social media posts can compromise individual privacy due to their vulnerability to record linkage attacks. Established privacy-preserving methods like k-anonymity, l-diversity and t-closeness are offline models exclusively designed for data at rest. Recently, a number of online anonymization algorithms (CASTLE, SKY, SWAF) have been proposed to complement the functional requirements of streaming applications, but without open-source implementation. In this paper, we present a reusable Apache NiFi dataflow that buffers tweets from multiple edge devices and performs anonymized sentiment analysis in real-time, using randomization. The solution can be easily adapted to suit different scenarios, enabling researchers to deploy custom anonymization algorithms.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.683,
    "venue": "European Intelligence and Security Informatics Conference",
    "language": "en"
  },
  {
    "id": "openaire:10.31228/osf.io/6fvgh",
    "title": "Analysis of the NHSX Contact Tracing App ‘Isle of Wight’ Data Protection Impact Assessment",
    "authors": [
      "Veale, Michael"
    ],
    "date": "2020-05-09",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.31228/osf.io/6fvgh",
    "pdfUrl": "",
    "doi": "10.31228/osf.io/6fvgh",
    "abstract": "<p>This note examines the published data protection impact assessment (DPIA) released by NHSX in relation to their contact tracing/proximity tracing app. It highlights a range of significant issues which leave the app falling short of data protection legislation. It does this so that these issues can be remedied before the next DPIA is published. The main issues this note focuses on are the following: Personal data - The DPIA must not claim this data is anonymous, or that the app preserves anonymity, as under UK law, it does not. - The document (and associated public messaging) must be changed throughout to reflect the fact that it is not the case that personal data about a user is only uploaded with a user’s permission, as other people upload data revealing a user's social interactions. User rights - The lawful basis for a blanket refusal of the right to erasure is unspecified by NHSX in this DPIA. - The NHSX App unlawfully designs out the right to access when there is a legal obligation to design it in. - If the controller plans to, as with the right to erasure and the right to access, refuse all attempts at the right to object, this needs a justification in the DPIA. Monitoring and automated decision making - The DPIA must acknowledge the NHSX App systematically monitors publicly accessible spaces. - The DPIA does not set out a valid lawful basis for the solely automated, significant decision-making it correctly identifies as occurring. - The information contained in the document embedded in the DPIA describing the logic of automated decisions must be provided under GDPR, article 13. Prior consultation and e-Privacy - The Information Commissioner must be consulted prior to processing within the meaning of GDPR, art 36, not just briefed. - The DPIA should explain how the Privacy and Electronic Communications Regulations are complied with, both in relation to Bluetooth usage and in relation to embedded trackers. The note does not consider alternative architectures or",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.683,
    "venue": "",
    "language": "en"
  },
  {
    "id": "pubmed:37589648",
    "title": "The significance of general data protection regulation in the compliant data contribution to the European Society of Thoracic Surgeons database.",
    "authors": [
      "Bertolaccini, Luca",
      "Falcoz, Pierre-Emmanuel",
      "Brunelli, Alessandro",
      "Batirel, Hasan",
      "Furak, Jozsef",
      "Passani, Stefano",
      "Szanto, Zalan"
    ],
    "date": "2023-09-07",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1093/ejcts/ezad289",
    "pdfUrl": "",
    "doi": "10.1093/ejcts/ezad289",
    "abstract": "The General Data Protection Regulation (GDPR), enacted in the European Union in 2018, has significantly transformed the landscape of personal data management and protection. This article provides an overview of GDPR's impact, focusing on its applicability, fundamental principles and influence on data management practices, particularly within the European Society of Thoracic Surgeons (ESTS) database. GDPR's reach extends to all entities collecting and processing personal data of European Union residents, regardless of their location. It encompasses various data types, emphasizing meticulous handling and protection of identifiable information. Special categories of data, such as health and sensitive attributes, require even more stringent protection. The regulation sets legal, fair and transparent data processing principles, emphasizing accuracy, purpose limitation and data minimization. It also stresses accountability, leading to the appointment of Data Protection Officers and significant penalties for non-compliance. The ESTS database, designed to enhance thoracic surgical research and care, collects data on European procedures. It follows GDPR principles by pseudonymizing data, ensuring secure data transmission and providing clear instructions for data submission. The database contributes to research, policymaking and practice improvement in thoracic surgery by offering a comprehensive dataset for analysis. Here, we aim to shed light on the complexities of GDPR implementation and emphasize the need for comprehensive data management strategies to ensure compliance and enhance privacy protection with the contribution to the ESTS database. GDPR compliance comes with challenges, including potential human dignity and privacy rights violations. Data breaches can result in unauthorized disclosures, and non-compliance can lead to substantial fines and reputational damage. The implementation of GDPR encourages organizations to prioritize ethical data practices, security mea",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.683,
    "venue": "European journal of cardio-thoracic surgery : official journal of the European Association for Cardio-thoracic Surgery",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3132340800",
    "title": "Using Secure Multi-Party Computation to Protect Privacy on a Permissioned Blockchain",
    "authors": [
      "Jiapeng Zhou",
      "Yuxiang Feng",
      "Zhenyu Wang",
      "Danyi Guo"
    ],
    "date": "2021",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.3390/s21041540",
    "pdfUrl": "https://www.mdpi.com/1424-8220/21/4/1540/pdf?version=1614177408",
    "doi": "https://doi.org/10.3390/s21041540",
    "abstract": "The development of information technology has brought great convenience to our lives, but at the same time, the unfairness and privacy issues brought about by traditional centralized systems cannot be ignored. Blockchain is a peer-to-peer and decentralized ledger technology that has the characteristics of transparency, consistency, traceability and fairness, but it reveals private information in some scenarios. Secure multi-party computation (MPC) guarantees enhanced privacy and correctness, so many researchers have been trying to combine secure MPC with blockchain to deal with privacy and trust issues. In this paper, we used homomorphic encryption, secret sharing and zero-knowledge proofs to construct a publicly verifiable secure MPC protocol consisting of two parts-an on-chain computation phase and an off-chain preprocessing phase-and we integrated the protocol as part of the chaincode in Hyperledger Fabric to protect the privacy of transaction data. Experiments showed that our solution performed well on a permissioned blockchain. Most of the time taken to complete the protocol was spent on communication, so the performance has a great deal of room to grow.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.683,
    "venue": "Sensors",
    "language": "en"
  },
  {
    "id": "doaj:abb280885c47468fa3fc2d7b6c2b317e",
    "title": "Efficient SMC Protocol Based on Multi-Bit Fully Homomorphic Encryption",
    "authors": [
      "Zong-Wu Zhu",
      "Ru-Wei Huang"
    ],
    "date": "2021",
    "platform": "doaj",
    "sourceUrl": "https://www.mdpi.com/2076-3417/11/21/10332",
    "pdfUrl": "",
    "doi": "10.3390/app112110332",
    "abstract": "Aiming at the problems of large ciphertext size and low efficiency in the current secure multi-party computation (SMC) protocol based on fully homomorphic encryption (FHE), the paper proves that the fully homomorphic encryption scheme that supports multi-bit encryption proposed by Chen Li et al. satisfies the key homomorphism. Based on this scheme and threshold decryption, a three-round, interactive, leveled, secure multi-party computation protocol under the Common Random String (CRS) model is designed. The protocol is proved to be safe under the semi-honest model and the semi-malicious model. From the non-interactive zero-knowledge proof, it can be concluded that the protocol is also safe under the malicious model. Its security can be attributed to the Decisional Learning With Errors (DLWE) and a variant of this problem (some-are-errorless LWE). Compared with the existing secure multi-party computation protocol based on fully homomorphic encryption under the CRS model, the ciphertext size of this protocol is smaller, the efficiency is higher, the storage overhead is smaller, and the overall performance is better than the existing protocol.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.683,
    "venue": "Applied Sciences",
    "language": "en"
  },
  {
    "id": "doaj:d61cc3f20f9b4770bf14ba3b4a88e5fc",
    "title": "AI-driven anonymization for secure and privacy-preserving business intelligence cloud migration",
    "authors": [
      "Najia Khouibiri",
      "Yousef Farhaoui",
      "Ahmad El Allaoui"
    ],
    "date": "2026",
    "platform": "doaj",
    "sourceUrl": "https://doi.org/10.1007/s10791-025-09898-3",
    "pdfUrl": "",
    "doi": "10.1007/s10791-025-09898-3",
    "abstract": "Abstract Sensitive data protection is a key issue in the context of Business Intelligence (BI), especially considering the increasing emergence of outsourcing computing over cloud. This paper presents an AI-driven automated solution designed to conceal sensitive data while maintaining its integrity for analytical purposes. We developed an anonymization pipeline that applies technologies such as pseudonymization and data masking, supported by machine learning for sensitive data detection. Our experiments demonstrate that anonymized data retains its analytical value with minimal impact on performance and accuracy, providing a solid foundation for secure and efficient BI outsourcing computing over cloud.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.683,
    "venue": "Discover Computing",
    "language": "en"
  },
  {
    "id": "hal:2076303",
    "title": "Protecting Infrastructure Data via Enhanced Access Control, Blockchain and Differential Privacy",
    "authors": [
      "Asma Alnemari",
      "Suchith Arodi",
      "Valentina Rodriguez Sosa",
      "Soni Pandey",
      "Carol Romanowski",
      "Rajendra Raj",
      "Sumita Mishra"
    ],
    "date": "2018-03-12",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-02076303v1",
    "pdfUrl": "https://hal.science/hal-02076303/document",
    "doi": "10.1007/978-3-030-04537-1_7",
    "abstract": "Protecting critical infrastructure data is challenging because it typically includes sensitive information that is often needed by analysts to answer crucial questions about the critical infrastructure. For example, in the healthcare sector, epidemiologists need to analyze personally identifiable information to track the spread of diseases or regional emergency services managers may need to view details of all 911 calls made during a hurricane or terrorist incident. In other situations where personally identifying information is not needed to perform analyses, studies have shown that anonymization approaches such as k-anonymity or l-diversity cannot safeguard the information from inadvertent or malicious exposure. Additionally, recent data breaches involving critical infrastructure information demonstrate that current access control mechanisms, including role-based access control, are neither sufficient to secure the information nor adequate to prevent the ensuing loss of privacy. This chapter presents a novel approach that integrates existing access control mechanisms with blockchain and differential privacy to protect infrastructure data.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.683,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:1875518",
    "title": "Long White Cloud (LWC): A Practical and Privacy-Preserving Outsourced Database",
    "authors": [
      "Shujie Cui",
      "Ming Zhang",
      "Muhammad Rizwan Asghar",
      "Giovanni Russello"
    ],
    "date": "2017-09-28",
    "platform": "hal",
    "sourceUrl": "https://inria.hal.science/hal-01875518v1",
    "pdfUrl": "https://inria.hal.science/hal-01875518/document",
    "doi": "10.1007/978-3-319-93524-9_3",
    "abstract": "To fully benefit from a cloud storage approach, privacy in outsourced databases needs to be preserved in order to protect information about individuals and organisations from malicious cloud providers. As shown in recent studies [1, 2], encryption alone is insufficient to prevent a malicious cloud provider from analysing data access patterns and mounting statistical inference attacks on encrypted databases. In order to thwart such attacks, actions performed on outsourced databases need to be oblivious to cloud service providers. Approaches, such as Fully Homomorphic Encryption (FHE), Oblivious RAM (ORAM), or Secure Multi-Party Computation (SMC) have been proposed but they are still not practical. This paper investigates and proposes a practical privacy-preserving scheme, named Long White Cloud (LWC), for outsourced databases with a focus on providing security against statistical inferences. Performance is a key issue in the search and retrieval of encrypted databases. LWC supports logarithmic-time insert, search and delete queries executed by outsourced databases with minimised information leakage to curious cloud service providers. As a proof-of-concept, we have implemented LWC and compared it with a plaintext MySQL database: even with a database size of 10M records, our approach shows only a 10-time slowdown factor.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.683,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:5410559",
    "title": "Block-PAD: A blockchain-enabled framework for resilient and flexible CBDC transactions leveraging digital identity",
    "authors": [
      "Olivier Atangana",
      "Lyes Khoukhi",
      "Morgan Barbier",
      "Ahmet Kokcam"
    ],
    "date": "2026-02",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-05410559v1",
    "pdfUrl": "",
    "doi": "10.1016/j.comnet.2025.111805",
    "abstract": "In an economic landscape increasingly dominated by the proliferation of virtual currencies and the rise of digital payments, Central Bank Digital Currencies (CBDCs) emerge as a credible payment alternative. CBDCs, researched extensively by both governmental and non-governmental financial institutions, promise to digitize fiat money, making it more efficient, cost-effective, rapid, and financially inclusive. However, realizing such prospects hinges on overcoming challenges that address monetary policy support, privacy, regulatory compliance, security, resilience, and now consumer-desired features. This paper introduces Block-PAD, a novel blockchain-enabled framework specifically designed to enhance the resilience and flexibility of CBDC transactions. Our solution introduces: 1) a full transferable offline payment method (Alice to Bob); 2) A staged (hybrid) offline payment method (Bob to Carla) 3) an end-to-end privacy that aligns with regulatory standards; 4) a security framework assessed by properties of unlinkability, undeniability, clearance, balance integrity, and protection against double spending and incoming; and 5) interoperability between traditional payment schemes and the CBDC paradigm. Leveraging blockchain, privacy accountability description, (PAD), eID wallets, Trusted Execution Environment, and three Privacy Enhancing Technologies (PETs): blind signature, zk-SNARK, and full homomorphic encryption Cheon-Kim-Kim-Song (CKKS). Block-PAD stands as an innovative solution embodying privacy by design and regulatory compliance. Experimental results demonstrate that our solution delivers exceptional transaction performance with low latency and high throughput, while effectively integrating privacy-enhancing technologies without significant computational overhead. The system also proves robust and scalable, making it highly suitable for real-world retail and micro-payment scenarios.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.683,
    "venue": "Computer Networks",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4385412448",
    "title": "smartFHE: Privacy-Preserving Smart Contracts from Fully Homomorphic Encryption",
    "authors": [
      "Ravital Solomon",
      "Rick Weber",
      "Ghada Almashaqbeh"
    ],
    "date": "2023",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1109/eurosp57164.2023.00027",
    "pdfUrl": "http://xplorestaging.ieee.org/ielx7/10190357/10190476/10190530.pdf?arnumber=10190530",
    "doi": "https://doi.org/10.1109/eurosp57164.2023.00027",
    "abstract": "Despite the great potential and flexibility of smart contract-enabled blockchains, building privacy-preserving applications using these platforms remains an open question. Existing solutions fall short since they ask end users to coordinate and perform the computation off-chain themselves. While such an approach reduces the burden of the miners of the system, it largely limits the ability of lightweight users to enjoy privacy since performing the actual computation on their own and attesting to its correctness is expensive even with state-of-the-art proof systems.To address this limitation, we propose smartFHE, a framework to support private smart contracts using fully homomorphic encryption (FHE). To the best of our knowledge, smartFHE is the first to use FHE in the blockchain model; moreover, it is the first to support arbitrary privacy-preserving applications for lightweight users under the same computation-on-demand model pioneered by Ethereum. smartFHE does not overload the user since miners are instead responsible for performing the private computation. This is achieved by employing FHE so miners can compute over encrypted data and account balances. Users are only responsible for proving well-formedness of their private inputs using efficient zero-knowledge proof systems (ZKPs). We formulate a notion for a privacy-preserving smart contract (PPSC) scheme and show a concrete instantiation of our smartFHE framework. We address challenges resulting from using FHE in the blockchain setting—including concurrency and dealing with leveled schemes. We also show how to choose suitable FHE and ZKP schemes to instantiate our framework, since naively choosing these will lead to poor performance in practice. We formally prove correctness and security of our construction. Finally, we conduct experiments to evaluate its efficiency, including comparisons with a state-of-the-art scheme and testing several private smart contract applications. 
We have open-sourced our (highly optimized) ZKP library, which could be of independent interest.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.683,
    "venue": "2023 IEEE 8th European Symposium on Security and Privacy (EuroS&amp;P)",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W7131399673",
    "title": "Revisiting Data Anonymization: Limitations and Challenges in the ERA of Large Language Models",
    "authors": [
      "Sandeep Kalari",
      "Sahithi Padidela",
      "Vikas Ashok",
      "Ravi Mukkamala"
    ],
    "date": "2026",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1109/ccwc67433.2026.11393858",
    "pdfUrl": "",
    "doi": "https://doi.org/10.1109/ccwc67433.2026.11393858",
    "abstract": "Traditional data anonymization techniques-including generalization, suppression, perturbation, and masking-were designed for an era of limited contextual modeling. These methods effectively balanced privacy protection and data utility for structured, textual, audio, and visual data. However, the emergence of Large Language Models (LLMs) and multimodal foundation architectures has fundamentally disrupted this balance. Modern models, equipped with powerful representation-learning and cross-modal reasoning, can infer or reconstruct masked identities using contextual, semantic, or visual cues, rendering traditional anonymization insufficient. This paper surveys anonymization techniques across tabular, textual, audio, and video domains, comparing their effectiveness before and after the advent of LLMs. Through controlled experiments, we demonstrate that context-aware LLMs can accurately re-identify subjects from anonymized datasets, even when explicit identifiers are removed. The results reveal that traditional anonymization fails to address contextual inference threats, calling for a paradigm shift toward holistic, multi-layered, privacy-preserving approaches. We discuss emerging strategies-such as differential privacy, federated learning, synthetic data generation, and LLM-in-the-loop anonymization-as potential solutions for privacy preservation in the LLM era.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.683,
    "venue": "Computing and Communication Workshop and Conference",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2999879249",
    "title": "The GDPR as <i>Global</i> Data Protection Regulation?",
    "authors": [
      "Cedric Ryngaert",
      "Mistale Taylor"
    ],
    "date": "2020",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1017/aju.2019.80",
    "pdfUrl": "https://www.cambridge.org/core/services/aop-cambridge-core/content/view/CB416FF11457C21B02C0D1DA7BE8E688/S2398772319000801a.pdf/div-class-title-the-gdpr-as-span-class-italic-global-span-data-protection-regulation-div.pdf",
    "doi": "https://doi.org/10.1017/aju.2019.80",
    "abstract": "The deterritorialization of the Internet and international communications technology has given rise to acute jurisdictional questions regarding who may regulate online activities. In the absence of a global regulator, states act unilaterally, applying their own laws to transborder activities. The EU's “extraterritorial” application of its data protection legislation—initially the Data Protection Directive (DPD) and, since 2018, the General Data Protection Regulation (GDPR)—is a case in point. The GDPR applies to “ the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union , where the processing activities are related to: (a) the offering of goods or services . . . to such data subjects in the Union; or (b) the monitoring of their behaviour . . . within the Union.” It also conditions data transfers outside the EU on third states having adequate (meaning essentially equivalent) data protection standards. This essay outlines forms of extraterritoriality evident in EU data protection law, which could be legitimized by certain fundamental rights obligations. It then looks at how the EU balances data protection with third states’ countervailing interests. This approach can involve burdens not only for third states or corporations, but also for the EU political branches themselves. EU law viewed through the lens of public international law shows how local regulation is going global, despite its goal of protecting only EU data subjects.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.683,
    "venue": "AJIL Unbound",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3131941119",
    "title": "Towards a method for data protection impact assessment: Making sense of GDPR requirements",
    "authors": [
      "Dariusz Kloza",
      "Niels van Dijk",
      "Simone Casiraghi",
      "Sergi Vázquez Maymir",
      "Sara Roda",
      "Alessia Tanas",
      "Ioulia Konstantinou"
    ],
    "date": "2020",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.31228/osf.io/es8bm",
    "pdfUrl": "",
    "doi": "https://doi.org/10.31228/osf.io/es8bm",
    "abstract": "This policy brief offers a method for conducting the process of data protection impact assessment (DPIA) for the European Union (EU). First, as a prerequisite, it offers a generic method for impact assessment, meant to be used – upon tailoring down – in any domain of practice, such as environment, technology development or regulation (Section 2). Next, building on the said generic method and interpreting the requirements of the General Data Protection Regulation (GDPR), this policy brief offers a specific method for the process of DPIA in the EU (Section 3). In particular, the policy brief aims to clarify two crucial aspects of the second method, proven thus far the most contentious. These aspects are: the appraisal techniques, i.e. the necessity and proportionality assessment, and risk appraisal, as well as the stakeholder involvement (public participation) in decision-making. Section 4 summarizes the findings and calls for further guidance, clarifications and tailoring down. This policy brief is addressed predominantly to policy-makers developing assessment methods as well as to assessors conducting the assessment process in accordance therewith.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.683,
    "venue": "",
    "language": "en"
  },
  {
    "id": "s2:841fd18733b97e8a2e4b760d6e6dc331dee58d60",
    "title": "Data privacy in the Internet of Things based on anonymization: A review",
    "authors": [
      "Flávio Neves",
      "Rafael Souza",
      "Juliana Sousa",
      "Michel S. Bonfim",
      "Vinícius Garcia"
    ],
    "date": "2023-01-11",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/841fd18733b97e8a2e4b760d6e6dc331dee58d60",
    "pdfUrl": "",
    "doi": "10.3233/JCS-210089",
    "abstract": "The Internet of Things (IoT) has shown rapid growth in recent years. However, it presents challenges related to the lack of standardization of communication produced by different types of devices. Another problem area is the security and privacy of data generated by IoT devices. Thus, with the focus on grouping, analyzing, and classifying existing data security and privacy methods in IoT, based on data anonymization, we have conducted a Systematic Literature Review (SLR). We have therefore reviewed the history of works developing solutions for security and privacy in the IoT, particularly data anonymization and the leading technologies used by researchers in their work. We also discussed the challenges and future directions for research. The objective of the work is to give order to the main approaches that promise to provide or facilitate data privacy using anonymization in the IoT area. The study’s results can help us understand the best anonymization techniques to provide data security and privacy in IoT environments. In addition, the findings can also help us understand the limitations of existing approaches and identify areas for improvement. The results found in most of the studies analyzed indicate a lack of consensus in the following areas: (i) with regard to a solution with a standardized methodology to be applied in all scenarios that encompass IoT; (ii) the use of different techniques to anonymize the data; and (iii), the resolution of privacy issues. On the other hand, results made available by the k-anonymity technique proved efficient in combination with other techniques. In this context, data privacy presents one of the main challenges for broadening secure domains in applying privacy with anonymity.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.683,
    "venue": "Journal of computing and security",
    "language": "en"
  },
  {
    "id": "s2:77dc728e0333ad981aceec4634497917fb77eb4d",
    "title": "A Classification of non-Cryptographic Anonymization Techniques Ensuring Privacy in Big Data",
    "authors": [
      "Zakariae El Ouazzani",
      "H. Bakkali"
    ],
    "date": "2020-04-26",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/77dc728e0333ad981aceec4634497917fb77eb4d",
    "pdfUrl": "",
    "doi": "10.54039/IJCNIS.V12I1.4401",
    "abstract": "Recently, Big Data processing becomes crucial to most enterprise and government applications due to the fast growth of the collected data. However, this data often includes private personal information that arise new security and privacy concerns. Moreover, it is widely agreed that the sheer scale of big data makes many privacy preserving techniques unavailing. Therefore, in order to ensure privacy in big data, anonymization is suggested as one of the most efficient approaches. In this paper, we will provide a new detailed classification of the most used non-cryptographic anonymization techniques related to big data including generalization and randomization approaches. Besides, the paper evaluates the presented techniques through integrity, confidentiality and credibility criteria. In addition, three relevant anonymization techniques including k-anonymity, l-diversity and t-closeness are tested on an extract of a huge real data set.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.683,
    "venue": "Int. J. Commun. Networks Inf. Secur.",
    "language": "en"
  },
  {
    "id": "s2:0942ccdb7b0f06079c9d3363ab5ccd6ebced996c",
    "title": "Improving Cybersecurity in Hospital Information Systems Through Anonymization Techniques",
    "authors": [
      "Jakub Rapšík",
      "Michal Kvet"
    ],
    "date": "2025-01-23",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/0942ccdb7b0f06079c9d3363ab5ccd6ebced996c",
    "pdfUrl": "",
    "doi": "10.1109/SAMI63904.2025.10883123",
    "abstract": "In an era of increasing cybersecurity threats, protecting sensitive patient information in hospital information systems (HIS) is critical. This paper analyzes and tests various anonymization techniques within a HIS developed for healthcare. Techniques such as generalization, k-anonymity, pseudonymization, and data masking were evaluated for their effectiveness in mitigating data leakage risks while maintaining system performance. The findings highlight the importance of balancing security with operational efficiency, showing that anonymization enhances data privacy but can introduce performance reduction. These results offer a practical approach for securing HIS without compromising service delivery.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.683,
    "venue": "International Symposium on Applied Machine Intelligence and Informatics",
    "language": "en"
  },
  {
    "id": "s2:6ff1bd223fc7ab2c7448529616e597479e6e04f2",
    "title": "Anonymizing Driver and Motor Vehicle Records for Secure Analysis",
    "authors": [
      "Meng Li",
      "Xinfeng Ye",
      "Sathiamoorthy Manoharan"
    ],
    "date": "2025-06-02",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/6ff1bd223fc7ab2c7448529616e597479e6e04f2",
    "pdfUrl": "",
    "doi": "10.1109/MIPRO65660.2025.11131883",
    "abstract": "The collection and analysis of driver and motor vehicle records are vital for transportation research, policy-making, and safety improvements. However, these records often contain sensitive personal information, such as names, addresses, and vehicle identification numbers, which raises significant privacy concerns. This paper explores techniques for anonymizing driver and motor vehicle data to protect privacy while supporting secure and effective analysis. The primary objective is to develop and implement a robust data anonymization methodology that fully anonymizes sensitive information while preserving data utility for analytical purposes. Simulated datasets serve as a testing environment for refining various anonymization techniques, including data masking, pseudonymization, and data swapping. Each method is applied to maximize data protection while maintaining analytical value. The findings demonstrate that sensitive data can be anonymized to meet privacy standards without sacrificing meaningful analysis. Additionally, it highlights the need to balance privacy with data accessibility for researchers and policymakers, along with addressing potential challenges and best practices in the field.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.683,
    "venue": "2025 MIPRO 48th ICT and Electronics Convention",
    "language": "en"
  },
  {
    "id": "s2:a2cf7e6b0182a094b357ca7a4df93b048cfb4771",
    "title": "Data Protection and Efficient Analysis of Urban Traffic Based on Deep Learning",
    "authors": [
      "Xiaoyu Zhao"
    ],
    "date": "2025-11-14",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/a2cf7e6b0182a094b357ca7a4df93b048cfb4771",
    "pdfUrl": "",
    "doi": "10.1145/3784013.3784057",
    "abstract": "With the rapid development of urbanization and intelligent transportation systems, urban traffic data has exploded and become a key resource for optimizing traffic management, but the sensitive personal information it contains also brings serious privacy security challenges. Traditional anonymization and encryption methods have low efficiency and insufficient protection ability when dealing with large-scale and real-time traffic data, and it is difficult to balance data use and protection. Therefore, this study aims to construct an integrated privacy protection and efficient analysis framework based on deep learning. By designing a hierarchical architecture, this framework integrates data desensitization based on self-encoder (AE), synthetic data generation based on generative adversarial network (GAN), and noise injection based on differential privacy (DP), and achieves multi-layered and quantifiable privacy protection for traffic data. Experimental results show that this scheme is significantly superior to traditional k-anonymity and modern SVM+DP schemes in terms of privacy protection intensity and data processing efficiency, effectively solves the contradiction between data sharing and privacy protection, and provides an effective solution for the safe and efficient utilization of traffic data in smart cities.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.683,
    "venue": "Proceedings of the 2025 2nd Symposium on Big Data, Neural Networks, and Deep Learning",
    "language": "en"
  },
  {
    "id": "s2:402154bd34d1761f7078a1493860331e9ecaabd5",
    "title": "Time Distortion Anonymization for the Publication of Mobility Data with High Utility",
    "authors": [
      "Vincent Primault",
      "Sonia Ben Mokhtar",
      "C. Lauradoux",
      "L. Brunie"
    ],
    "date": "2015-07-02",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/402154bd34d1761f7078a1493860331e9ecaabd5",
    "pdfUrl": "http://arxiv.org/pdf/1507.00443",
    "doi": "10.1109/Trustcom.2015.417",
    "abstract": "An increasing amount of mobility data is being collected every day by different means, such as mobile applications or crowd-sensing campaigns. This data is sometimes published after the application of simple anonymization techniques (e.g., putting an identifier instead of the users' names), which might lead to severe threats to the privacy of the participating users. Literature contains more sophisticated anonymization techniques, often based on adding noise to the spatial data. However, these techniques either compromise the privacy if the added noise is too little or the utility of the data if the added noise is too strong. We investigate in this paper an alternative solution, which builds on time distortion instead of spatial distortion. Specifically, our contribution lies in (1) the introduction of the concept of time distortion to anonymize mobility datasets (2) Promesse, a protection mechanism implementing this concept (3) a practical study of Promesse compared to two representative spatial distortion mechanisms, namely Wait For Me, which enforces k-anonymity, and Geo-Indistinguishability, which enforces differential privacy. We evaluate our mechanism practically using three real-life datasets. Our results show that time distortion reduces the number of points of interest that can be retrieved by an adversary to under 3 %, while the introduced spatial error is almost null and the distortion introduced on the results of range queries is kept under 13 % on average.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.683,
    "venue": "2015 IEEE Trustcom/BigDataSE/ISPA",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4407076077",
    "title": "Emotion Recognition and Personalized Advertising",
    "authors": [
      "Roberta Montinaro"
    ],
    "date": "2024",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.54648/erpl2025012",
    "pdfUrl": "",
    "doi": "https://doi.org/10.54648/erpl2025012",
    "abstract": "This article examines emotion recognition systems (‘ERS’) and their use in the field of personalized advertising, adopting the perspective of EU law. The identification of an individual’s emotions through the use of ERS is a form of profiling based on the analysis of data relating to human biological characteristics, from which personal, even sensitive, information can be extracted. Such processing calls into question the concept of identification established by the General Data Protection Regulation (GDPR), particularly when techniques are adopted that appear far removed from those in use in biometric identification technologies. The full range of provisions and principles set out in the GDPR for automated processing, including the principles of transparency, accuracy and fairness, apply to emotion recognition. The analysis also addresses commercial practices involving the use of ERS from the perspective of Directive 2005/29/EC and the online advertising provisions of the Digital Services Act (DSA). Lastly, the article discusses ERS regulation within the AI Act and its interaction with the data protection framework. Cet article traite des systèmes de reconnaissance des émotions (« ERS ») et de leur utilisation dans le domaine de la publicité personnalisée, en adoptant la perspective du droit communautaire. L’identification des émotions d’un individu par l’utilisation des SRE est une forme de profilage basée sur l’analyse de données relatives aux caractéristiques biologiques humaines, dont peuvent être extraites des informations personnelles, voire sensibles. Ce traitement remet en cause la notion d’identification établie par le GDPR, en particulier lorsque sont adoptées des techniques qui semblent éloignées de celles utilisées dans les technologies d’identification biométrique. 
L’ensemble des dispositions et principes énoncés dans le GDPR pour les traitements automatisés, y compris les principes de transparence, d’exactitude et de loyauté, s’appliquent à la reconnaissance des émotions. L’analyse porte également sur les pratiques commerciales impliquant l’utilisation des SRE du point de vue de la directive 2005/29/ CE et des dispositions relatives à la publicité en ligne de l’ASD. Enfin, l’article examine la réglementation relative à la reconnaissance des émotions dans le cadre de la loi sur la protection des données et son interaction avec le cadre de protection des données. In diesem Artikel werden Emotionserkennungssysteme (‘ERS’) und ihr Einsatz im Bereich der personalisierten Werbung aus der Perspektive des EU-Rechts untersucht. Die Identifizierung der Emotionen einer Person durch den Einsatz von ERS ist eine Form der Profilerstellung, die auf der Analyse von Daten über die biologischen Merkmale des Menschen basiert, aus denen persönliche, sogar sensible Informationen extrahiert werden können. Eine solche Verarbeitung stellt das von der DSGVO festgelegte Konzept der Identifizierung in Frage, insbesondere wenn Techniken eingesetzt werden, die weit von denen entfernt zu sein scheinen, die in biometrischen Identifizierungstechnologien verwendet werden. Die gesamte Bandbreite der in der DSGVO festgelegten Bestimmungen und Grundsätze für die automatisierte Verarbeitung, einschließlich der Grundsätze der Transparenz, Genauigkeit und Fairness, gilt für die Emotionserkennung. Die Analyse befasst sich auch mit Geschäftspraktiken, die den Einsatz von ERS beinhalten, aus der Perspektive der Richtlinie 2005/29/EG und der Bestimmungen zur Online-Werbung des Datenschutzgesetzes. 
Schließlich erörtert der Artikel die ERS-Regulierung im Rahmen des Informationsfreiheitsgesetzes und ihre Wechselwirkung mit dem Datenschutzrahmen. Este artículo examina los sistemas de reconocimiento de emociones («ERS») y su uso en el ámbito de la publicidad personalizada, adoptando la perspectiva de la legislación de la UE. La identificación de las emociones de un individuo mediante el uso de ERS es una forma de elaboración de perfiles basada en el análisis de datos relativos a las características biológicas humanas, de los que puede extraerse información personal, incluso sensible. Este tipo de tratamiento cuestiona el concepto de identificación establecido por el RGPD, en particular cuando se adoptan técnicas que parecen muy alejadas de las utilizadas en las tecnologías de identificación biométrica. Toda la gama de disposiciones y principios establecidos en el RGPD para el tratamiento automatizado, incluidos los principios de transparencia, exactitud e imparcialidad, se aplican al reconocimiento de emociones. El análisis también aborda las prácticas comerciales que implican el uso de ERS desde la perspectiva de la Directiva 2005/29/CE y las disposiciones sobre publicidad en línea de la DSA. Por último, el artículo aborda la regulación del ERS dentro de la Ley de AI y su interacción con el marco de protección de datos. 1. Introduction 1. Several fields of research, including neuroscience, aim to int…",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.683,
    "venue": "European Review of Private Law/Revue européenne de droit privé/Europäische Zeitschrift für Privatrecht",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4404018654",
    "title": "‘Pay-or-Consent’ and Emerging Trends in Digital Contract Law",
    "authors": [
      "Vittorio Bachelet"
    ],
    "date": "2024",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.54648/erpl2024047",
    "pdfUrl": "",
    "doi": "https://doi.org/10.54648/erpl2024047",
    "abstract": "Abstract: Pay-or-consent (‘Want to subscribe or continue using our Products for free with ads?’) is the dilemma facing Facebook and Instagram users since November 2023. This innovation primarily follows the Court of Justice’s strict interpretation of the General Data Protection Regulation (GDPR) in Meta v. Bundeskartellamt, which ruled on several controversial issues of the data economy. These include the conditions for the lawfulness of processing users’ personal data to finance ‘free’ social network services, the assessment of users’ freely given consent as a prerequisite for access to a dominant platform service, and the admissibility of incidental findings of GDPR infringements by national competition authorities when assessing abuse of dominance cases. The article analyses the contract law implications of the decision, which recognizes that the provision of services in exchange for personal data is not inherently incompatible with the GDPR. Simultaneously, it imposes strict conditions that require dominant platforms, such as Meta’s social networks, to offer users an equivalent service without targeted advertising, to preserve their freedom to consent to data processing. To avoid undermining entrepreneurial freedom, such an alternative can be provided, if necessary, for an appropriate fee, as Facebook and Instagram have recently done in Europe, opening up new problematic scenarios for scholars to address. This article then focuses on the conditions that ensure a real choice between payment and consent, examining what constitutes an appropriate fee and when it is necessary. 
We conclude that the pay-or-okay model needs to be adapted for GDPR compliance, offering users differentiated options beyond the all-or-nothing approach to ensure that their choice is free and specific. Résumé: Pay-or-consent («Voulez-vous vous abonner, ou continuer à utiliser nos produits gratuitement avec des publicités?») est le dilemme auquel sont confrontés les utilisateurs de Facebook et Instagram depuis novembre 2023. Cette innovation découle principalement de l’interprétation stricte du RGPD par la Cour de justice dans l’affaire Meta c. Bundeskartellamt, qui a statué sur plusieurs questions controversées de l’économie des données. Celles-ci incluent les conditions de licéité du traitement des données personnelles des utilisateurs pour financer des services de réseaux sociaux «gratuits», l’évaluation du consentement libre des utilisateurs comme condition préalable à l’accès à un service de plateforme dominante, et l’admissibilité des constatations, de nature incidente, de violations du RGPD par les autorités nationales de la concurrence lorsqu’elles évaluent des cas d’abus de position dominante. L’article analyse les implications de la décision en droit des contrats, reconnaissant que la fourniture de services en échange de données personnelles n’est pas intrinsèquement incompatible avec le RGPD. Simultanément, il impose des conditions strictes exigeant que les plateformes dominantes, telles que les réseaux sociaux de Meta, offrent aux utilisateurs un service équivalent sans publicité ciblée, afin de préserver leur liberté de consentir au traitement des données. Pour éviter de saper la liberté entrepreneuriale, une telle alternative peut être fournie, le cas échéant contre une rémunération appropriée, comme Facebook et Instagram l’ont récemment fait en Europe, ouvrant de nouveaux scénarios problématiques pour les chercheurs à examiner. 
Cet article se concentre ensuite sur les conditions qui garantissent un véritable choix entre paiement et consentement, en examinant ce qui constitue un tarif approprié et quand il est nécessaire. Nous concluons que le modèle pay-or-okay doit être adapté pour se conformer au RGPD, offrant aux utilisateurs des options différenciées au-delà de l’approche tout ou rien pour garantir que leur choix soit libre et spécifique. Zusammenfassung: Pay-or-consent (‚Möchtest du ein Abo abschließen oder unsere Produkte weiterhin kostenfrei mit Werbung verwenden?‘) ist das Dilemma, dem Facebook- und Instagram-Nutzer seit November 2023 gegenüberstehen. Diese Innovation folgt hauptsächlich der strikten Auslegung der DSGVO durch den Gerichtshof im Fall Meta gegen Bundeskartellamt, das zu mehreren kontroversen Fragen der Datenökonomie entschied. Dazu gehören die Bedingungen für die Rechtmäßigkeit der Verarbeitung personenbezogener Daten der Nutzer zur Finanzierung ‘kostenloser’ sozialer Netzwerke, die Bewertung des freiwillig erteilten Nutzereinverständnisses als Voraussetzung für den Zugang zu einem dominanten Plattformdienst und die Zulässigkeit von inzidenten Feststellungen von DSGVO-Verstößen durch nationale Wettbewerbsbehörden bei der Bewertung von Missbrauchsfällen einer marktbeherrschenden Stellung. Der Artikel analysiert die vertragsrechtlichen Implikationen der Entscheidung, die anerkennt, dass die Erbringung von Dienstleistungen im Austausch gegen personenbezogene Daten nicht grundsätzlich mit der DSGVO unvereinbar ist. Gleichzeitig werden strikte Bedingungen auferlegt, die verlangen, dass dominante Plattformen wie die sozialen Netzwerke von Meta den Nutzern einen gleichwertigen Dienst ohne zielgerichtete Werbung anbieten, um ihre Freiheit zur Einwilligung in die Datenverarbeitung zu wahren. 
Um die unternehmerische Freiheit nicht zu untergraben, kann eine solche Alternative, gegebenenfalls gegen ein angemessenes Entgelt, angeboten werden, wie es Facebook und Instagram kürzlich in Europa getan haben, was neue problematische Szenarien für Gelehrten aufwirft. Dieser Artikel konzentriert sich dann auf die Bedingungen, die eine echte Wahl zwischen Zahlung und Einwilligung sicherstellen, und untersucht, was eine angemessene Gebühr darstellt und wann sie erforderlich ist. Wir kommen zu dem Schluss, dass das Pay-or-Okay-Modell an die DSGVO angepasst werden muss, indem den Nutzern differenzierte Optionen über das Alles-oder-Nichts-Prinzip hinaus angeboten werden, um sicherzustellen, dass ihre Wahl frei und spezifisch ist. Resumen: Pagar o consentir (‘¿Quieres suscribirte o seguir usando nuestros productos gratis con anuncios?’) es el dilema al que se enfrentan los usuarios de Facebook e Instagram desde noviembre de 2023. Esta innovación sigue principalmente la interpretación estricta del RGPD que hizo el Tribunal de Justicia en el caso Meta v. Bundeskartellamt, que se pronunció sobre varias cuestiones controvertidas de la economía de los datos. Entre ellas, las condiciones de legalidad del tratamiento de los datos personales de los usuarios para financiar servicios de redes sociales «gratuitos», la evaluación del consentimiento libremente otorgado por los usuarios como requisito previo para el acceso a un servicio de una plataforma dominante y la admisibilidad de las conclusiones incidentales de infracciones del RGPD por parte de las autoridades nacionales de competencia al evaluar los casos de abuso de posición dominante. El artículo analiza las implicaciones de derecho contractual de la decisión, que reconoce que la prestación de servicios a cambio de datos personales no es intrínsecamente incompatible con el RGPD. 
Al mismo tiempo, impone condiciones estrictas que obligan a las plataformas dominantes, como las redes sociales de Meta, a ofrecer a los usuarios un servicio equivalente sin publicidad dirigida, para preservar su libertad de consentir el tratamiento de datos. Para evitar socavar la libertad empresarial, se puede ofrecer una alternativa de este tipo, si es necesario, a cambio de una tarifa adecuada, como han hecho recientemente Facebook e Instagram en Europa, lo que abre nuevos escenarios problemáticos que los investigadores deben abordar. Este artículo se centra en las condiciones que garantizan una elección real entre el pago y el consentimiento, examinando qué constituye una tarifa adecuada y cuándo es necesaria. Concluimos que el modelo de pago o consentimiento debe adaptarse al cumplimiento del RGPD, ofreciendo a los usuarios opciones diferenciadas más allá del enfoque de todo o nada para garantizar que su elección sea libre y específica.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.683,
    "venue": "European Review of Private Law/Revue européenne de droit privé/Europäische Zeitschrift für Privatrecht",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W7117756206",
    "title": "Blockchain, archivage sécurisé et protection des données dans le cloud : analyse croisée des enjeux techniques et juridiques liés à l'intégrité et à la souveraineté de l'information",
    "authors": [
      "Abir Jendoubi Omri",
      "Kawtar AZIZ",
      "Soumaya AKKOUR"
    ],
    "date": "2025",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.5281/zenodo.18099524",
    "pdfUrl": "https://doi.org/10.5281/zenodo.18099524",
    "doi": "https://doi.org/10.5281/zenodo.18099524",
    "abstract": "Résumé La blockchain est fréquemment présentée comme une technologie disruptive capable de transformer les mécanismes traditionnels de sécurisation, de traçabilité et d’intégrité de l’information. En parallèle, l’usage croissant du cloud computing soulève des interrogations profondes quant à la protection des données personnelles et à la souveraineté numérique. Cet article propose une analyse technique et juridique croisée de la blockchain appliquée à deux problématiques clés : l’archivage sécurisé des documents numériques et la protection des données dans les environnements cloud. L’étude examine les garanties offertes par la technologie blockchain en matière d’intégrité, de traçabilité et d’immutabilité des données, tout en confrontant ces promesses aux exigences du droit de la protection des données (notamment le RGPD). À travers une grille de lecture combinant architecture technique (registre distribué, smart contracts, chiffrement) et enjeux normatifs (responsabilité, droit à l’oubli, territorialité des données), nous discutons la capacité réelle de la blockchain à répondre aux défis actuels en matière de conformité, de sécurité et de gouvernance des informations numériques. Cette réflexion s’inscrit dans une perspective interdisciplinaire mobilisant le droit des technologies, la cybersécurité, et l’ingénierie des systèmes d’information. Mots clés : blockchain, cloud computing, archivage électronique, protection des données, RGPD, intégrité, souveraineté numérique, analyse juridique, cybersécurité. Abstract:Blockchain is frequently presented as a disruptive technology capable of transforming traditional mechanisms for securing, tracing, and ensuring the integrity of information. At the same time, the growing use of cloud computing raises significant concerns regarding the protection of personal data and digital sovereignty. 
This article offers a combined technical and legal analysis of blockchain applied to two key issues: the secure archiving of digital documents and data protection in cloud environments. The study examines the guarantees provided by blockchain technology in terms of data integrity, traceability, and immutability, while confronting these promises with data protection law requirements (notably the GDPR). Using an analytical framework that combines technical architecture (distributed ledger, smart contracts, encryption) with normative issues (liability, right to erasure, data territoriality), we discuss the actual capacity of blockchain to address current challenges relating to compliance, security, and the governance of digital information. This reflection is grounded in an interdisciplinary perspective drawing on technology law, cybersecurity, and information systems engineering. Keywords: blockchain, cloud computing, electronic archiving, data protection, GDPR, integrity, digital sovereignty, legal analysis, cybersecurity.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.683,
    "venue": "Zenodo (CERN European Organization for Nuclear Research)",
    "language": "fr"
  },
  {
    "id": "doaj:1f10cf0bd19a46b2bce2aedd1f84a659",
    "title": "GAIN RATIO BASED FEATURE SELECTION METHOD FOR PRIVACY PRESERVATION",
    "authors": [
      "R. Praveena Priyadarsini",
      "M.L.Valarmathi",
      "S. Sivakumari"
    ],
    "date": "2011",
    "platform": "doaj",
    "sourceUrl": "http://ictactjournals.in/paper/IJSCPaper_201-205.pdf",
    "pdfUrl": "http://ictactjournals.in/paper/IJSCPaper_201-205.pdf",
    "doi": "",
    "abstract": "Privacy-preservation is a step in data mining that tries to safeguard sensitive information from unsanctioned disclosure and hence protecting individual data records and their privacy. There are various privacy preservation techniques like k-anonymity, l-diversity and t-closeness and data perturbation. In this paper k-anonymity privacy protection technique is applied to high dimensional datasets like adult and census. Since both the data sets are high dimensional, feature subset selection method like Gain Ratio is applied and the attributes of the datasets are ranked and low ranking attributes are filtered to form new reduced data subsets. K-anonymization privacy preservation technique is then applied on reduced datasets. The accuracy of the privacy preserved reduced datasets and the original datasets are compared for their accuracy on the two functionalities of data mining namely classification and clustering using naïve Bayesian and k-means algorithm respectively. Experimental results show that classification and clustering accuracy are comparatively the same for reduced k-anonymized datasets and the original data sets.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.683,
    "venue": "ICTACT Journal on Soft Computing",
    "language": "en"
  },
  {
    "id": "gdprhub:3667",
    "title": "APD/GBA (Belgium) - 80/2021",
    "authors": [],
    "date": "2021-07-28",
    "platform": "gdprhub",
    "sourceUrl": "https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_80/2021",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Article 17 of the General Data Protection Regulation (GDPR) - Right to erasure (\"right to be forgotten\") The data subject has the right to obtain from the controller",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory",
      "data_anonymization",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Biometric & Immutable PII",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.683,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:1505.03263",
    "title": "A Comparative Study of Homomorphic and Searchable Encryption Schemes for Cloud Computing",
    "authors": [
      "B. T. Prasanna",
      "C. B. Akki"
    ],
    "date": "2015-05-13",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/1505.03263v1",
    "pdfUrl": "https://arxiv.org/pdf/1505.03263v1",
    "doi": "",
    "abstract": "Cloud computing is a popular distributed network and utility model based technology. Since in cloud the data is outsourced to third parties, the protection of confidentiality and privacy of user data becomes important. Different methods for securing the data in cloud have been proposed by researchers including but not limited to Oblivious RAM, Searchable Encryption, Functional Encryption, Homomorphic Encryption etc. This paper focuses on Searchable and Homomorphic Encryption methods. Finally, a comparative study of these two efficient cloud cryptographic methods has been carried out and given here.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.683,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:0905.1755",
    "title": "Can the Utility of Anonymized Data be used for Privacy Breaches?",
    "authors": [
      "Raymond Chi-Wing Wong",
      "Ada Wai-Chee Fu",
      "Ke Wang",
      "Yabo Xu",
      "Philip S. Yu"
    ],
    "date": "2009-05-12",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/0905.1755v1",
    "pdfUrl": "https://arxiv.org/pdf/0905.1755v1",
    "doi": "",
    "abstract": "Group based anonymization is the most widely studied approach for privacy preserving data publishing. This includes k-anonymity, l-diversity, and t-closeness, to name a few. The goal of this paper is to raise a fundamental issue on the privacy exposure of the current group based approach. This has been overlooked in the past. The group based anonymization approach basically hides each individual record behind a group to preserve data privacy. If not properly anonymized, patterns can actually be derived from the published data and be used by the adversary to breach individual privacy. For example, from the medical records released, if patterns such as people from certain countries rarely suffer from some disease can be derived, then the information can be used to imply linkage of other people in an anonymized group with this disease with higher likelihood. We call the derived patterns from the published data the foreground knowledge. This is in contrast to the background knowledge that the adversary may obtain from other channels as studied in some previous work. Finally, we show by experiments that the attack is realistic in the privacy benchmark dataset under the traditional group based anonymization approach.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.683,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:oai:HAL:hal-02554437v1",
    "title": "One Year and Loads of Data Later, Where Are We? An Update on the Proposed European Union General Data Protection Regulation",
    "authors": [
      "Voss, W."
    ],
    "date": "2013-01-01",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=oai:HAL:hal-02554437v1",
    "pdfUrl": "",
    "doi": "",
    "abstract": "This article reviews the European Union’s Proposed General Data Protection Regulation (GDPR) one year after the European Commission proposed it. Reactions to the GDPR from EU Member States, the Article 29 Data Protection Working Party (WP29), the relevant European Parliament committees and the Council of the European Union are analyzed and the legislative action on the GDPR to date is traced. Furthermore, proposed amendments to the GDPR by the leading parliamentary committee – Civil Liberties, Justice and Home Affairs (LIBE) -- are detailed, notably in the areas of expanded scope of the GDPR, personal data breach notifications, consent to and legitimate bases for processing, data portability and the right to be forgotten, data protection officers (DPOs), and cross-border data transfers, among others. Finally, steps to prepare for the eventual adoption of the GDPR are set out.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.683,
    "venue": "Journal of Internet Law",
    "language": "en"
  },
  {
    "id": "openaire:50|57a035e5b1ae::1b5474a7a2917a718e49fdbfc7c18384",
    "title": "GDPR and data protection impact assessment (DPIA)",
    "authors": [
      "Boban, Marija"
    ],
    "date": "2020-01-01",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=50|57a035e5b1ae::1b5474a7a2917a718e49fdbfc7c18384",
    "pdfUrl": "",
    "doi": "",
    "abstract": "The DPIA is a new requirement under the General Data Protection Regulation (GDPR) as a part of the “protection by design” principle. According to the Regulation, a DPIA is needed where a type of processing, in particular one using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons; in that case the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. In this paper the author presents DPIA and GDPR compliance by introducing measures to reduce and address risks to the rights and freedoms of citizens’ privacy: protective measures, security measures and mechanisms to ensure the protection of personal data and also presents prior consultation of controller with the supervisory authority as legal requirement of GDPR before processing if the data protection impact assessment referred to Article 35 of GDPR.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.683,
    "venue": "",
    "language": "en"
  },
  {
    "id": "doaj:158576d4b1ad4ecaa0d46efc32a5b174",
    "title": "The right to erasure of personal data available on the internet",
    "authors": [
      "Midorović Sloboda D."
    ],
    "date": "2019",
    "platform": "doaj",
    "sourceUrl": "https://scindeks-clanci.ceon.rs/data/pdf/0350-8501/2019/0350-85011984281X.pdf",
    "pdfUrl": "https://scindeks-clanci.ceon.rs/data/pdf/0350-8501/2019/0350-85011984281X.pdf",
    "doi": "",
    "abstract": "The paper examines the right to erasure of personal data (\"the right to be forgotten\"), as a specific reflection of the right to privacy in the era of information technology. In line with the solutions of the General Data Protection Regulation of the European Union (GDPR), Serbia enacted the Act on the Protection of Personal Data of the Republic of Serbia (2018), which endeavours to adapt the content of the right to erasure of data to the circumstances of wide availability of personal data on the global worldwide network - the Internet. The paper aims to present the right to erasure to the domestic scientific and professional audiences, bearing in mind that its wording leaves room for diverging interpretations. The author first briefly outlines the circumstances which have led to introducing the right to erasure of data. The content and the manner of exercising this right have been presented, with reference to the case law of the Court of Justice of the European Union (CJEU), including the key pro and con arguments. Then, the author discusses the discrepancies between the substance of this right as observed in the CJEU jurisprudence (on the one hand) and the substance of this right as envisaged in the GDPR (on the other hand). Finally, the author analyzes the conditions under which this right can be exercised under the provisions of the GDPR and the Serbian Personal Data Protection Act (2018), particularly in terms of the reasons that may lead to granting the request for erasure of personal data as well as the exceptions from exercising this right in case of balancing interests.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.683,
    "venue": "Zbornik Radova Pravnog Fakulteta u Nišu",
    "language": "en"
  },
  {
    "id": "hal:2554657",
    "title": "GDPR: The End of Google and Facebook or a New Paradigm in Data Privacy?",
    "authors": [
      "Kimberly A. Houser",
      "W. Gregory Voss"
    ],
    "date": "2018-11-06",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-02554657v1",
    "pdfUrl": "",
    "doi": "",
    "abstract": "EU Data Protection Agencies have been vigorously enforcing violations of regional and national data protection law in recent years against U.S. tech companies, but few changes have been made to their business model of exchanging free services for personal data. With the Cambridge Analytica debacle revealing how insufficient American privacy law is, we now find ourselves questioning whether the General Data Protection Regulation (GDPR) is not the onerous 99 article regulation to be feared, but rather a creation years ahead of its time. This paper will explain how the differences in U.S. and EU privacy and data protection law and ideology have led to a wide divergence in enforcement actions and what U.S. companies will need to do in order to legally process the data of their users in the EU. The failure of U.S. tech companies to fulfill the requirements of the GDPR, which has extraterritorial application and becomes applicable on May 25, 2018, could result in massive fines (up to $4 billion using the example of Google). The GDPR will mandate a completely new business model for these U.S. tech companies that have been operating for well over a decade with very loose restrictions under U.S. law. Will the GDPR be the end of Google and Facebook or will it be embraced as the gold standard of how companies ought to operate?",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.683,
    "venue": "Richmond Journal of Law and Technology",
    "language": "en"
  },
  {
    "id": "hal:2554182",
    "title": "Internal Compliance Mechanisms for Firms in the EU General Data Protection Regulation",
    "authors": [
      "W. Gregory Voss"
    ],
    "date": "2018-01-18",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-02554182v1",
    "pdfUrl": "https://hal.science/hal-02554182/document",
    "doi": "",
    "abstract": "The new EU General Data Protection Regulation (GDPR) establishes requirements (and certain incentives) for internal compliance mechanisms that do not exist in current legislation. These requirements, which will have an impact on internal processes and staffing of firms, such as the requirement in certain cases of engaging a data protection officer, of conducting a data protection impact assessment, or making notifications of data breaches, will require firms to organize themselves prior to the GDPR becoming applicable in 2018. This article sets out first the increased territorial scope of the GDPR, prior to discussing the increased accountability of firms, focusing on data protection impact assessments, prior consultation and prior authorization, data protection officers, and data breach notifications. On the way, certain differences among the various versions of the GDPR prior to its adoption on these points will be discussed. Finally, incentives for compliance are highlighted.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.683,
    "venue": "Revue juridique Thémis de l'Université de Montréal",
    "language": "en"
  },
  {
    "id": "hal:3226881",
    "title": "From k-anonymity to Differential Privacy: A Brief Introduction to Formal Privacy Models",
    "authors": [
      "Muhammad Imran Khan",
      "Simon N Foley",
      "Barry O'Sullivan"
    ],
    "date": "2021-05-15",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-03226881v1",
    "pdfUrl": "https://hal.science/hal-03226881/document",
    "doi": "",
    "abstract": "A number of formal privacy definitions also known as privacy models are presented when these definitions are followed then the anonymized data manifests some formal guarantees. There are several privacy definitions proposed in the literature including k-anonymity, differential privacy l-diversity, t-closeness so on and so forth. In this paper, we review some of the well-know formal privacy definitions.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.683,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:4138599",
    "title": "Optimizing Privacy and Data Utility: Metrics and Strategies",
    "authors": [
      "Clémence Mauger",
      "Gaël Le Mahec",
      "Gilles Dequen"
    ],
    "date": "2023-07-04",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-04138599v1",
    "pdfUrl": "",
    "doi": "",
    "abstract": "k-anonymity is a PPDP anonymization model preventing identity disclosure by making each record of the table indistinguishable from k − 1 others. To obtain a k-anonymous version of a table, a common technique is to generalize the quasi-identifier attributes values until records are grouped in equivalence classes of size at least k. The choice of records to be grouped will influence the amount of generalization to be performed and therefore the quality of the anonymized data (the more a value is generalized, the more precision it loses). The different k-anonymous versions of a table are therefore more or less interesting in terms of data utility. To assess the quality of a k-anonymized table, information loss metrics are often used. They can also be used within the k-anonymization process itself to choose the groupings of records resulting in the least data alteration. In this article, we propose a unified modeling of such metrics, faciliting their implementation and their use. We then analyze the behaviors of seven metrics when they are used in the k-anonymization process to guide the equivalence classes mergings. Our analyzes compare these seven metrics on two public tables for 14 values of k. After that, we turned to the limits of k-anonymity. In a k-anonymous table, the distribution of sensitive values in equivalence classes can lead to the disclosure of sensitive in- formation about an individual. l-diversity and t-closeness anonymization models impose constraints that keep control over the distribution of sensitive values and therefore limit attribute disclosure. We continue our study on k-anonymization by proposing strategies aimed at optimizing the data alteration, the l-diversity and the t-closeness of the k-anonymous tables produced. Using two infor- mation loss metrics, we evaluate the seven optimization strategies on the two public tables first on real sensitive values distributions and then on 21 simulated sensitive values distributions. 
With this large study, we would like to understand how to choose a metric and an optimization strategy to provide k-anonymous database with strong guarantees on the data privacy and preserving as much as possible the data utility.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.683,
    "venue": "Transactions on Data Privacy",
    "language": "en"
  },
  {
    "id": "openaire:oai:pure.rug.nl:openaire_cris_publications/0716b849-4370-49f1-8572-7740c8920e5b",
    "title": "Reprocessing of biometric data for law enforcement purposes",
    "authors": [
      "Jasserand-Breeman, Catherine"
    ],
    "date": "2019-01-01",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=oai:pure.rug.nl:openaire_cris_publications/0716b849-4370-49f1-8572-7740c8920e5b",
    "pdfUrl": "",
    "doi": "",
    "abstract": "The amount of biometric data (fingerprints, facial images, or voice samples) that private companies collect for various purposes is growing exponentially. Social media, such as Facebook, also hold certain types of personal data (e.g. photographs, audio-videos files) that can be reprocessed for biometric recognition purposes. These data are very valuable to law enforcement authorities as they can allow the identification of the individuals to whom they relate.<br/><br/>This dissertation investigates whether the new EU data protection framework, composed of the GDPR and the ‘police’ Directive, provides sufficient safeguards to individuals whose biometric data collected by private parties are accessed by law enforcement authorities for further use. While searching for the answer, the study has uncovered important findings. Focusing on the core notion of ‘biometric data’, the research has revealed not only gaps between legal and technical definitions but also uncertainty concerning the type of data that qualify as such and fall within the scope of sensitive data. Analysing the rules applicable to data processing across instruments, the research has raised doubt on the role played by the principle of purpose limitation and on the formulation of the right to information in the ‘police’ Directive. Finally, in an attempt to provide recommendations, the research has relied on the tools of Data Protection by Design (by Default) and Data Protection Impact Assessment to help mitigate the risks to individuals’ right to data protection.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.683,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2731720734",
    "title": "Aligning data protection rights with competition law remedies? The GDPR right to data portability",
    "authors": [
      "Orla Lynskey"
    ],
    "date": "2017",
    "platform": "OpenAlex",
    "sourceUrl": "",
    "pdfUrl": "",
    "doi": "",
    "abstract": "The General Data Protection Regulation (GDPR) introduces a right to data portability in the EU legal order. This novel right has no direct equivalent in EU Member States, or internationally. Data portability bears many of the trappings of a competition law remedy: it has the potential to reduce barriers to entry; to stimulate innovation; and, to lower switching costs for individuals. For this reason, the right to data portability is often attributed a competition-based rationale in addition to its data protection objective. Yet, as this paper shall demonstrate, the GDPR right to data portability can be differentiated from a competition law remedy in terms of both its scope and its objectives. These differences in terms of scope and normative logic can lead to conflicting interpretations and visions of the right to data portability. This paper argues that in case of such conflict the interpretation of the GDPR right to data portability ought to be decoupled from the logic and constraints of competition law and instead viewed within its data protection law context as an instrument for individual control over personal data.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.683,
    "venue": "London School of Economics and Political Science Research Online (London School of Economics and Political Science)",
    "language": "en"
  },
  {
    "id": "ETid-333",
    "title": "GDPR Fine: Municipality of Rælingen — Norwegian Supervisory Authority (Datatilsynet) (Norway)",
    "authors": [
      "Norwegian Supervisory Authority (Datatilsynet)"
    ],
    "date": "2020-07-10",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-333",
    "pdfUrl": "https://www.datatilsynet.no/contentassets/9d5792264c884f3a903d3981c38812ac/~-20_02191-1-vedtak-om-overtredelsesgebyr---ralingen-kommune-202444_10_1.pdf",
    "doi": "",
    "abstract": "Fine: €46,660 | Articles: Art. 32 GDPR, Art. 35 GDPR | Insufficient technical and organisational measures to ensure information security | Fine for the processing of children's health data in connection with disability through the digital learning platform 'Showbie'. The Municipality had failed to carry out a Data Protection Impact Assessment ('DPIA') in accordance with Article 35 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') prior to the start of the processing and had not taken adequate technical and organisational measures in accordance with Article 32 of the GDPR, resulting in an increased risk of unauthorised access to the personal data of the pupils.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.683,
    "venue": "GDPR DPA: Norwegian Supervisory Authority (Datatilsynet)",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2811028500",
    "title": "Reglamento General de Protección de Datos (RGPD) y BIG DATA",
    "authors": [
      "José Nogueira Blanco"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "https://dialnet.unirioja.es/servlet/articulo?codigo=6437479",
    "pdfUrl": "",
    "doi": "",
    "abstract": "espanolEl inicio de aplicacion del Reglamento General de Proteccion de Datos (RGPD) incide especialmente en los tratamientos relativos al Big Data, en cuestiones como: la necesidad de disponer de un Delegado de Proteccion de Datos, las evaluaciones de impacto en la proteccion de datos, la obligatoria notificacion de brechas de seguridad, la privacidad desde el diseno y por defecto, la elaboracion de perfiles, la ampliacion del deber de informacion y transparencia, el registro de actividades del tratamiento o las transferencias internacionales de datos. Asimismo, los usuarios podran ejercer nuevos derechos como la supresion, limitacion o portabilidad de sus datos. Todo ello sin olvidarnos de la previsible entrada en aplicacion del Reglamento “E-Privacy” y la aprobacion de la nueva Ley Organica de proteccion de Datos (LOPD) durante este 2018. EnglishThe imminent implementation of the General Data Protection Regulation(GDPR) has a particular impact on the processing related to Big Data, on issues such as: the need for a Data Protection Officer, the assessments of impact on data protection, the mandatory notification of security breaches, the privacy from the design and by default, the development of profiles, the extension of the duty of disclosure and transparency, the register of processing activities or international data transfers. Also, the users will be able to exercise new rights, such as the removal, limitation or portability of their data. All of this without forgetting the foreseeable entry into application of the E-Privacy Regulation and the adoption of the new Organic Law on Data Protection (LOPD) during 2018",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.683,
    "venue": "Actualidad civil",
    "language": "es"
  },
  {
    "id": "openaire:10.36948/ijfmr.2025.v07i05.58572",
    "title": "Privacy vs. Surveillance: Legal Challenges in the Age of Artificial Intelligence",
    "authors": [
      "Aayush Verma",
      "Bhavya Mittal",
      "Anju Bala"
    ],
    "date": "2025-10-22",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.36948/ijfmr.2025.v07i05.58572",
    "pdfUrl": "",
    "doi": "10.36948/ijfmr.2025.v07i05.58572",
    "abstract": "<jats:p>India stands at a pivotal moment in its digital transformation, where the rapid integration of Artificial Intelligence (AI) into governance through facial recognition technologies, Aadhaar’s biometric framework, predictive analytics promises that administrates efficiency and security but simultaneously threatens privacy, autonomy, and civil liberties. While the Digital Personal Data Protection Act, 2023 and the AI Regulation Act, 2025 significantly progress toward structured data and AI governance, their broad governmental exemptions and weak accountability provisions expose deep regulatory gaps. This research paper questions how the AI-driven surveillance challenges the constitutional right to privacy in the era of Digital India, by analysing the landmark rulings of Kharak Singh and Gobind to Justice K.S. Puttaswamy (Retd.) v. Union of India, which anchored privacy within Article 21’s guarantee of life and liberty. By examining statutory shortcomings such as Section 17(2)(a) and Section 36 of the DPDP Act, which enable surveillance under the guise of “national security” without judicial oversight and the limited safeguards under the IT Act, Telegraph Act, and Aadhaar Act, the paper highlights the vulnerabilities of citizens to profiling, algorithmic bias, and data misuse in initiatives like Safe City, DigiYatra, and the National Digital Health Mission. In contrast, international frameworks such as the EU’s GDPR and AI Act demonstrate the value of risk-based regulation, algorithmic audits, and independent oversight which India’s fragmented regime currently lacks. The paper highlights a rights-based reform model featuring comprehensive AI legislation, mandatory transparency, human oversight, narrower exemptions, an independent AI Regulatory Authority, and robust grievance mechanisms along with sectoral codes and public awareness measures. 
As India’s pursuit of digital and AI leadership must be guided by constitutional values of justice, liberty, and dignity. ",
    "topics": [
      "data_anonymization",
      "biometric_surveillance",
      "ai_governance",
      "jurisdiction_regulatory",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Biometric & Immutable PII",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.679,
    "venue": "",
    "language": "en"
  },
  {
    "id": "doaj:06fe1e74d520410e87ce9687cb671346",
    "title": "FL-DPCSA: Federated learning with differential privacy for cache side-channel attack detection in edge-based smart grids",
    "authors": [
      "G. Hemanth Kumar",
      "Sivananda Lahari Reddy Elicherla",
      "Sugandha Saxena",
      "K. Ayyappa Swamy",
      "Ashwini P.",
      "U. Pavan Kumar"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "http://www.sciencedirect.com/science/article/pii/S2772671125001640",
    "pdfUrl": "",
    "doi": "10.1016/j.prime.2025.101057",
    "abstract": "Smart grid technology adoption at a fast pace has created new security vulnerabilities to cache side-channel attacks (CSAs) which threaten both user privacy and grid stability through edge computing devices. The current centralized detection methods need complete raw data collection, which leads to privacy risks and scalability limitations. The proposed PPFL framework provides distributed CSA detection across smart meters through a privacy-preserving federated learning approach that avoids data sharing. The solution uses differential privacy with ϵ= 1.0–5.0 to secure aggregation and a lightweight CNN-LSTM model, which results in 96.3% detection accuracy while maintaining data confidentiality. Real-world smart meter datasets from UK-DALE and REDD, together with simulation tests, show that the framework operates efficiently (2.1 s training latency/round), has minimal communication overhead (1.2 MB/round), and remains resistant to adversarial attacks (4.8% accuracy drop under evasion attempts). The proposed framework demonstrates linear scalability to 10,000+ devices while using 2.7 Wh energy per round, which makes it suitable for extensive smart grid implementations that follow GDPR and NIST cybersecurity standards.",
    "topics": [
      "data_anonymization",
      "privacy_engineering",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.65,
    "venue": "e-Prime: Advances in Electrical Engineering, Electronics and Energy",
    "language": "en"
  },
  {
    "id": "doaj:01925a5e73fc499d9219a4f1d705c44b",
    "title": "AI Auditing under Labour Law: Insights from the AI Act and the Platform Work Directive",
    "authors": [
      "Paweł Nowik"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "\n                        https://ejournals.eu/czasopismo/szppips/artykul/ai-auditing-under-labour-law-insights-from-the-ai-act-and-the-platform-work-directive\n                    ",
    "pdfUrl": "",
    "doi": "10.4467/25444654spp.25.021.22025",
    "abstract": "This article examines the emerging role of artificial intelligence (AI) auditing as a mechanism for promoting algorithmic accountability within the European Union’s labour law framework. Focusing on two key legislative instruments—the Artificial Intelligence Act (AI Act) and the Platform Work Directive (PWD)—the study presents a comparative analysis of their respective audit models. While the AI Act introduces a general, risk‑based approach to AI governance centred on ex ante conformity assessments, the PWD establishes a sector‑specific, rights‑based framework that emphasises transparency, human oversight, and worker participation in ex post evaluations of algorithmic management systems. Drawing on legal analysis and interdisciplinary literature, the article explores how each instrument operationalises AI auditing, with particular attention to procedural safeguards, institutional design, and enforcement mechanisms. It argues that, although the AI Act offers a more formalised audit structure, its reliance on internal assessments raises concerns regarding independence and effectiveness. Conversely, while the PWD lacks a mandatory external audit requirement, it compensates through participatory governance tools, including data protection impact assessments, transparency obligations, and individual redress rights.The article concludes that these complementary regulatory models collectively represent a significant normative development in embedding algorithmic accountability within EU labour law. However, their effectiveness will depend upon robust implementation, institutional capacity, and the evolution of audit practices that are not only technically rigorous but also legally enforceable and socially legitimate.",
    "topics": [
      "jurisdiction_regulatory",
      "power_knowledge_asymmetry",
      "ai_governance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.65,
    "venue": "Studia z Zakresu Prawa Pracy i Polityki Społecznej",
    "language": "en"
  },
  {
    "id": "doaj:5894027ecb6f46fea4c018cbc7b8df3d",
    "title": "Data Anonymization for Pervasive Health Care: Systematic Literature Mapping Study",
    "authors": [
      "Zheming Zuo",
      "Matthew Watson",
      "David Budgen",
      "Robert Hall",
      "Chris Kennelly",
      "Noura Al Moubayed"
    ],
    "date": "2021",
    "platform": "doaj",
    "sourceUrl": "https://medinform.jmir.org/2021/10/e29871",
    "pdfUrl": "https://jmir.org/api/download?alt_name=medinform_v9i10e29871_app1.pdf&filename=8666d56253f617e5e5632504c7c68b35.pdf",
    "doi": "10.2196/29871",
    "abstract": "BackgroundData science offers an unparalleled opportunity to identify new insights into many aspects of human life with recent advances in health care. Using data science in digital health raises significant challenges regarding data privacy, transparency, and trustworthiness. Recent regulations enforce the need for a clear legal basis for collecting, processing, and sharing data, for example, the European Union’s General Data Protection Regulation (2016) and the United Kingdom’s Data Protection Act (2018). For health care providers, legal use of the electronic health record (EHR) is permitted only in clinical care cases. Any other use of the data requires thoughtful considerations of the legal context and direct patient consent. Identifiable personal and sensitive information must be sufficiently anonymized. Raw data are commonly anonymized to be used for research purposes, with risk assessment for reidentification and utility. Although health care organizations have internal policies defined for information governance, there is a significant lack of practical tools and intuitive guidance about the use of data for research and modeling. Off-the-shelf data anonymization tools are developed frequently, but privacy-related functionalities are often incomparable with regard to use in different problem domains. In addition, tools to support measuring the risk of the anonymized data with regard to reidentification against the usefulness of the data exist, but there are question marks over their efficacy.\n            ObjectiveIn this systematic literature mapping study, we aim to alleviate the aforementioned issues by reviewing the landscape of data anonymization for digital health care.\n            MethodsWe used Google Scholar, Web of Science, Elsevier Scopus, and PubMed to retrieve academic studies published in English up to June 2020. Noteworthy gray literature was also used to initialize the search. 
We focused on review questions covering 5 bottom-up aspects: basic anonymization operations, privacy models, reidentification risk and usability metrics, off-the-shelf anonymization tools, and the lawful basis for EHR data anonymization.\n            ResultsWe identified 239 eligible studies, of which 60 were chosen for general background information; 16 were selected for 7 basic anonymization operations; 104 covered 72 conventional and machine learning–based privacy models; four and 19 papers included seven and 15 metrics, respectively, for measuring the reidentification risk and degree of usability; and 36 explored 20 data anonymization software tools. In addition, we also evaluated the practical feasibility of performing anonymization on EHR data with reference to their usability in medical decision-making. Furthermore, we summarized the lawful basis for delivering guidance on practical EHR data anonymization.\n            ConclusionsThis systematic literature mapping study indicates that anonymization of EHR data is theoretically achievable; yet, it requires more research efforts in practical implementations to balance privacy preservation and usability to ensure more reliable health care applications.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance",
      "enterprise_privacy_ops"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.65,
    "venue": "JMIR Medical Informatics",
    "language": "en"
  },
  {
    "id": "doaj:b9d50f8699834eba96175d322b561310",
    "title": "Enhancing Healthcare Data Protection for Modern Digital Health Systems",
    "authors": [
      "Sura Abdulkareem Abbas",
      "Hassan Jaleel Hassan",
      "Ghaidaa M. Abdulsaheb"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://icaiit.org/paper.php?paper=13th_ICAIIT_3/1_9",
    "pdfUrl": "",
    "doi": "10.25673/120998",
    "abstract": "In addition to transforming healthcare delivery, digital health technologies have also posed significant challenges related to data security and privacy. HIPAA and GDPR compliance, emerging technologies, and best practices are discussed in this paper examining healthcare data protection today. Cryptography, access control, data anonymization, and blockchain-based approaches are key solutions discussed to improve data integrity and security. Moreover, artificial intelligence has the potential to detect and mitigate real-time security threats. This paper proposes strategies for ensuring patient safety, building trust, and protecting sensitive healthcare information as digital health technology continues to develop. Regulatory compliance and robust security measures are key to protecting patient information while fostering digital health innovation. With these challenges addressed, the healthcare industry can enhance patient experiences and maintain patient confidentiality as the landscape becomes increasingly digital.",
    "topics": [
      "sector_healthcare",
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Health & Genomic PII"
    ],
    "relevanceScore": 0.65,
    "venue": "Proceedings of the International Conference on Applied Innovations in IT",
    "language": "en"
  },
  {
    "id": "doaj:b7e937b0289a4f8bbb6ef0dbe5888f80",
    "title": "Trustworthy AI: Securing Sensitive Data in Large Language Models",
    "authors": [
      "Georgios Feretzakis",
      "Vassilios S. Verykios"
    ],
    "date": "2024",
    "platform": "doaj",
    "sourceUrl": "https://www.mdpi.com/2673-2688/5/4/134",
    "pdfUrl": "",
    "doi": "10.3390/ai5040134",
    "abstract": "Large language models (LLMs) have transformed Natural Language Processing (NLP) by enabling robust text generation and understanding. However, their deployment in sensitive domains like healthcare, finance, and legal services raises critical concerns about privacy and data security. This paper proposes a comprehensive framework for embedding trust mechanisms into LLMs to dynamically control the disclosure of sensitive information. The framework integrates three core components: User Trust Profiling, Information Sensitivity Detection, and Adaptive Output Control. By leveraging techniques such as Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), Named Entity Recognition (NER), contextual analysis, and privacy-preserving methods like differential privacy, the system ensures that sensitive information is disclosed appropriately based on the user’s trust level. By focusing on balancing data utility and privacy, the proposed solution offers a novel approach to securely deploying LLMs in high-risk environments. Future work will focus on testing this framework across various domains to evaluate its effectiveness in managing sensitive data while maintaining system efficiency.",
    "topics": [
      "ai_governance",
      "pii_entity_types",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.65,
    "venue": "AI",
    "language": "en"
  },
  {
    "id": "doaj:b2c8f9d7e0cf4affbf948a5300513419",
    "title": "Cross-Border Data Transfers and Data Localization Mandate under the Data Protection Regime",
    "authors": [
      "Khushi Malviya",
      "Eeshaan Singh"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://journals.ed.ac.uk/script-ed/article/view/12003",
    "pdfUrl": "",
    "doi": "10.2218/scrip.22.2.2025.12003",
    "abstract": "The present paper critiques India's approach to cross-border data transfers under the Draft Digital Personal Data Protection Rules 2025. It highlights concerns with Rule 14 and Rule 12(4), which grant the government broad discretion to impose data localization mandates, potentially restricting the transfer of specific data types regardless of the destination country's safety. This \"regressive\" approach could stifle innovation and create compliance hurdles for businesses, especially social media intermediaries. The paper also points out the ambiguity in defining restrictions and the lack of provisions for \"onward transfers\" of data, contrasting it with the more comprehensive GDPR. It advocates for a balanced framework with clear criteria for restrictions and safeguards, aligning with international best practices to ensure both national security and economic viability.",
    "topics": [
      "jurisdiction_regulatory",
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.65,
    "venue": "SCRIPTed: A Journal of Law, Technology & Society",
    "language": "en"
  },
  {
    "id": "doaj:8ba105639ef845ffaac67d30bec82cf7",
    "title": "Verso Schrems III? Analisi del nuovo EU-US Data Privacy Framework",
    "authors": [
      "Maria Giacalone"
    ],
    "date": "2023",
    "platform": "doaj",
    "sourceUrl": "https://www.europeanpapers.eu/en/europeanforum/verso-schrems-iii-analisi-nuovo-eu-us-data-privacy-framework",
    "pdfUrl": "",
    "doi": "10.15166/2499-8249/644",
    "abstract": "(Series Information) European Papers - A Journal on Law and Integration, 2023 8(1), 149-157 | European Forum Insight of 14 June 2023 | (Table of Contents) I. Introduzione. - II. Art. 52 della Carta dei diritti fondamentali dell’Unione europea. - III. Art. 47 della Carta dei diritti fondamentali dell’Unione europea. - IV. Conclusioni. | (Abstract) The Insight aims to analyse whether the Executive Order 14086 of 7 October 2022, signed by the President of the United States following the achievement of the so-called EU-US Data Privacy Frame-work, has addressed the requirements emerging from the Court of Justice’s ruling in the case Schrems II (case C-311/18). It further aims to assess whether, as claimed by the European Commission, the US effectively ensures a level of data protection “essentially equivalent” to that guaranteed in the EU by Regulation 2016/679 (GDPR).",
    "topics": [
      "enterprise_privacy_ops",
      "jurisdiction_regulatory",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations",
      "Solutions Market"
    ],
    "relevanceScore": 0.65,
    "venue": "European Papers",
    "language": "en"
  },
  {
    "id": "doaj:308da97f9bb84b4da395e60d2bdfdc3c",
    "title": "Reversible anonymization for privacy of facial biometrics via cyclic learning",
    "authors": [
      "Shuying Xu",
      "Ching-Chun Chang",
      "Huy H. Nguyen",
      "Isao Echizen"
    ],
    "date": "2024",
    "platform": "doaj",
    "sourceUrl": "https://doi.org/10.1186/s13635-024-00174-3",
    "pdfUrl": "https://doi.org/10.1186/s13635-024-00174-3",
    "doi": "10.1186/s13635-024-00174-3",
    "abstract": "Abstract Facial recognition systems have emerged as indispensable components in identity verification. These systems heavily rely on facial data, which is stored in a biometric database. However, storing such data in a database raises concerns about privacy breaches. To address this issue, several technologies have been proposed for protecting facial biometrics. Unfortunately, many of these methods can cause irreversible damage to the data, rendering it unusable for other purposes. In this paper, we propose a novel reversible anonymization scheme for face images via cyclic learning. In our scheme, face images can be de-identified for privacy protection and reidentified when necessary. To achieve this, we employ generative adversarial networks with a cycle consistency loss function to learn the bidirectional transformation between the de-identified and re-identified domains. Experimental results demonstrate that our scheme performs well in terms of both de-identification and reidentification. Furthermore, a security analysis validates the effectiveness of our system in mitigating potential attacks.",
    "topics": [
      "reversible_anonymization",
      "biometric_surveillance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Biometric & Immutable PII",
      "Re-identification"
    ],
    "relevanceScore": 0.65,
    "venue": "EURASIP Journal on Information Security",
    "language": "en"
  },
  {
    "id": "europepmc:40899552",
    "title": "Anonymization of Health Insurance Claims Data for Medication Safety Assessments.",
    "authors": [
      "Halilovic M",
      "Otte K",
      "Meurers T",
      "Alibone M",
      "Ludwig M",
      "Riedel N",
      "Wolter S",
      "Kühnel L",
      "Hess S",
      "Prasser F."
    ],
    "date": "2025-09-01",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.3233/shti251407",
    "pdfUrl": "",
    "doi": "10.3233/shti251407",
    "abstract": "<h4>Introduction</h4>The re-use of health insurance claims data for research purposes can provide valuable insights to improve patient care. However, as health data is often highly sensitive and subject to strict regulatory frameworks, the privacy of individuals must be protected. Anonymization is a common approach to do so, but finding an effective strategy is challenging due to an inherent trade-off between privacy protection and data utility. A structured approach is needed to balance these objectives and guide the selection of appropriate anonymization strategies.<h4>Methods</h4>In this paper, we present a systematic evaluation of twelve anonymization strategies applied to German health insurance claims data that has previously been used in a drug safety study. The dataset consisted of 1727 records and 45 variables. Based on a structured threat modeling, we compare a conservative and a threat modeling-based approach, each with six different privacy models and risk thresholds using the ARX Data Anonymization Tool. We assess general data utility and empirically evaluate residual privacy risks using both the Anonymeter framework and a membership inference attack.<h4>Results</h4>Our results show that conservative anonymization ensures strong privacy protection but reduces data utility. In contrast, threat modeling retains more utility while still providing acceptable privacy under moderate thresholds.<h4>Conclusion</h4>The proposed process enables a systematic comparison of privacy-utility trade-offs and can be adapted to other medical datasets. Our findings highlight the importance of context-specific anonymization strategies and empirical risk evaluation to guide anonymized data sharing in healthcare.",
    "topics": [
      "data_anonymization",
      "llm_privacy_attacks",
      "enterprise_privacy_ops"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "AI Training PII",
      "Solutions Market"
    ],
    "relevanceScore": 0.65,
    "venue": "",
    "language": "de"
  },
  {
    "id": "europepmc:41030399",
    "title": "Evaluating the accuracy of automated and semi-automated anonymization tools for unstructured health records.",
    "authors": [
      "Alrazihi LA",
      "Biswas S",
      "George J."
    ],
    "date": "2025-08-01",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.25259/sni_459_2025",
    "pdfUrl": "https://europepmc.org/articles/PMC12477974?pdf=render",
    "doi": "10.25259/sni_459_2025",
    "abstract": "<h4>Background</h4>Utilization of unstructured clinical text in research is limited by the presence of protected health identifiers (PHI) within the text. To maintain patient privacy, PHI must be de-identified. The use of anonymization tools such as Microsoft Presidio and Philter has been recognized as a potential solution to the challenges of manual de-identification. Therefore, the primary objective of this study is to evaluate the accuracy and feasibility of using Microsoft Presidio and Philter in de-identifying unstructured clinical text.<h4>Methods</h4>A sample of 200 neurosurgical documents, temporally distributed across 10 years, was extracted. The data were processed by Microsoft Presidio and Philter. Each document was manually screened for the ground truth which was used as a reference point to evaluate the accuracy of each tool. Data analysis was conducted using Python.<h4>Results</h4>A median of 8 PHI were manually de-identified per document. Both tools were individually capable of de-identifying a median of 6 PHI per document. Each tool de-identified PHI with an accuracy of 96%. Presidio demonstrated precision of 0.51 and a recall of 0.74, while Philter had precision and recall of 0.35 and 0.79, respectively.<h4>Conclusion</h4>The performance of each tool supports their use in anonymizing unstructured clinical text. Formatting variations between texts limited the performance of both tools. To conclude, further research is required to optimize the tools' output and assess the reliability in de-identifying diverse and previously unseen clinical text, thus allowing the use of unstructured clinical text in medical research.",
    "topics": [
      "enterprise_privacy_ops",
      "data_anonymization",
      "nlp_ner_tools"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.65,
    "venue": "Surgical neurology international",
    "language": "de"
  },
  {
    "id": "doaj:0c98e7d529154f938f1c5f5aa1a6b8d5",
    "title": "Tight Bounds for Machine Unlearning via Differential Privacy",
    "authors": [
      "Yiyang Huang",
      "Clement Canonne"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://journalprivacyconfidentiality.org/index.php/jpc/article/view/924",
    "pdfUrl": "",
    "doi": "10.29012/jpc.924",
    "abstract": "We consider the formulation of \"machine unlearning\" of Sekhari, Acharya, Kamath, and Suresh (NeurIPS 2021), which formalizes the so-called \"right to be forgotten\" by requiring that a trained model, upon request, should be able to 'unlearn' a number of points from the training data, as if they had never been included in the first place. Sekhari et al. established some positive and negative results about the number of data points that can be successfully unlearnt by a trained model without impacting the model's accuracy (the \"deletion capacity\"), showing that machine unlearning could be achieved by using differentially private (DP) algorithms. However, their results left open a gap between upper and lower bounds on the deletion capacity of these algorithms: our work fully closes this gap, obtaining tight bounds on the deletion capacity achievable by DP-based machine unlearning algorithms.",
    "topics": [
      "data_anonymization",
      "llm_privacy_attacks",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "AI Training PII",
      "Enforcement"
    ],
    "relevanceScore": 0.65,
    "venue": "The Journal of Privacy and Confidentiality",
    "language": "en"
  },
  {
    "id": "europepmc:39073827",
    "title": "Genomic privacy preservation in genome-wide association studies: taxonomy, limitations, challenges, and vision.",
    "authors": [
      "Aherrahrou N",
      "Tairi H",
      "Aherrahrou Z."
    ],
    "date": "2024-07-01",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1093/bib/bbae356",
    "pdfUrl": "https://europepmc.org/articles/PMC11285165?pdf=render",
    "doi": "10.1093/bib/bbae356",
    "abstract": "Genome-wide association studies (GWAS) serve as a crucial tool for identifying genetic factors associated with specific traits. However, ethical constraints prevent the direct exchange of genetic information, prompting the need for privacy preservation solutions. To address these issues, earlier works are based on cryptographic mechanisms such as homomorphic encryption, secure multi-party computing, and differential privacy. Very recently, federated learning has emerged as a promising solution for enabling secure and collaborative GWAS computations. This work provides an extensive overview of existing methods for GWAS privacy preserving, with the main focus on collaborative and distributed approaches. This survey provides a comprehensive analysis of the challenges faced by existing methods, their limitations, and insights into designing efficient solutions.",
    "topics": [
      "biometric_surveillance",
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Biometric & Immutable PII",
      "Solutions Market"
    ],
    "relevanceScore": 0.65,
    "venue": "Briefings in bioinformatics",
    "language": "de"
  },
  {
    "id": "crossref:10.21203/rs.3.rs-6264767/v1",
    "title": "A Kubernetes-Based AI Framework for Scalable PII Detection and Redaction in Application Logs",
    "authors": [
      "Ahmed Shamsan Almasah",
      "sana alyaseri"
    ],
    "date": "2025-03-21",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.21203/rs.3.rs-6264767/v1",
    "pdfUrl": "https://www.researchsquare.com/article/rs-6264767/v1",
    "doi": "10.21203/rs.3.rs-6264767/v1",
    "abstract": "<title>Abstract</title>\n        <p>The increasing adoption of microservice architectures has amplified the challenges of application log management, particularly concerning the proliferation of personally identifiable information (PII).  While logs are crucial for monitoring, debugging, and compliance, the distributed nature of microservices, coupled with stringent data privacy regulations like GDPR, CCPA, and HIPAA, necessitates robust PII detection and redaction mechanisms. Traditional methods, such as regular expressions, are inadequate for the volume and complexity of log data in modern IT environments. This research investigates the application of Natural Language Processing (NLP), specifically transformer-based models, for automated PII detection and redaction within Kubernetes-based microservices. We conduct a comparative analysis of several NLP techniques, including TF-IDF, spaCy's pre-trained model, a CNN-LSTM architecture, and a specialized pre-trained PII detection model (iiiorg/piiranha-v1), using the AI4Privacy dataset.  Our evaluation considers accuracy, precision, recall, F1-score, resource utilization, and runtime.  The results demonstrate the trade-offs between accuracy, computational cost, and contextual understanding, highlighting the superior performance and efficiency of specialized pre-trained models for balancing these factors in Kubernetes deployments.  Specifically, we show that while deep learning models like CNN-LSTM achieve high accuracy, they are resource-intensive.  Conversely, while TF-IDF is efficient, it lacks the contextual awareness needed for robust PII detection.  Our findings indicate that specialized pre-trained models offer a compelling solution for practical PII redaction in resource-constrained Kubernetes environments.</p>",
    "topics": [
      "data_anonymization",
      "enterprise_privacy_ops",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.65,
    "venue": "2025 IEEE Region 10 Symposium (TENSYMP)",
    "language": "en"
  },
  {
    "id": "crossref:10.69554/rciv2626",
    "title": "Balancing AI innovation with data protection: A closer look at the EU AI Act",
    "authors": [
      "Sean Musch",
      "Michael Charles Borrelli",
      "Charles Kerrigan"
    ],
    "date": "2023-12-01",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.69554/rciv2626",
    "pdfUrl": "",
    "doi": "10.69554/rciv2626",
    "abstract": "In this paper the authors explore the intricate relationship between artificial intelligence (AI) innovation and data protection within the framework of the EU AI Act. This groundbreaking legislation addresses the challenges posed by the rapid advancement of AI to safeguarding individual privacy rights. The paper analyses the EU AI Act's provisions, including in-scope entities, extraterritorial applicability, AI system classification, permitted usage and breach notification. It delves into the protection of individuals' fundamental rights, transparency and consent mechanisms. Ultimately, the study underscores the EU AI Act's significance in shaping responsible AI development amid evolving data protection concerns.",
    "topics": [
      "jurisdiction_regulatory",
      "data_breach_incident",
      "ai_governance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.65,
    "venue": "Journal of Data Protection & Privacy",
    "language": "en"
  },
  {
    "id": "crossref:10.47363/jaicc/2023(2)467",
    "title": "NLP-Based De-Identification Techniques for Patient Data Anonymization",
    "authors": [
      "Veerendra Nath Jasthi"
    ],
    "date": "2023-09-30",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.47363/jaicc/2023(2)467",
    "pdfUrl": "",
    "doi": "10.47363/jaicc/2023(2)467",
    "abstract": "Electronic health records (EHR) Patient data in the form of electronic health records are sensitive and personal so there are legal structures to protect such things such as HIPAA. De-identification of such data is enough to guarantee the privacy of such information, allowing it to be utilized in medical studies and the creation of AI models. Natural Language Processing (NLP) has become an effective method of automating the de-identification of unstructured clinical narratives. This paper discusses the different NLP-based de-identification techniques, rule-based, machine learning models, and deep learning approaches. These approaches are compared, and the hybrid model will be created wherein Named Entity Recognition (NER) will be combined with BERT-based contextual models. Precision, recall, and F1-score are assessment measures applied to benchmark datasets. Findings show that hybrid NLP techniques are more generally accurate and generalized. The study helps in enhancing privacy of data in healthcare as the study allows useful anonymization of textual records of patients.",
    "topics": [
      "sector_healthcare",
      "data_anonymization",
      "pii_entity_types"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Health & Genomic PII"
    ],
    "relevanceScore": 0.65,
    "venue": "Journal of Artificial Intelligence & Cloud Computing",
    "language": "en"
  },
  {
    "id": "crossref:10.48047/b23v4479",
    "title": "Data Analysis Systems in IoE Environments for Managing Privacy and Data Protection: Pseudonymity, De-Anonymization and the Right to Be Forgotten",
    "authors": [
      "Merugu Anand Kumar",
      "Dr. S. Gowri"
    ],
    "date": "2025-02-20",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.48047/b23v4479",
    "pdfUrl": "https://cuestionesdefisioterapia.com/index.php/es/article/download/1880/1383",
    "doi": "10.48047/b23v4479",
    "abstract": "One of the most pressing concerns surrounding Big Data is protecting individuals' privacy, as processing massive amounts of data might lead to the exposure of private information. Actually, re-identification via privacy attacks is still possible, even with anonymised data. In order to protect large data analytics systems from re-identification risks, this article lays forth a methodology for anonymization. You may employ anonymization methods and models at two phases of this framework, which is based on anonymization policies: during the ETL process and before exporting the statistical findings of data analytics. The second step is to assess the likelihood of data re-identification and, if needed, raise the anonymity level. Although this paper presents a general framework, Ophidia was used as a case study to demonstrate how it was implemented.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "reversible_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Re-identification"
    ],
    "relevanceScore": 0.65,
    "venue": "Cuestiones de Fisioterapia",
    "language": "en"
  },
  {
    "id": "openaire:10.1142/S2717554524500140",
    "title": "Leveraging Large Language Models for Speech De-Identification",
    "authors": [
      "Priyanshu Dhingra",
      "Satyam Agrawal",
      "Chandra Sekar Veerappan",
      "Eng Siong Chng",
      "Rong Tong"
    ],
    "date": "2025-01-27",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1142/s2717554524500140",
    "pdfUrl": "",
    "doi": "10.1142/s2717554524500140",
    "abstract": "<jats:p> This paper presents a novel approach to address the scarcity of labeled data in speech de-identification, a critical task for protecting personal privacy. By leveraging a large language model, we propose a fully automated data augmentation strategy that generates synthetic speech text data enriched with diverse personally identifiable information (PII) entities. This augmented dataset is then used to train the speech-de-identification models, significantly improving its performance on spoken language. To further enhance de-identification accuracy, we explore both pipeline and end-to-end models. While the pipeline approach sequentially applies speech recognition and named entity recognition, the end-to-end model jointly learns these tasks. Our experimental results demonstrate the effectiveness of our data augmentation strategy and the superiority of the end-to-end model in improving PII detection accuracy and robustness. </jats:p>",
    "topics": [
      "data_anonymization",
      "pii_entity_types",
      "nlp_ner_tools"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.65,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4407736598",
    "title": "Right to Explanation in Large Language Models: Lessons from the European Union AI Act and General Data Protection Regulation",
    "authors": [
      "Łukasz Górski",
      "Shashishekar Ramakrishna"
    ],
    "date": "2025",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1109/mitp.2024.3518917",
    "pdfUrl": "",
    "doi": "https://doi.org/10.1109/mitp.2024.3518917",
    "abstract": "Innovations in machine learning-based artificial intelligence (AI), culminating in the development of large-scale language models, became a watershed moment for AI research. AI and law research follows suit, and the new regulatory framework is being prepared. In this article, we explore the legal background for explainability of large-scale foundational models, as brought about by the European Union AI Act.",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.65,
    "venue": "IT Professional",
    "language": "en"
  },
  {
    "id": "openaire:10.1145/3594536.3595151",
    "title": "Automated Anonymization of Court Decisions",
    "authors": [
      "Kalliopi Terzidou"
    ],
    "date": "2023-06-19",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1145/3594536.3595151",
    "pdfUrl": "",
    "doi": "10.1145/3594536.3595151",
    "abstract": "The practice of anonymization of court decisions has been further systematized by EU Member States’ courts, after the entry into force of the General Data Protection Regulation and its transposition into national laws. Anonymization of the parties’ personal information protects their privacy during the publication of judgments, which is necessary for the scrutiny of the judiciary’s reasoning in a given case and the filing of an appeal whenever a party disagrees with the court’s reasoning and/or order. European courts have recently resorted to algorithmic approaches to automate the process of anonymization, which can bestow prompt and consistent application of anonymization rules for court administrations to comply with the applicable personal data protection legislation. These automated solutions can also encompass technical and administrative challenges, ranging from re-identification risks that compromise the protection of the parties’ personal data to the lack of acceptance of the algorithmic system by court staff during their daily work routine. The present paper reviews current anonymization practices conducted through algorithmic techniques by, first, explaining the legal framework underlying the publication and anonymization of court decisions, second, examining three algorithmic solutions for the anonymization of court decisions by different EU Member States, and third, reflecting on their efficiencies and challenges for court administrations.",
    "topics": [
      "enterprise_privacy_ops",
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.65,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1109/access.2019.2924479",
    "title": "Latent-Space-Level Image Anonymization With Adversarial Protector Networks",
    "authors": [
      "Taehoon Kim",
      "Jihoon Yang"
    ],
    "date": "2019-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1109/access.2019.2924479",
    "pdfUrl": "",
    "doi": "10.1109/access.2019.2924479",
    "abstract": "Along with recent achievements in deep learning empowered by enormous amounts of training data, preserving the privacy of an individual related to the gathered data has been becoming an essential part of the public data collection and publication. Advancements in deep learning threaten traditional image anonymization techniques with model inversion attacks that try to reconstruct the original image from the anonymized image. In this paper, we propose a privacy-preserving adversarial protector network (PPAPNet) as an image anonymization tool to convert an image into another synthetic image that is both realistic and immune to model inversion attacks. Our experiments on various datasets show that PPAPNet can effectively convert a sensitive image into a high-quality and attack-immune synthetic image.",
    "topics": [
      "document_anonymization",
      "data_anonymization",
      "enterprise_privacy_ops"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.65,
    "venue": "",
    "language": "en"
  },
  {
    "id": "europepmc:41583972",
    "title": "Mainzelliste: Ten years of pseudonymization, record linkage, and informed consent management.",
    "authors": [
      "Tremper G",
      "Brenner T",
      "Ben Amor M",
      "Kussel T",
      "Lablans M."
    ],
    "date": "2025-12-16",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1016/j.patter.2025.101432",
    "pdfUrl": "https://europepmc.org/articles/PMC12827741?pdf=render",
    "doi": "10.1016/j.patter.2025.101432",
    "abstract": "Record linkage and pseudonymization are crucial tasks in collaborative biomedical research. Data for a patient are rarely stored in one place and therefore often need to be linked and integrated across multiple institutions. Mainzelliste is an open-source software solution designed to solve these challenges by providing a comprehensive and flexible toolkit for pseudonymization, record linkage, and consent management. It supports a variety of pseudonyms, record linkage methods, and modular, informed patient consents. A highly flexible REST application programming interface (API) allows tight integration into existing applications and workflows. Since its initial release in 2015, Mainzelliste has evolved into a vibrant open-source software solution \"by researchers, for researchers\" including a user-friendly graphical interface, support for HL7 FHIR for consent and patient data, and record linkage based on secure multi-party computation, thereby supporting secure and efficient biomedical research.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.65,
    "venue": "",
    "language": "en"
  },
  {
    "id": "europepmc:40421374",
    "title": "Legal and ethical implications of AI-based crowd analysis: the AI Act and beyond.",
    "authors": [
      "Veltmeijer E",
      "Gerritsen C."
    ],
    "date": "2025-01-07",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1007/s43681-024-00644-x",
    "pdfUrl": "https://europepmc.org/articles/PMC12103326?pdf=render",
    "doi": "10.1007/s43681-024-00644-x",
    "abstract": "The increasing global population and the consequent rise in crowded environments have amplified the risks of accidents and tragedies. This underscores the need for effective crowd management strategies, with Artificial Intelligence (AI) holding potential to complement traditional methods. While AI offers promise in analysing crowd dynamics and predicting escalations, its deployment raises significant ethical concerns, regarding privacy, bias, accuracy, and accountability. This paper investigates the legal and ethical implications of AI in automated crowd analysis, with a focus on the European perspective. We examine the effect of the GDPR and the recently accepted AI Act on the field. The study then delves into remaining concerns post-legislation and proposes recommendations for ethical deployment. Key findings highlight challenges in notifying individuals of data usage, protecting vulnerable groups, balancing privacy with safety, and mitigating biased outcomes. Recommendations advocate for non-invasive data collection methods, refraining from predicting and decision-making AI systems, contextual considerations, and individual responsibility. The recommendations offer a foundational framework for ethical AI deployment, with universal applicability to benefit citizens globally.",
    "topics": [
      "jurisdiction_regulatory",
      "ai_governance",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.65,
    "venue": "",
    "language": "en"
  },
  {
    "id": "europepmc:39899638",
    "title": "Comparison of anonymization techniques regarding statistical reproducibility.",
    "authors": [
      "Pau D",
      "Bachot C",
      "Monteil C",
      "Vinet L",
      "Boucher M",
      "Sella N",
      "Jegou R."
    ],
    "date": "2025-02-03",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1371/journal.pdig.0000735",
    "pdfUrl": "https://europepmc.org/articles/PMC11790161?pdf=render",
    "doi": "10.1371/journal.pdig.0000735",
    "abstract": "<h4>Background</h4>Anonymization opens up innovative ways of using secondary data without the requirements of the GDPR, as anonymized data does not affect anymore the privacy of data subjects. Anonymization requires data alteration, and this project aims to compare the ability of such privacy protection methods to maintain reliability and utility of scientific data for secondary research purposes.<h4>Methods</h4>The French data protection authority (CNIL) defines anonymization as a processing activity that consists of using methods to make impossible any identification of people by any means in an irreversible manner. To answer project's objective, a series of analyses were performed on a cohort, and reproduced on four sets of anonymized data for comparison. Four assessment levels were used to evaluate impact of anonymization: level 1 referred to the replication of statistical outputs, level 2 referred to accuracy of statistical results, level 3 assessed data alteration (using Hellinger distances) and level 4 assessed privacy risks (using WP29 criteria).<h4>Results</h4>87 items were produced on the raw cohort data and then reproduced on each of the four anonymized data. The overall level 1 replication score ranged from 67% to 100% depending on the anonymization solution. The most difficult analyses to replicate were regression models (sub-score ranging from 78% to 100%) and survival analysis (sub-score ranging from 0% to 100%). The overall level 2 accuracy score ranged from 22% to 79% depending on the anonymization solution. For level 3, three methods had some variables with different probability distributions (Hellinger distance = 1). For level 4, all methods had reduced the privacy risk of singling out, with relative risk reductions ranging from 41% to 65%.<h4>Conclusion</h4>None of the anonymization methods reproduced all outputs and results. A trade-off has to be found between context risk and the usefulness of data to answer the research question.",
    "topics": [
      "data_anonymization",
      "jurisdiction_regulatory",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.65,
    "venue": "PLOS digital health",
    "language": "en"
  },
  {
    "id": "dblp:journals/aiethics/Grozdanovski25",
    "title": "Non-discrimination law, the GDPR, the AI act and the - now withdrawn - AI liability directive proposal offering gateways to pre-trial knowledge of algorithmic discrimination.",
    "authors": [
      "Ljupcho Grozdanovski"
    ],
    "date": "2025",
    "platform": "dblp",
    "sourceUrl": "https://dblp.org/rec/journals/aiethics/Grozdanovski25",
    "pdfUrl": "",
    "doi": "10.1007/S43681-025-00754-0",
    "abstract": "",
    "topics": [
      "ai_governance",
      "jurisdiction_regulatory",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.65,
    "venue": "AI Ethics",
    "language": "en"
  },
  {
    "id": "hal:3677038",
    "title": "Preventing Manipulation Attack in Local Differential Privacy Using Verifiable Randomization Mechanism",
    "authors": [
      "Fumiyuki Kato",
      "Yang Cao",
      "Masatoshi Yoshikawa"
    ],
    "date": "2021-07-19",
    "platform": "hal",
    "sourceUrl": "https://inria.hal.science/hal-03677038v1",
    "pdfUrl": "https://inria.hal.science/hal-03677038/document",
    "doi": "10.1007/978-3-030-81242-3_3",
    "abstract": "Local differential privacy (LDP) has received increasing attention as a formal privacy definition without a trusted server. In a typical LDP protocol, the clients perturb their data locally with a randomized mechanism before sending it to the server for analysis. Many studies in the literature of LDP implicitly assume that the clients honestly follow the protocol; however, two recent studies show that LDP is generally vulnerable under malicious clients. Cao et al. (USENIX Security ’21) and Cheu et al. (IEEE S&P ’21) demonstrated that the malicious clients could effectively skew the analysis (such as frequency estimation) by sending fake data to the server, which is called data poisoning attack or manipulation attack against LDP. In this paper, we propose secure and efficient verifiable LDP protocols to prevent manipulation attacks. Specifically, we leverage Cryptographic Randomized Response Technique (CRRT) as a building block to convert existing LDP mechanisms into a verifiable version. In this way, the server can verify the completeness of executing an agreed randomization mechanism on the client side without sacrificing local privacy. Our proposed method can completely protect the LDP protocol from output manipulation attacks, and significantly mitigates unexpected damage from malicious clients with acceptable computational overhead.",
    "topics": [
      "data_anonymization",
      "llm_privacy_attacks",
      "offline_local_processing"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "AI Training PII",
      "Solutions Market"
    ],
    "relevanceScore": 0.65,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:5097182",
    "title": "Surveillance Capitalism and Data Privacy in the Digital Age: Balancing Innovation with Regulatory Compliance",
    "authors": [
      "Ogochukwu C Nweke",
      "Bashiru Salifu Zibo",
      "Emmanuel Kweku Amoako Appiah",
      "Samuel Osekre"
    ],
    "date": "2024-12-12",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-05097182v1",
    "pdfUrl": "",
    "doi": "10.9734/bpi/bmerp/v9/2640",
    "abstract": "Advancements in technology have created the environment for companies to engage in systematic surveillance of individuals and exploit such data for profit without necessarily asking for the user’s permission. This paper therefore seeks to discuss the intricate correlation between surveillance capitalism and data privacy, and how well legislations like the GDPR and the CCPA have worked out. In a systematic literature review of academic works, the study analyses the ways through which surveillance capitalism is enacted, assesses the provided surveillance regulation strategies, and explores the possibilities of the tension between privacy and innovation. The results imply privacy’s prominence as well as the necessity for the implementation of privacy regulation at multiple levels based on the privacy-by-design concept, the use of such technologies as differential privacy, efficient enforcement measures for user privacy protection along the promotion of innovations. The paper concludes with policy recommendations that could improve international standards of data protection and ensure privacy as a right in the global economy.",
    "topics": [
      "power_knowledge_asymmetry",
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.65,
    "venue": "",
    "language": "en"
  },
  {
    "id": "doaj:12d1ce4842b347c4aa1fa4fa0d530dc9",
    "title": "Private detection of relatives in forensic genomics using homomorphic encryption",
    "authors": [
      "Fillipe D. M. de Souza",
      "Hubert de Lassus",
      "Ro Cammarota"
    ],
    "date": "2024",
    "platform": "doaj",
    "sourceUrl": "https://doi.org/10.1186/s12920-024-02037-9",
    "pdfUrl": "https://europepmc.org/articles/PMC11575431?pdf=render",
    "doi": "10.1186/s12920-024-02037-9",
    "abstract": "Abstract Background Forensic analysis heavily relies on DNA analysis techniques, notably autosomal Single Nucleotide Polymorphisms (SNPs), to expedite the identification of unknown suspects through genomic database searches. However, the uniqueness of an individual’s genome sequence designates it as Personal Identifiable Information (PII), subjecting it to stringent privacy regulations that can impede data access and analysis, as well as restrict the parties allowed to handle the data. Homomorphic Encryption (HE) emerges as a promising solution, enabling the execution of complex functions on encrypted data without the need for decryption. HE not only permits the processing of PII as soon as it is collected and encrypted, such as at a crime scene, but also expands the potential for data processing by multiple entities and artificial intelligence services. Methods This study introduces HE-based privacy-preserving methods for SNP DNA analysis, offering a means to compute kinship scores for a set of genome queries while meticulously preserving data privacy. We present three distinct approaches, including one unsupervised and two supervised methods, all of which demonstrated exceptional performance in the iDASH 2023 Track 1 competition. Results Our HE-based methods can rapidly predict 400 kinship scores from an encrypted database containing 2000 entries within seconds, capitalizing on advanced technologies like Intel AVX vector extensions, Intel HEXL, and Microsoft SEAL HE libraries. Crucially, all three methods achieve remarkable accuracy levels (ranging from 96% to 100%), as evaluated by the auROC score metric, while maintaining robust 128-bit security. These findings underscore the transformative potential of HE in both safeguarding genomic data privacy and streamlining precise DNA analysis. 
Conclusions Results demonstrate that HE-based solutions can be computationally practical to protect genomic privacy during screening of candidate matches for further genealogy analysis in Forensic Genetic Genealogy (FGG).",
    "topics": [
      "privacy_engineering",
      "sector_healthcare",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Health & Genomic PII",
      "Solutions Market"
    ],
    "relevanceScore": 0.65,
    "venue": "BMC Medical Genomics",
    "language": "en"
  },
  {
    "id": "pubmed:35330598",
    "title": "Local Privacy Protection for Sensitive Areas in Multiface Images.",
    "authors": [
      "Liu, Chao",
      "Yang, Jing",
      "Zhang, Xuan",
      "Zhang, Yining",
      "Zhao, Weinan",
      "Miao, Fengjuan",
      "Shao, Yukun"
    ],
    "date": "2022-03-15",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.18280/ts.370213",
    "pdfUrl": "",
    "doi": "10.18280/ts.370213",
    "abstract": "The privacy protection for face images aims to prevent attackers from accurately identifying target persons through face recognition. Inspired by goal-driven reasoning (reverse reasoning), this paper designs a goal-driven algorithm of local privacy protection for sensitive areas in multiface images (face areas) under the interactive framework of face recognition algorithm, regional growth, and differential privacy. The designed algorithm, named privacy protection for sensitive areas (PPSA), is realized in the following manner: Firstly, the multitask cascaded convolutional network (MTCNN) was adopted to recognize the region and landmark of each face. If the landmark overlaps a subgraph divided from the original image, the subgraph will be taken as the seed for regional growth in the face area, following the growth criterion of the fusion similarity measurement mechanism (FSMM). Different from single-face privacy protection, multiface privacy protection needs to deal with an unknown number of faces. Thus, the allocation of the privacy budget  ε  directly affects the operation effect of the PPSA algorithm. In our scheme, the total privacy budget  ε  is divided into two parts:  ε _1 and  ε _2. The former is evenly allocated to each seed, according to the estimated number of faces  ρ  contained in the image, while the latter is allocated to the other areas that may consume the privacy budget through dichotomization. Unlike the Laplacian (LAP) algorithm, the noise error of the PPSA algorithm will not change with the image size, for the privacy protection is limited to the face area. The results show that the PPSA algorithm meets the requirements  ε -Differential privacy, and image classification is realized by using different image privacy protection algorithms in different human face databases. 
The verification results show that the accuracy of the PPSA algorithm is improved by at least 16.1%, the recall rate is improved by at least 2.3%, and  F 1-score is improved by at",
    "topics": [
      "offline_local_processing",
      "data_anonymization",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Biometric & Immutable PII",
      "Solutions Market"
    ],
    "relevanceScore": 0.65,
    "venue": "Computational intelligence and neuroscience",
    "language": "en"
  },
  {
    "id": "openaire:10.4018/978-1-7998-5728-0.ch005",
    "title": "An Overview of Recent Development in Privacy Regulations and Future Research Opportunities",
    "authors": [
      "Tawei Wang",
      "Yen-Yao Wang"
    ],
    "date": "2020-08-21",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.4018/978-1-7998-5728-0.ch005",
    "pdfUrl": "https://doi.org/10.4018/978-1-7998-5728-0.ch005",
    "doi": "10.4018/978-1-7998-5728-0.ch005",
    "abstract": "This chapter provides an overview of several recently proposed or passed privacy-related regulations, including General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Illinois Video Interview Act, Data Broker Regulations in Vermont, and Privacy Bill of Rights Act, and related but very limited studies. Toward the end, several research opportunities are discussed. These research opportunities include (1) economic consequences of these new regulations and (2) the new research framework to capture novel features of these regulations to explain security compliance. The authors further discuss possible research designs to address the proposed research opportunities. This chapter provides both professionals and researchers additional insights on the regulation of privacy issues.",
    "topics": [
      "gdpr_compliance",
      "linkability_tracking",
      "data_broker_surveillance"
    ],
    "painPointTracks": [
      "Data Brokers",
      "Enforcement",
      "Re-identification"
    ],
    "relevanceScore": 0.65,
    "venue": "Research Anthology on Privatizing and Securing Data",
    "language": "en"
  },
  {
    "id": "openaire:10.37276/sjh.v7i2.533",
    "title": "The Limitations of Lex Generalis: Analyzing the Readiness of the GDPR and PDP Law for AI-Based Facial Recognition Technology",
    "authors": [
      "Komang Suputra Kurniawan",
      "I Gede Agus Kurniawan"
    ],
    "date": "2025-11-28",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.37276/sjh.v7i2.533",
    "pdfUrl": "",
    "doi": "10.37276/sjh.v7i2.533",
    "abstract": "The implementation of AI-based FRT creates a fundamental conflict between security innovation and the protection of the human right to personal data. This research aims to (1) analyze the fundamental juridical-ethical challenges of AI-based identity systems; (2) examine the effectiveness and limitations of the GDPR (European Union) and the PDP Law (Indonesia) in responding to these risks; and (3) formulate recommendations for an adaptive regulatory framework. This research employs a normative legal research method, utilizing critical-comparative and prescriptive approaches. The analysis reveals two main findings. First, FRT presents unique systemic risks. These risks include discriminatory algorithmic bias, the normalization of mass surveillance, and an accountability crisis resulting from its “black-box” nature. These risks cannot be mitigated by conventional legal frameworks for privacy. Second, critical analysis proves that the GDPR and the PDP Law, as lex generalis instruments, are normatively and practically insufficient in regulating the specific and predictive dynamics of AI technology. This limitation creates a significant rechtsvacuüm, wherein technology adoption operates without adequate juridical oversight. Therefore, this research concludes that reliance on these two regulations is no longer sufficient. This research recommends a shift in Indonesia’s regulatory paradigm. The prescriptive solution proposed is the adoption of a lex specialis (derivative regulation) framework that is proactive, preventive, and adopts a risk-based approach. This framework is essential to ensure that AI innovation remains aligned with the principles of data protection and human dignity.",
    "topics": [
      "biometric_surveillance",
      "gdpr_compliance",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.65,
    "venue": "SIGn Jurnal Hukum",
    "language": "en"
  },
  {
    "id": "doaj:6b68191d35874658932d9848352898da",
    "title": "Technologies of Data Protection and Institutional Decisions for Data Sovereignty",
    "authors": [
      "Enrico Del Re"
    ],
    "date": "2024",
    "platform": "doaj",
    "sourceUrl": "https://www.mdpi.com/2078-2489/15/8/444",
    "pdfUrl": "https://www.mdpi.com/2078-2489/15/8/444/pdf?version=1722331144",
    "doi": "10.3390/info15080444",
    "abstract": "This paper aims to propose innovative actions of advanced technological solutions and consequent necessary institutional decisions to achieve in a reasonable time the definitive confidential data protection and data sovereignty, based on available scientific results. Confidential data protection is a fundamental and strategic issue in next-generation Internet systems to guarantee data sovereignty and the respect of human rights as stated in the foundation of the United Nations. Even if presently many international regulations are decisive steps to guarantee data protection within normative contexts, they are not adequate to face new technologies, such as facial recognition, automatic profiling, position tracking, biometric data, AI applications, and many others in the future, as they are implemented without any awareness by the interested subjects. Therefore, a new approach to data protection is mandatory based on innovative and disruptive technological solutions. A recent OECD report highlighted the need for the so-called Privacy-Enhancing Technologies (PETs) for the effective protection of confidential data, even more urgent for the coexistence of privacy and data sharing in international contexts. A common feature of these technologies is the use of software methodologies that can run on currently available microprocessors and their present immaturity. More effective and definitive protection can be achieved with another methodological approach based on the paradigm of ‘<i>Data Usage Control</i>’. This new concept guarantees data protection policy by default and initial design and it requires a new architecture of the data and a new HW&SW architecture of the computers. 
This contribution has a two-fold objective: first, to clarify why regulations alone and present technological proposals are not adequate for the effective and definitive protection of data and, second, to indicate the new necessary technological approach and the simultaneous institutional actions required to achieve the definitive protection and sovereignty of data in reasonable times, based on the results already available in the scientific literature.",
    "topics": [
      "power_knowledge_asymmetry",
      "biometric_surveillance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Solutions Market",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.65,
    "venue": "Information",
    "language": "en"
  },
  {
    "id": "doaj:babb4951fb2f4a45945466342805ad30",
    "title": "La tutela dei dati biometrici tra GDPR e AI ACT",
    "authors": [
      "Anna Carla Nazzaro"
    ],
    "date": "2024",
    "platform": "doaj",
    "sourceUrl": "https://universitypress.unisob.na.it/ojs/index.php/ejplt/article/view/2054",
    "pdfUrl": "https://doi.org/10.57230/ejplt242acn",
    "doi": "10.57230/ejplt242acn",
    "abstract": "Il saggio analizza la tutela dei dati biometrici nell’ambito del GDPR e dell’AI ACT, evidenziando il delicato equilibrio tra protezione della privacy e innovazione tecnologica. Viene esaminata la definizione di dato biometrico e il suo utilizzo per identificazione, autenticazione e categorizzazione, con particolare attenzione ai rischi legati alla discriminazione e all’uso improprio. Si affrontano i divieti di raccolta indiscriminata e le implicazioni etiche dell’impiego dell’IA nel riconoscimento facciale e nell’analisi delle emozioni. Infine, si discute il ruolo della valutazione d’impatto e la necessità di un approccio regolatorio che tuteli i diritti fondamentali.\r\n\r\nThe essay explores the protection of biometric data within the framework of the GDPR and the AI ACT, highlighting the delicate balance between privacy protection and technological innovation. It examines the definition of biometric data and its use for identification, authentication, and categorization, with a focus on the risks of discrimination and misuse. The paper addresses the bans on indiscriminate data collection and the ethical implications of AI in facial recognition and emotion analysis. Finally, it discusses the role of impact assessment and the need for a regulatory approach that safeguards fundamental rights.",
    "topics": [
      "jurisdiction_regulatory",
      "gdpr_compliance",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.65,
    "venue": "European Journal of Privacy Law & Technologies",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4410987806",
    "title": "Improving REST API Security and Software Integrity through Automated PII Detection Tool Using Machine Learning Techniques",
    "authors": [
      "Akbar Sahata Sakapertana",
      "Wan Muhafidz Faldi",
      "Andi Ichsan Mahardika",
      "Muhammad Alfian",
      "Umi Laili Yuhana"
    ],
    "date": "2025",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1109/icocseti63724.2025.11020385",
    "pdfUrl": "",
    "doi": "https://doi.org/10.1109/icocseti63724.2025.11020385",
    "abstract": "The increasing reliance on REST APIs for data transmission has heightened the risk of exposing Personally Identifiable Information (PII). This underscores the need for effective detection systems to safeguard privacy and comply with regulations such as GDPR and Indonesia’s Personal Data Protection Acts. This study introduces a machine learning-driven Personally Identifiable Information (PII) identification system utilizing Support Vector Machines (SVM) to examine semi-structured API responses. The system consists of two primary components: a backend module that executes PII detection and archives results in a database, and an interactive dashboard that allows users to examine, oversee, and administer detection results. The backend exhibits robust performance with elevated accuracy and precision, whereas the dashboard provides functionalities including search, severity filtering, and comprehensive result display to improve user engagement and operational decision-making. Collectively, these elements offer a comprehensive solution for enhancing REST API security and ensuring software processes comply with data privacy standards. Future endeavors will investigate real-time warning systems, sophisticated data visualization, and extensive domain modification to augment the system’s efficacy.",
    "topics": [
      "enterprise_privacy_ops",
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.65,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3095232705",
    "title": "Speaker Anonymization for Personal Information Protection Using Voice Conversion Techniques",
    "authors": [
      "In-Chul Yoo",
      "Keonnyeong Lee",
      "Seong-Gyun Leem",
      "Hyunwoo Oh",
      "BongGu Ko",
      "Dongsuk Yook"
    ],
    "date": "2020",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1109/access.2020.3035416",
    "pdfUrl": "https://ieeexplore.ieee.org/ielx7/6287639/8948470/09247219.pdf",
    "doi": "https://doi.org/10.1109/access.2020.3035416",
    "abstract": "As speech-based user interfaces integrated in the devices such as AI speakers become ubiquitous, a large amount of user voice data is being collected to enhance the accuracy of speech recognition systems. Since such voice data contain personal information that can endanger the privacy of users, the issue of privacy protection in the speech data has garnered increasing attention after the introduction of the General Data Protection Regulation in the EU, which implies that restrictions and safety measures for the use of speech data become essential. This study aims to filter the speaker-related voice biometrics present in speech data such as voice fingerprint without altering the linguistic content to preserve the usefulness of the data while protecting the privacy of users. To achieve this, we propose an algorithm that produces anonymized speeches by adopting many-to-many voice conversion techniques based on variational autoencoders (VAEs) and modifying the speaker identity vectors of the VAE input to anonymize the speech data. We validated the effectiveness of the proposed method by measuring the speaker-related information and the original linguistic information retained in the resultant speech, using an open source speaker recognizer and a deep neural network-based automatic speech recognizer, respectively. Using the proposed method, the speaker identification accuracy of the speech data was reduced to 0.1-9.2%, indicating successful anonymization, while the speech recognition accuracy was maintained as 78.2-81.3%.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Biometric & Immutable PII",
      "Enforcement"
    ],
    "relevanceScore": 0.65,
    "venue": "IEEE Access",
    "language": "en"
  },
  {
    "id": "s2:a1436408fd4836cc46c49d049ca2b72144d7cba0",
    "title": "Privacy-Preserving Medical Advising System on Mobile Devices: On-Device PHI Anonymization, Medical Report Retrieval, and Cloud-Based RAG",
    "authors": [
      "T. Weerasekara",
      "Chinthani Chandeepa",
      "Oshan Sandeep Amarasuriya",
      "C. Hettiarachchi"
    ],
    "date": "2025-06-24",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/a1436408fd4836cc46c49d049ca2b72144d7cba0",
    "pdfUrl": "",
    "doi": "10.1145/3721201.3725431",
    "abstract": "Ensuring the confidentiality of information and accuracy especially related to medical data is a critical challenge in the development of digital health applications. This paper presents a novel approach for a medical chat application that is intended to preserve user privacy while ensuring the accuracy of responses. On-device privacy-preserving techniques and context-aware medical report retrieval mechanisms are engaged on Android mobile phones with cloud-based retrieval-augmented generation (RAG) in this system. A lightweight, transformer-based language model is leveraged for the anonymization of protected health information (PHI) directly on the user’s mobile device with a medical report storage and a retriever ensuring private and sensitive information never leaves the device in its raw form. The cloud-based subsystem acts as the backend and is responsible for processing the anonymized requests, retrieving relevant medical knowledge, and generating accurate, context-aware responses using a large language model (LLM). CCS Concepts: • Computing methodologies → Information extraction; Natural language generation; • Security and privacy → Privacy-preserving protocols.",
    "topics": [
      "data_anonymization",
      "sector_healthcare",
      "offline_local_processing"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Health & Genomic PII",
      "Solutions Market"
    ],
    "relevanceScore": 0.65,
    "venue": "IEEE/ACM International Conference on Connected Health: Applications, Systems and Engineering Technologies",
    "language": "en"
  },
  {
    "id": "s2:7c2510fd85c0b8d8c8340a15e2360cbddf91d259",
    "title": "My Face My Choice: Privacy Enhancing Deepfakes for Social Media Anonymization",
    "authors": [
      "U. Ciftci",
      "Gokturk Yuksek",
      "Ilke Demir"
    ],
    "date": "2022-11-02",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/7c2510fd85c0b8d8c8340a15e2360cbddf91d259",
    "pdfUrl": "https://arxiv.org/pdf/2211.01361",
    "doi": "10.1109/WACV56688.2023.00142",
    "abstract": "Recently, productization of face recognition and identification algorithms have become the most controversial topic about ethical AI. As new policies around digital identities are formed [22], we introduce three face access models in a hypothetical social network, where the user has the power to only appear in photos they approve. Our approach eclipses current tagging systems and replaces unapproved faces with quantitatively dissimilar deepfakes. In addition, we propose new metrics specific for this task, where the deepfake is generated at random with a guaranteed dissimilarity. We explain access models based on strictness of the data flow, and discuss impact of each model on privacy, usability, and performance. We evaluate our system on Facial Descriptor Dataset [61] as the real dataset, and two synthetic datasets with random and equal class distributions. Running seven SOTA face recognizers on our results, MFMC reduces the average accuracy by 61%. Lastly, we extensively analyze similarity metrics, deepfake generators, and datasets in structural, visual, and generative spaces; supporting the design choices and verifying the quality.",
    "topics": [
      "data_anonymization",
      "biometric_surveillance",
      "ai_governance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Biometric & Immutable PII",
      "Enforcement"
    ],
    "relevanceScore": 0.65,
    "venue": "IEEE Workshop/Winter Conference on Applications of Computer Vision",
    "language": "en"
  },
  {
    "id": "s2:d8901635f8d8f8495e5bdf9601fd5d5febed7de4",
    "title": "Privacy's Peril: Unmasking the Unregulated Underground Market of Data Brokers and the Suggested Framework",
    "authors": [
      "Rabia Bajwa",
      "Farah Tasnur Meem"
    ],
    "date": "2024-10-06",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/d8901635f8d8f8495e5bdf9601fd5d5febed7de4",
    "pdfUrl": "",
    "doi": "10.48550/arXiv.2410.04606",
    "abstract": "The internet is a common place for businesses to collect and store as much client data as possible and computer storage capacity has increased exponentially due to this trend. Businesses utilize this data to enhance customer satisfaction, generate revenue, boost sales, and increase profile. However, the emerging sector of data brokers is plagued with legal challenges. In part I, we will look at what a data broker is, how it collects information, the data industry, and some of the difficulties it encounters. In Part II, we will look at potential options for regulating data brokers. All options are provided in light of the EU General Data Protection Regulation (GDPR). In Part III, we shall present our analysis and findings.",
    "topics": [
      "gdpr_compliance",
      "linkability_tracking",
      "data_broker_surveillance"
    ],
    "painPointTracks": [
      "Data Brokers",
      "Enforcement",
      "Re-identification"
    ],
    "relevanceScore": 0.65,
    "venue": "arXiv.org",
    "language": "en"
  },
  {
    "id": "s2:69f30c6574a9d169068a7e0957bcef70e0d461a1",
    "title": "Anonymization and validation of three-dimensional volumetric renderings of computed tomography data using commercially available T1-weighted magnetic resonance imaging-based algorithms",
    "authors": [
      "Rahil Patel",
      "D. Provenzano",
      "M. Loew"
    ],
    "date": "2023-11-01",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/69f30c6574a9d169068a7e0957bcef70e0d461a1",
    "pdfUrl": "",
    "doi": "10.1117/1.JMI.10.6.066501",
    "abstract": "Abstract. Purpose Previous studies have demonstrated that three-dimensional (3D) volumetric renderings of magnetic resonance imaging (MRI) brain data can be used to identify patients using facial recognition. We have shown that facial features can be identified on simulation-computed tomography (CT) images for radiation oncology and mapped to face images from a database. We aim to determine whether CT images can be anonymized using anonymization software that was designed for T1-weighted MRI data. Approach Our study examines (1) the ability of off-the-shelf anonymization algorithms to anonymize CT data and (2) the ability of facial recognition algorithms to identify whether faces could be detected from a database of facial images. Our study generated 3D renderings from 57 head CT scans from The Cancer Imaging Archive database. Data were anonymized using AFNI (deface, reface, and 3Dskullstrip) and FSL’s BET. Anonymized data were compared to the original renderings and passed through facial recognition algorithms (VGG-Face, FaceNet, DLib, and SFace) using a facial database (labeled faces in the wild) to determine what matches could be found. Results Our study found that all modules were able to process CT data and that AFNI’s 3Dskullstrip and FSL’s BET data consistently showed lower reidentification rates compared to the original. Conclusions The results from this study highlight the potential usage of anonymization algorithms as a clinical standard for deidentifying brain CT data. Our study demonstrates the importance of continued vigilance for patient privacy in publicly shared datasets and the importance of continued evaluation of anonymization methods for CT data.",
    "topics": [
      "data_anonymization",
      "enterprise_privacy_ops",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Biometric & Immutable PII",
      "Solutions Market"
    ],
    "relevanceScore": 0.65,
    "venue": "Journal of Medical Imaging",
    "language": "en"
  },
  {
    "id": "arxiv:2211.01147",
    "title": "An Easy-to-use and Robust Approach for the Differentially Private De-Identification of Clinical Textual Documents",
    "authors": [
      "Yakini Tchouka",
      "Jean-François Couchot",
      "David Laiymani"
    ],
    "date": "2022-11-02",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2211.01147v1",
    "pdfUrl": "https://arxiv.org/pdf/2211.01147v1",
    "doi": "",
    "abstract": "Unstructured textual data is at the heart of healthcare systems. For obvious privacy reasons, these documents are not accessible to researchers as long as they contain personally identifiable information. One way to share this data while respecting the legislative framework (notably GDPR or HIPAA) is, within the medical structures, to de-identify it, i.e. to detect the personal information of a person through a Named Entity Recognition (NER) system and then replacing it to make it very difficult to associate the document with the person. The challenge is having reliable NER and substitution tools without compromising confidentiality and consistency in the document. Most of the conducted research focuses on English medical documents with coarse substitutions by not benefiting from advances in privacy. This paper shows how an efficient and differentially private de-identification approach can be achieved by strengthening the less robust de-identification method and by adapting state-of-the-art differentially private mechanisms for substitution purposes. The result is an approach for de-identifying clinical documents in French language, but also generalizable to other languages and whose robustness is mathematically proven.",
    "topics": [
      "data_anonymization",
      "pii_entity_types",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.65,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:2101.12099",
    "title": "An Analysis Of Protected Health Information Leakage In Deep-Learning Based De-Identification Algorithms",
    "authors": [
      "Salman Seyedi",
      "Li Xiong",
      "Shamim Nemati",
      "Gari D. Clifford"
    ],
    "date": "2021-01-28",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2101.12099v2",
    "pdfUrl": "https://arxiv.org/pdf/2101.12099v2",
    "doi": "",
    "abstract": "The increasing complexity of algorithms for analyzing medical data, including de-identification tasks, raises the possibility that complex algorithms are learning not just the general representation of the problem, but specifics of given individuals within the data. Modern legal frameworks specifically prohibit the intentional or accidental distribution of patient data, but have not addressed this potential avenue for leakage of such protected health information. Modern deep learning algorithms have the highest potential of such leakage due to complexity of the models. Recent research in the field has highlighted such issues in non-medical data, but all analysis is likely to be data and algorithm specific. We, therefore, chose to analyze a state-of-the-art free-text de-identification algorithm based on LSTM (Long Short-Term Memory) and its potential in encoding any individual in the training set. Using the i2b2 Challenge Data, we trained, then analyzed the model to assess whether the output of the LSTM, before the compression layer of the classifier, could be used to estimate the membership of the training data. Furthermore, we used different attacks including membership inference attack method to attack the model. Results indicate that the attacks could not identify whether members of the training data were distinguishable from non-members based on the model output. This indicates that the model does not provide any strong evidence into the identification of the individuals in the training data set and there is not yet empirical evidence it is unsafe to distribute the model for general use.",
    "topics": [
      "sector_healthcare",
      "data_anonymization",
      "llm_privacy_attacks"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "AI Training PII",
      "Health & Genomic PII"
    ],
    "relevanceScore": 0.65,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:2005.11687",
    "title": "MASK: A flexible framework to facilitate de-identification of clinical texts",
    "authors": [
      "Nikola Milosevic",
      "Gangamma Kalappa",
      "Hesam Dadafarin",
      "Mahmoud Azimaee",
      "Goran Nenadic"
    ],
    "date": "2020-05-24",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2005.11687v2",
    "pdfUrl": "https://arxiv.org/pdf/2005.11687v2",
    "doi": "",
    "abstract": "Medical health records and clinical summaries contain a vast amount of important information in textual form that can help advancing research on treatments, drugs and public health. However, the majority of these information is not shared because they contain private information about patients, their families, or medical staff treating them. Regulations such as HIPPA in the US, PHIPPA in Canada and GDPR regulate the protection, processing and distribution of this information. In case this information is de-identified and personal information are replaced or redacted, they could be distributed to the research community. In this paper, we present MASK, a software package that is designed to perform the de-identification task. The software is able to perform named entity recognition using some of the state-of-the-art techniques and then mask or redact recognized entities. The user is able to select named entity recognition algorithm (currently implemented are two versions of CRF-based techniques and BiLSTM-based neural network with pre-trained GLoVe and ELMo embedding) and masking algorithm (e.g. shift dates, replace names/locations, totally redact entity).",
    "topics": [
      "data_anonymization",
      "pii_entity_types",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.65,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:2204.04775",
    "title": "Few-Shot Cross-lingual Transfer for Coarse-grained De-identification of Code-Mixed Clinical Texts",
    "authors": [
      "Saadullah Amin",
      "Noon Pokaratsiri Goldstein",
      "Morgan Kelly Wixted",
      "Alejandro García-Rudolph",
      "Catalina Martínez-Costa",
      "Günter Neumann"
    ],
    "date": "2022-04-10",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2204.04775v1",
    "pdfUrl": "https://arxiv.org/pdf/2204.04775v1",
    "doi": "",
    "abstract": "Despite the advances in digital healthcare systems offering curated structured knowledge, much of the critical information still lies in large volumes of unlabeled and unstructured clinical texts. These texts, which often contain protected health information (PHI), are exposed to information extraction tools for downstream applications, risking patient identification. Existing works in de-identification rely on using large-scale annotated corpora in English, which often are not suitable in real-world multilingual settings. Pre-trained language models (LM) have shown great potential for cross-lingual transfer in low-resource settings. In this work, we empirically show the few-shot cross-lingual transfer property of LMs for named entity recognition (NER) and apply it to solve a low-resource and real-world challenge of code-mixed (Spanish-Catalan) clinical notes de-identification in the stroke domain. We annotate a gold evaluation dataset to assess few-shot setting performance where we only use a few hundred labeled examples for training. Our model improves the zero-shot F1-score from 73.7% to 91.2% on the gold evaluation set when adapting Multilingual BERT (mBERT) (Devlin et al., 2019) from the MEDDOCAN (Marimon et al., 2019) corpus with our few-shot cross-lingual target corpus. When generalized to an out-of-sample test set, the best model achieves a human-evaluation F1-score of 97.2%.",
    "topics": [
      "data_anonymization",
      "sector_healthcare",
      "pii_entity_types"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Health & Genomic PII"
    ],
    "relevanceScore": 0.65,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:2011.06315",
    "title": "Biomedical Named Entity Recognition at Scale",
    "authors": [
      "Veysel Kocaman",
      "David Talby"
    ],
    "date": "2020-11-12",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2011.06315v1",
    "pdfUrl": "https://arxiv.org/pdf/2011.06315v1",
    "doi": "",
    "abstract": "Named entity recognition (NER) is a widely applicable natural language processing task and building block of question answering, topic modeling, information retrieval, etc. In the medical domain, NER plays a crucial role by extracting meaningful chunks from clinical notes and reports, which are then fed to downstream tasks like assertion status detection, entity resolution, relation extraction, and de-identification. Reimplementing a Bi-LSTM-CNN-Char deep learning architecture on top of Apache Spark, we present a single trainable NER model that obtains new state-of-the-art results on seven public biomedical benchmarks without using heavy contextual embeddings like BERT. This includes improving BC4CHEMD to 93.72% (4.1% gain), Species800 to 80.91% (4.6% gain), and JNLPBA to 81.29% (5.2% gain). In addition, this model is freely available within a production-grade code base as part of the open-source Spark NLP library; can scale up for training and inference in any Spark cluster; has GPU support and libraries for popular programming languages such as Python, R, Scala and Java; and can be extended to support other human languages with no code changes.",
    "topics": [
      "pii_entity_types",
      "data_anonymization",
      "nlp_ner_tools"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.65,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:oai:ria.ua.pt:10773/35124",
    "title": "Automated anonymization of legal contracts in Portuguese",
    "authors": [
      "Martins, Tomás"
    ],
    "date": "2022-11-04",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=oai:ria.ua.pt:10773/35124",
    "pdfUrl": "",
    "doi": "",
    "abstract": "With the introduction of the General Data Protection Regulation, many organizations were left with a large amount of documents containing public information that should have been private. Given that we are talking about quite large quantities of documents, it would be a waste of resources to edit them manually. The objective of this dissertation is the development of an autonomous system for the anonymization of sensitive information in contracts written in Portuguese. This system uses Google Cloud Vision, an API to apply the OCR tecnology, to extract any text present in a document. As there is a possibility that these documents are poorly readable, an image pre-processing is done using the OpenCV library to increase the readability of the text present in the images. Among others, the application of binarization, skew correction and noise removal algorithms were explored. Once the text has been extracted, it will be interpreted by an NLP library. In this project we chose to use spaCy, which contains a Portuguese pipeline trained with the WikiNer and UD Portuguese Bosque datasets. This library not only allows a very complete identification of the part of speech, but also contains four different categories of named entity recognition in its model. In addition to the processing carried out using the spaCy library, and since the Portuguese language does not have a great support, some rule-based algorithms were implemented in order to identify other types of more specific information such as identification number and postal codes. In the end, the information considered confidential is covered by a black rectangle drawn by OpenCV through the coordinates returned by Google Cloud Vision OCR and a new PDF is generated.",
    "topics": [
      "enterprise_privacy_ops",
      "gdpr_compliance",
      "pii_entity_types"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.65,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:5264171",
    "title": "Empowering Data Sovereignty through Artificial Intelligence: A Framework for Sustainable Smart Energy Systems in Saudi",
    "authors": [
      "Elham Albaroudi",
      "Moustafa Elbehairy",
      "Mohammad Nour Eddin Al Hinnawi",
      "Mohammad Hatamleh",
      "Taha Mansouri",
      "Ali Alameer"
    ],
    "date": "2025-09-16",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-05264171v1",
    "pdfUrl": "",
    "doi": "",
    "abstract": "As smart energy systems become central to national sustainability strategies, the issue of data sovereignty—the right of nations to govern data generated within their borders—has gained critical importance in the broader context of global digital governance and energy security. However, most existing AI systems lack built-in mechanisms for jurisdictional compliance and local control. This paper investigates how Artificial Intelligence (AI) can support data sovereignty in smart grid environments. Using a comparative multiple-case study approach—including Gaia-X, Microsoft EU Data Boundary, a decentralized energy pilot in India, and Saudi Arabia’s NEOM, which represents a sovereignty-by-design model aligned with Vision 2030—the study examines AI-enabled compliance mechanisms, federated learning, and sovereign cloud infrastructures. Expert interviews with stakeholders in policy, energy, and AI provide further context. Findings show that AI offers strong potential for enforcing sovereignty when supported by aligned legal frameworks and sovereignty-by-design architecture. For example, in India’s pilot project, federated AI reduced cross-border data transfers by more than 70% while maintaining forecasting accuracy. Beyond the energy sector, the proposed conceptual framework has applications in finance, healthcare, and smart cities. In particular, the NEOM case highlights Saudi Arabia’s leadership in embedding ethical and cultural governance into AI-enabled sovereignty. Practical recommendations are made to guide sustainable and ethical AI deployment in digital energy infrastructure. These results support global digital sovereignty goals and align with SDGs related to clean energy, innovation, and governance.",
    "topics": [
      "power_knowledge_asymmetry",
      "jurisdiction_regulatory",
      "ai_governance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.65,
    "venue": "Current Journal of Applied Science and Technology",
    "language": "en"
  },
  {
    "id": "ETid-43",
    "title": "GDPR Fine: Private company working with data from publicly available sources — Polish National Personal Data Protection Office (UODO) (Poland)",
    "authors": [
      "Polish National Personal Data Protection Office (UODO)"
    ],
    "date": "2019-03-26",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-43",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €220,000 | Articles: Art. 14 GDPR | Insufficient fulfilment of information obligations | The fine concerned the proceedings related to the activity of a company which processed the data subjects’ data obtained from publicly available sources, inter alia from the Central Electronic Register and Information on Economic Activity, and processed the data for commercial purposes. The authority verified incompliance with the information obligation in relation to natural persons conducting business activity – entrepreneurs who are currently conducting such activity or have suspended it, as well as entrepreneurs who conducted such activity in the past. The controller fulfilled the information obligation by providing the information required under Art. 14 (1) – (3) of the GDPR only in relation to the persons whose e-mail addresses it had at its disposal. In case of the remaining persons the controller failed to comply with the information obligation – as it explained in the course of the proceedings – due to high operational costs. Therefore, it presented the information clause only on its website. According to the UODO this is not sufficient.\n\nAddendum: In the meantime, the court has cancelled the fine due to procedural errors. The amount of the fine has to be determined by the concrete number of data records concerned. However, the Office had not submitted any verifiable evidence in this regard, but had simply assumed that 6 million data sets were involved, which the data controller had denied. Therefore, important statements were missing. In particular, it was incorrect to justify the amount of the fine on the basis of general preventive considerations. Art. 58 GDPR expressly states that a fine imposed must be related to the specific facts of the case. The Polish data protection authority has already announced that the fine will be revised in a new administrative procedure.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.65,
    "venue": "GDPR DPA: Polish National Personal Data Protection Office (UODO)",
    "language": "en"
  },
  {
    "id": "ETid-67",
    "title": "GDPR Fine: School in Skellefteå — Data Protection Authority of Sweden (Sweden)",
    "authors": [
      "Data Protection Authority of Sweden"
    ],
    "date": "2019-08-20",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-67",
    "pdfUrl": "https://www.datainspektionen.se/globalassets/dokument/beslut/facial-recognition-used-to-monitor-the-attendance-of-students.pdf",
    "doi": "",
    "abstract": "Fine: €18,630 | Articles: Art. 5 (1) c) GDPR, Art. 9 GDPR, Art. 35 GDPR, Art. 36 GDPR | Insufficient legal basis for data processing | A school in Skellefteå made a trial to use facial recognition technology. The fine was imposed against the school which had used facial recognition technology to monitor the attendance of students. Even though, in general, data processing for the purpose of monitoring attendance is possible doing so with facial recognition is disproportioned to the goal to monitor attendance.  The supervisory authority is of the opinion that biometric data of students was processed which is why Art. 9 GDPR is applicable. Additionally, the authority argued that consent can not be applied since students and their guardians cannot freely decide if they/their children want to be monitored for attendance purposes. When examining if the school board can rely on any of the exemptions listed in Art. 9 (2), the supervisory authority found that this was not the case. The supervisory authority also found that there was a case of a processing activity with high risks since new technology was used to process sensitive personal data concerning children who are in a dependency position to the high school board and due to camera surveillance being used in the students everyday environment. In the view of the authority, the school board was not able to demonstrate compliance with Art. 35 GDPR and that the school board was required to consult the authority in accordance with Art. 36 (1) GDPR.",
    "topics": [
      "jurisdiction_regulatory",
      "gdpr_compliance",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.65,
    "venue": "GDPR DPA: Data Protection Authority of Sweden",
    "language": "en"
  },
  {
    "id": "ETid-79",
    "title": "GDPR Fine: Morele.net — Polish National Personal Data Protection Office (UODO) (Poland)",
    "authors": [
      "Polish National Personal Data Protection Office (UODO)"
    ],
    "date": "2019-09-10",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-79",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €660,000 | Articles: Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Polish data protection authority imposed a fine of over PLN 2.8 million (approx. €644,780) on Morele.net for insufficient organisational and technical safeguards, which led to unauthorised access to the personal data of 2.2 million people.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.65,
    "venue": "GDPR DPA: Polish National Personal Data Protection Office (UODO)",
    "language": "en"
  },
  {
    "id": "ETid-99",
    "title": "GDPR Fine: Deutsche Wohnen SE — Data Protection Authority of Berlin (Germany)",
    "authors": [
      "Data Protection Authority of Berlin"
    ],
    "date": "2019-10-30",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-99",
    "pdfUrl": "https://www.datenschutz-berlin.de/fileadmin/user_upload/pdf/pressemitteilungen/2019/20191105-PM-Bussgeld_DW.pdf",
    "doi": "",
    "abstract": "Fine: €Unknown | Articles: Art. 5 GDPR | Non-compliance with general data processing principles | In addition to sanctioning violations of privacy by design principles (Art. 5 GDPR, Art. 25 GDPR - see separate entry), the Berlin data protection commissioner imposed further fines of between 6,000 and 17,000 euros on the company for the inadmissible storage of personal data of tenants in 15 specific individual cases.",
    "topics": [
      "jurisdiction_regulatory",
      "gdpr_compliance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations",
      "Solutions Market"
    ],
    "relevanceScore": 0.65,
    "venue": "GDPR DPA: Data Protection Authority of Berlin",
    "language": "en"
  },
  {
    "id": "ETid-224",
    "title": "GDPR Fine: School in Gdansk (Danzig) (fine imposed against town of Gdansk) — Polish National Personal Data Protection Office (UODO) (Poland)",
    "authors": [
      "Polish National Personal Data Protection Office (UODO)"
    ],
    "date": "2020-03-04",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-224",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €0 | Articles: Art. 5 GDPR, Art. 9 GDPR | Insufficient legal basis for data processing | Original summary: A school in Gdansk used biometric fingerprint scanners to authenticate students for the payment process in the school canteen. Although the parents had given their written consent to such data processing, the data protection authority considered the processing of the student data to be unlawful, as the consent to data processing was not given voluntarily.\nUpdate: Update: On August 7, 2020, the Provincial Administrative Court in Warsaw overturned the decision of the Polish DPA imposing a fine of EUR 4,600.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.65,
    "venue": "GDPR DPA: Polish National Personal Data Protection Office (UODO)",
    "language": "en"
  },
  {
    "id": "ETid-267",
    "title": "GDPR Fine: Vis Consulting Sp. z o.o. — Polish National Personal Data Protection Office (UODO) (Poland)",
    "authors": [
      "Polish National Personal Data Protection Office (UODO)"
    ],
    "date": "2020-03-09",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-267",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €4,400 | Articles: Art. 31 GDPR, Art. 58 GDPR | Insufficient cooperation with supervisory authority | The company prevented an inspection by the data protection authority. As a result, the company has violated Article 31 in conjunction with Article 58(1)(e) and (f) of the GDPR.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.65,
    "venue": "GDPR DPA: Polish National Personal Data Protection Office (UODO)",
    "language": "en"
  },
  {
    "id": "ETid-821",
    "title": "GDPR Fine: Furnishyourspace S.L. — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2021-08-30",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-821",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00462-2019.pdf",
    "doi": "",
    "abstract": "Fine: €6,000 | Articles: Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 21 (4) GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) imposed a fine of EUR 6,000 on FurnishYourSpace S.L.. The AEPD had received a complaint from the Berlin DPA via the EU Internal Market Information System about the inadequate design of the controller's privacy notice. \nNamely, the identity and contact details of the controller were provided in the privacy notice, but under a misleading heading that gave the impression that they were provided for a business purpose. In addition, the purposes of the processing were not clearly stated. \nNo information was provided regarding the legal basis, the retention period of the personal data and the data subjects' right to object. Also, the privacy notice was confusing and the wording contained grammatical errors and used terms that are not part of common usage.\n\nIn addition, the privacy notice required a tax identification number in order to issue a simplified invoice, i.e., an invoice not exceeding the amount of EUR 3,000. The AEPD found this to be a violation of the principle of legality. \n\nThe fine is composed as follows:\n\nEUR 3,000 for a breach of Art. 12 GDPR and Art. 13 GDPR;\nEUR 1,000 for a breach of Art. 21 (4) GDPR; and\nEUR 2,000 for a breach of Art. 5 (1) a) GDPR and Art. 6 GDPR.",
    "topics": [
      "jurisdiction_regulatory",
      "gdpr_compliance",
      "pii_entity_types"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.65,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-1361",
    "title": "GDPR Fine: ACCOR SA — French Data Protection Authority (CNIL) (France)",
    "authors": [
      "French Data Protection Authority (CNIL)"
    ],
    "date": "2022-08-19",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1361",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €600,000 | Articles: Art. 12 GDPR, Art. 13 GDPR, Art. 15 GDPR, Art. 21 GDPR, Art. 32 GDPR, L. 34-5 CPCE | Insufficient fulfilment of data subjects rights | The French DPA (CNIL) has imposed a fine of EUR 600,000 on ACCOR SA.\r\n\r\nBoth CNIL and other European DPAS had received complaints against ACCOR from several individuals. \r\n\r\nIn the course of its investigation, CNIL found that hotel guests who made a booking directly with the hotel or on one of the hotel group's websites automatically became recipients of an advertising newsletter as the box for consent to receive the newsletter was pre-ticked. In addition, the CNIL found that due to technical problems, many individuals were unable to opt-out of receiving the promotional emails. \r\n\r\nIn this context, CNIL found that ACCOR had not sufficiently informed data subjects about the processing of their personal data in the context of promotional messages and thus violated Art. 12 GDPR and Art. 13 GDPR. \r\n\r\nFurther, ACCOR had failed to respond to data subjects' requests for access to personal data in a timely manner, and thus the CNIL found a violation of Art. 12 GDPR and Art. 15 GDPR. \r\n\r\nThe company had also failed to comply with the data subjects' right to object due to the technical problems. The CNIL therefore found a violation of Art. 12 GDPR and Art. 21 GDPR. \r\n\r\nFinally, the CNIL found a violation of Art. 32 GDPR because ACCOR allowed the use of passwords that were not sufficiently secure. \r\n\r\nIn imposing the fine, CNIL considered aggravatingly that the violations affected several fundamental principles of personal data protection and constituted a fundamental infringement of the rights of the data subjects, as well as the number of data subjects involved.",
    "topics": [
      "jurisdiction_regulatory",
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.65,
    "venue": "GDPR DPA: French Data Protection Authority (CNIL)",
    "language": "en"
  },
  {
    "id": "ETid-1487",
    "title": "GDPR Fine: UNITED PARCEL SERVICE ESPAÑA LTD Y COMPAÑIA SRC — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2022-11-03",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1487",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00280-2022.pdf",
    "doi": "",
    "abstract": "Fine: €70,000 | Articles: Art. 5 (1) f) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 70,000 on UNITED PARCEL SERVICE ESPAÑA LTD Y COMPAÑIA SRC (UPS). A person had filed a complaint with the DPA because UPS had delivered a package from them to a neighbor without their consent. The DPA considered this to be an unauthorized disclosure of their data, which was a result of a lack of technical and organizational measures for personal data protection. The DPA also found that this unauthorized disclosure of personal data constituted a violation of the principle of integrity and confidentiality.",
    "topics": [
      "jurisdiction_regulatory",
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.65,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "doaj:027aa86a824d402f901d544ecb773523",
    "title": "The State and Personal Data in the Post-GDPR World:  Towards a Global Consensus or Regulatory Fragmentation?",
    "authors": [
      "Igor Dunayev",
      "Nataliya Lugovenko"
    ],
    "date": "2024",
    "platform": "doaj",
    "sourceUrl": "https://periodicals.karazin.ua/tpdu/article/view/25807",
    "pdfUrl": "",
    "doi": "10.26565/1727-6667-2024-2-02",
    "abstract": "This article explores the transformation of the state’s role in regulating personal data in the post-GDPR world. The author analyzes the impact of the EU’s General Data Protection Regulation (GDPR) on the evolution of the global privacy protection landscape, identifying trends towards harmonization and fragmentation of national legislations. The changing functions of the state as a regulator and guarantor of personal data protection in the context of digitalization are unveiled. The potential of blockchain technologies and distributed ledgers in ensuring user control over data is investigated. The influence of the development of the data market and new business models on the regulatory approaches of states and corporations is analyzed. The consequences of the spread of decentralized services for the relationships between the state, business, and civil society are considered. Priority directions for improving Ukrainian legislation in the field of personal data protection are substantiated, taking into account the realities of Web 3.0 and the need to balance innovation and security. The key idea is that the post-GDPR world stands at a crossroads between further fragmentation of the regulatory landscape and a long path towards harmonizing privacy standards. The choice of development trajectory depends on the coordinated political will of states, corporations, and global civil society to protect personal data as a shared value that unites humanity in the digital age. The article delves into the complex interplay of technological, legal, and societal factors shaping the future of data governance, offering insights into the challenges and opportunities ahead. It highlights the need for adaptive and inclusive regulatory frameworks that balance individual rights, economic interests, and public goods in an increasingly data-driven world.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "Theory and Practice of Public Administration",
    "language": "en"
  },
  {
    "id": "doaj:0288394087224739b981795e34c61839",
    "title": "Comparative Insights from the EU’s GDPR and China’s PIPL for Advancing Personal Data Protection Legislation",
    "authors": [
      "Gulbakyt Bolatbekkyzy"
    ],
    "date": "2024",
    "platform": "doaj",
    "sourceUrl": "https://ugp.rug.nl/GROJIL/article/view/42173",
    "pdfUrl": "",
    "doi": "10.21827/grojil.11.1.129-146",
    "abstract": "The article outlines the fundamental principles of personal data protection and the legal frameworks that safeguard individuals in the ever-evolving digital world. By examining the regulatory frameworks, strategies, and outcomes of the European Union and China, the study aims to provide insightful lessons and potential best practices that can be adapted to suit specific national contexts. Additionally, it discusses the challenges with interpreting, applying, and enforcing the General Data Protection Regulation (GDPR) of the EU and the Personal Information Protection Law (PIPL) of China. Finally, it highlights the features of the PIPL, which is the country's first comprehensive law controlling the protection of personal information comprehensively. The constant comparative method guided the data analysis, which was based on the publications from the official documents of two respective states, which in turn served as the main source to compile the content of the research. It shows the difficulties and shortfalls of both legislations and offers comparative ideas from China's PIPL and the EU's GDPR for advancing personal data protection laws. Concluding remarks highlight the need for continual discussion and revision of legal frameworks to reconcile the benefits of technological advancement with the defense of fundamental rights in digital space.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "Groningen Journal of International Law",
    "language": "en"
  },
  {
    "id": "doaj:114aba75155f41418c5489e5c4084463",
    "title": "Assessing Compliance in Child-Facing High-Risk AI IoT Devices: Legal Obligations Under the EU’s AI Act and GDPR",
    "authors": [
      "Mohammed Rashed",
      "Yasser Essa"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://www.mdpi.com/2673-4001/6/4/79",
    "pdfUrl": "",
    "doi": "10.3390/telecom6040079",
    "abstract": "The rapid and ongoing adoption of smart home products, coupled with the increasing integration of artificial intelligence (AI), particularly in these products, is an undeniable reality. However, as both technologies converge, they also give rise to a range of significant concerns. The EU’s recent AI Act specifically addresses the challenges associated with the use of AI technology. In this study, we examine three AI-integrated products with toy capabilities that are sold in Spain, serving as a case study for the EU market of smart home devices that incorporate AI. Our research aims to identify potential compliance issues with both the AI Act and the General Data Protection Regulation (GDPR). Our results reveal a clear and worrying gap between the existing legislation and the functionalities of these devices. Using a normal user’s approach, we find that the privacy policies for these products, whose features make them <i>high-risk AI systems</i>, <i>AI systems with systemic risk</i>, or both as per the AI Act, fail to provide any information about AI usage, particularly of ChatGPT, which they all integrate. This raises significant concerns, especially as the market for such products will continue to grow. Without rigorous enforcement of existing legislation, the risk of misuse of sensitive personal information becomes even greater, making strict regulatory oversight essential to ensure user protection.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "Telecom",
    "language": "en"
  },
  {
    "id": "doaj:07ba357dc4f84aa4b46f79cd47a93a72",
    "title": "Enhancing catchment area tools: A de-identification method for integrating clinical trial data with Cancer InFocus",
    "authors": [
      "Daniel Antonio",
      "Todd Burus",
      "Tarneka Manning",
      "Michael Gurley",
      "Giorgio Di Salvo",
      "Jorge Andres Heneche",
      "Carolyn Passaglia",
      "Masha Kocherginsky",
      "Melissa A. Simon"
    ],
    "date": "2024",
    "platform": "doaj",
    "sourceUrl": "https://www.tandfonline.com/doi/10.1080/28322134.2024.2388564",
    "pdfUrl": "",
    "doi": "10.1080/28322134.2024.2388564",
    "abstract": "Background: National Cancer Institute (NCI) designated cancer centers are entrusted with assessing the cancer burden within their catchment areas and using this information to guide research and outreach efforts. Data visualizations, like Cancer InFocus, have emerged as essential tools for facilitating this effort. Integrating clinical trial accrual data can further enhance our understanding of the catchment area. However, these data must be de-identified in accordance with the Health Insurance Portability and Accountability Act (HIPAA). This study introduces a de-identification method through geographic aggregation, ensuring HIPAA compliance and enabling comprehensive catchment area surveillance. Methods: Home addresses of patients enrolled in clinical trials at an NCI-designated Comprehensive Cancer Center were geocoded to census tracts. Tracts with less than 20 accruals were merged using the R geographic aggregation tool. A risk assessment was conducted to ensure low re-identification risk. Accrual rates were calculated and integrated into Cancer InFocus. Results: Successful aggregation exceeded the 20-patient threshold for all merged tracts with low re-identification risk. Disparities between clinical trial accruals and social determinants of health were identified. Discussion: The geographic aggregation method, compliant with HIPAA standards and integrated with Cancer InFocus, can enhance catchment area surveillance, furthering cancer research and outreach by pinpointing area-specific needs.",
    "topics": [
      "data_anonymization",
      "sector_healthcare"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Health & Genomic PII"
    ],
    "relevanceScore": 0.637,
    "venue": "Preventive Oncology & Epidemiology",
    "language": "en"
  },
  {
    "id": "doaj:c4827a27d0f1424285d6d4f7f9e18450",
    "title": "Deep Learning Framework for Advanced De-Identification of Protected Health Information",
    "authors": [
      "Ahmad Aloqaily",
      "Emad E. Abdallah",
      "Rahaf Al-Zyoud",
      "Esraa Abu Elsoud",
      "Malak Al-Hassan",
      "Alaa E. Abdallah"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://www.mdpi.com/1999-5903/17/1/47",
    "pdfUrl": "",
    "doi": "10.3390/fi17010047",
    "abstract": "Electronic health records (EHRs) are widely used in healthcare institutions worldwide, containing vast amounts of unstructured textual data. However, the sensitive nature of Protected Health Information (PHI) embedded within these records presents significant privacy challenges, necessitating robust de-identification techniques. This paper introduces a novel approach, leveraging a Bi-LSTM-CRF model to achieve accurate and reliable PHI de-identification, using the i2b2 dataset sourced from Harvard University. Unlike prior studies that often unify Bi-LSTM and CRF layers, our approach focuses on the individual design, optimization, and hyperparameter tuning of both the Bi-LSTM and CRF components, allowing for precise model performance improvements. This rigorous approach to architectural design and hyperparameter tuning, often underexplored in the existing literature, significantly enhances the model’s capacity for accurate PHI tag detection while preserving the essential clinical context. Comprehensive evaluations are conducted across 23 PHI categories, as defined by HIPAA, ensuring thorough security across critical domains. The optimized model achieves exceptional performance metrics, with a precision of 99%, recall of 98%, and F1-score of 98%, underscoring its effectiveness in balancing recall and precision. By enabling the de-identification of medical records, this research strengthens patient confidentiality, promotes compliance with privacy regulations, and facilitates safe data sharing for research and analysis.",
    "topics": [
      "sector_healthcare",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Health & Genomic PII"
    ],
    "relevanceScore": 0.637,
    "venue": "Future Internet",
    "language": "en"
  },
  {
    "id": "doaj:228fffc7ea1a4805be5676f38a188f57",
    "title": "GDPR Compliance Assessment for Cross-Border Personal Data Transfers in Android Apps",
    "authors": [
      "Danny S. Guaman",
      "Jose M. Del Alamo",
      "Julio C. Caiza"
    ],
    "date": "2021",
    "platform": "doaj",
    "sourceUrl": "https://ieeexplore.ieee.org/document/9328756/",
    "pdfUrl": "",
    "doi": "10.1109/access.2021.3053130",
    "abstract": "The pervasiveness of Android mobile applications and the services they support allow the personal data of individuals to be collected and shared worldwide. However, data protection legislations usually require all participants in a personal data flow to ensure an equivalent level of personal data protection, regardless of location. In particular, the European General Data Protection Regulation constrains cross-border transfers of personal data to non-EU countries and establishes specific requirements to carry them out. This article presents a method to systematically assess compliance of Android mobile apps with the requirements for cross-border transfers established by the European data protection regulation. We have validated the method with one hundred Android apps, finding an outstanding 66% of ambiguous, inconsistent and omitted cross-border transfer disclosures.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "IEEE Access",
    "language": "en"
  },
  {
    "id": "doaj:6fa4285172e6452ca498dcd223c803bd",
    "title": "Schrems II: Will It Really Increase the Level of Privacy Protection against Mass Surveillance?",
    "authors": [
      "Václav Stehlík",
      "Lusine Vardanyan"
    ],
    "date": "2020",
    "platform": "doaj",
    "sourceUrl": "https://blr.flaw.uniba.sk/index.php/BLR/article/view/215",
    "pdfUrl": "",
    "doi": "10.46282/blr.2020.4.2.215",
    "abstract": "An important event that once again brought to the forefront issues related to mass surveillance was the judgment of the Court of Justice of the European Union (hereafter referred as CJEU) delivered on July 16, 2020 in the case of Data Protection Commissioner v. Facebook Ireland Ltd. and Maximilian Schrems (Schrems II). It can be considered as the first serious precedent in the field of surveillance, which is aimed at ensuring privacy in the field of national security. Therefore, it becomes an important issue to assess its impact on the legal framework of international transfers of personal data and on the level of privacy protection. The impact of the judgment on the level of privacy protection and mass surveillance is particularly important now that COVID-19 contact tracing programs are being widely used. In this research we try to trace the formation of the approach to mass surveillance in the case-law of CJEU before and after the Schrems II. We also try to point out some of the difficulties that the process of cross-border data transfer will face after the Schrems II. The main question of the study is whether the approach of the CJEU developed in the Schrems II will actually increase the privacy protection against mass surveillance. We conclude that the Schrems II is an important decision with serious consequences that go beyond the direct impact on data transfer between the EU and the US. It can have controversial influence of the level of privacy protection. Together with the positive trend of formation of more harmonized global data protection standards it can create many unresolved problems in the field of international data transfer and in economic dimension.",
    "topics": [
      "jurisdiction_regulatory",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Sector Regulations",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.637,
    "venue": "Bratislava Law Review",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2893955306",
    "title": "Approach of selected business entities to GDPR implementation",
    "authors": [
      "Marie Černá",
      "Radek Sieber"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "http://doi.org/10.15240/tul/004/2018-2-002",
    "pdfUrl": "https://doi.org/10.15240/tul/004/2018-2-002",
    "doi": "https://doi.org/10.15240/tul/004/2018-2-002",
    "abstract": "Personal data protection represents an issue which began to be dealt with in the context of religious conflicts and came to the fore after the Second World War when possible negative consequences of the misuse of personal data were made visible. Personal data protection is currently mentioned in relation with the implementation of General Data Protection Regulation (GDPR) by EU member countries. The objective of this article is to evaluate attitudes of further specified research sample consisting of entrepreneurial entities doing business in the Czech Republic to the changes set by the new legislative regulation of data protection. This article presents mainly the results of quantitative research based on data gathered through a questionnaire survey processing, identifies the weak areas of GDPR implementation process and proposes possible improvements leading to a more comfortable transition of business entities to the current legislative conditions in the area of personal data protection set by the European Parliament and the Council of the European Union.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "ACC Journal",
    "language": "en"
  },
  {
    "id": "europepmc:41402406",
    "title": "Hybrid GNN-LSTM defense with differential privacy and secure multi-party computation for edge-optimized neuromorphic autonomous systems.",
    "authors": [
      "Rekik S",
      "Mehmood S."
    ],
    "date": "2025-12-16",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1038/s41598-025-27691-6",
    "pdfUrl": "https://europepmc.org/articles/PMC12708677?pdf=render",
    "doi": "10.1038/s41598-025-27691-6",
    "abstract": "Neuromorphic computing, which is based on spiking neural networks (SNNs) and event cameras, can provide energy-efficient autonomous vehicle (AV) perception, yet is exceedingly susceptible to adversarial perturbations, fault injections, and data poisoning. Conventional defences may prove inadequate on the spot scenarios with a small amount of edge resources. The systemic security solution proposed in the paper consists of a Hybrid Graph Neural Network-Long Short-Term Memory (GNN-LSTM) attack detection model with a Differential Privacy (DP) and Secure Multi-Party Computation (SMPC) solution to privacy and threat-reduction respectively. Quantization and pruning are also used to optimise the framework to support edge deployment. KITTI multimodal experiment results indicate 94.3 percent accuracy and lower the attack success rate by 30 percent. The neuromorphic N-Caltech101 experiments reach an accuracy of 92.4 percent with a drop of 27 percent. These results confirm that the proposed solution can offer substantial, privacy-conscious and resource-efficient security of next-generation neuromorphic autonomous systems against trained adversarial attacks.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.637,
    "venue": "Scientific reports",
    "language": "de"
  },
  {
    "id": "europepmc:PPR1040329",
    "title": "Differential Privacy Techniques in Machine Learning for Health Record Analysis",
    "authors": [
      "Paulson D",
      "Elvis G."
    ],
    "date": "2025-06-20",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.20944/preprints202506.1752.v1",
    "pdfUrl": "https://www.preprints.org/frontend/manuscript/6a5ba53b9199755ea99cad6704f117c5/download_pub",
    "doi": "10.20944/preprints202506.1752.v1",
    "abstract": "The integration of machine learning (ML) into healthcare has revolutionized the analysis of Electronic Health Records (EHRs), enabling more accurate predictions, earlier diagnoses, and personalized treatment strategies. However, the inherent sensitivity and legal protection of health records introduce significant privacy concerns when applying data-driven models to patient information. Traditional de-identification methods have proven insufficient against modern re-identification attacks, necessitating more robust privacy-preserving frameworks. This research explores the application of differential privacy (DP) techniques in machine learning for health record analysis, providing formal privacy guarantees while maintaining analytic utility. Differential privacy introduces controlled randomness into the learning process to obfuscate individual contributions, thereby preventing adversaries from inferring whether any particular patient’s data was included in the training set. This study presents a comprehensive review of DP mechanisms—including the Laplace mechanism, Gaussian mechanism, and privacy budget accounting—in the context of supervised and unsupervised learning models applied to EHRs. A detailed taxonomy of existing DP-enhanced ML frameworks is provided, followed by a critical evaluation of their performance across several public and synthetic health record datasets. Furthermore, this research investigates the trade-offs between model accuracy and privacy guarantees, analyzing how privacy budgets (ε) influence utility in disease prediction, patient stratification, and risk modeling. The paper also introduces an experimental pipeline that integrates DP into deep learning models (e.g., DP-SGD) for structured clinical data and unstructured clinical notes. Special attention is given to challenges such as gradient leakage, overfitting under noise, and handling class imbalance in sensitive datasets. \nFinally, the study addresses the practical implementation of differe",
    "topics": [
      "data_anonymization",
      "llm_privacy_attacks"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "AI Training PII"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "de"
  },
  {
    "id": "europepmc:36850576",
    "title": "Task-Specific Adaptive Differential Privacy Method for Structured Data.",
    "authors": [
      "Utaliyeva A",
      "Shin J",
      "Choi YH."
    ],
    "date": "2023-02-10",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.3390/s23041980",
    "pdfUrl": "https://europepmc.org/articles/PMC9966464?pdf=render",
    "doi": "10.3390/s23041980",
    "abstract": "Data are needed to train machine learning (ML) algorithms, and in many cases often include private datasets that contain sensitive information. To preserve the privacy of data used while training ML algorithms, computer scientists have widely deployed anonymization techniques. These anonymization techniques have been widely used but are not foolproof. Many studies showed that ML models using anonymization techniques are vulnerable to various privacy attacks willing to expose sensitive information. As a privacy-preserving machine learning (PPML) technique that protects private data with sensitive information in ML, we propose a new task-specific adaptive differential privacy (DP) technique for structured data. The main idea of the proposed DP method is to adaptively calibrate the amount and distribution of random noise applied to each attribute according to the feature importance for the specific tasks of ML models and different types of data. From experimental results under various datasets, tasks of ML models, different DP mechanisms, and so on, we evaluate the effectiveness of the proposed task-specific adaptive DP method. Thus, we show that the proposed task-specific adaptive DP technique satisfies the model-agnostic property to be applied to a wide range of ML tasks and various types of data while resolving the privacy-utility trade-off problem.",
    "topics": [
      "data_anonymization",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.637,
    "venue": "Sensors (Basel, Switzerland)",
    "language": "de"
  },
  {
    "id": "europepmc:PPR1036800",
    "title": "Privacy-Preserving Machine Learning for Electronic Health Records",
    "authors": [
      "Graham O",
      "Hamilton D."
    ],
    "date": "2025-06-13",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.20944/preprints202506.1137.v1",
    "pdfUrl": "https://www.preprints.org/frontend/manuscript/85b172202b6ac91d405177389257d80c/download_pub",
    "doi": "10.20944/preprints202506.1137.v1",
    "abstract": "The integration of machine learning (ML) in healthcare has the potential to revolutionize patient care, optimize clinical workflows, and facilitate personalized medicine. However, the utilization of electronic health records (EHRs) for training ML models raises significant privacy concerns due to the sensitive nature of health data. This paper explores the emerging field of privacy-preserving machine learning (PPML) as a critical approach to safeguarding patient confidentiality while enabling the effective analysis of EHRs. We systematically review various PPML techniques, including differential privacy, homomorphic encryption, and federated learning, assessing their applicability in the context of healthcare data. Differential privacy is examined as a method for adding controlled noise to data outputs, ensuring that the contributions of individual patients cannot be easily inferred. We discuss its implementation challenges, particularly in maintaining the trade-off between data utility and privacy guarantees. Homomorphic encryption, which allows computations to be performed on ciphertexts, is analyzed for its capacity to secure sensitive health information during model training and inference. However, we highlight the computational complexity and resource demands associated with this technique, which may limit its practical application in real-world healthcare settings. Federated learning emerges as a promising paradigm that enables decentralized model training across multiple institutions, allowing EHRs to remain localized and secure. This section delves into the benefits of federated learning in facilitating collaborative research while addressing the challenges of communication overhead and model performance. We also consider hybrid approaches that combine multiple privacy-preserving techniques to enhance security without significantly compromising model accuracy. \nFurthermore, we investigate the ethical and regulatory implications of implementing PPML in healthc",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "de"
  },
  {
    "id": "europepmc:PPR1036823",
    "title": "Secure Aggregation Protocols in Federated AI for Anonymized Health Data",
    "authors": [
      "Graham O",
      "Hamilton D."
    ],
    "date": "2025-06-13",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.20944/preprints202506.1115.v1",
    "pdfUrl": "https://www.preprints.org/frontend/manuscript/f0ed563ebb091a972750911851105ade/download_pub",
    "doi": "10.20944/preprints202506.1115.v1",
    "abstract": "In the increasingly data-driven landscape of healthcare, the application of Federated Learning (FL) has emerged as a transformative paradigm, enabling the collaborative training of machine learning models across decentralized datasets while preserving data privacy. This approach is particularly pertinent for health data, which is often sensitive and subject to stringent regulatory requirements. However, the integration of secure aggregation protocols within Federated AI systems is crucial for ensuring the confidentiality and integrity of anonymized health data during the aggregation process. This paper comprehensively reviews the state of secure aggregation protocols in the context of Federated AI, emphasizing their role in safeguarding patient privacy while allowing for the effective utilization of health data. We categorize existing secure aggregation methods based on their cryptographic techniques, including homomorphic encryption, secure multiparty computation, and differential privacy, analyzing their strengths and limitations in practical applications. Furthermore, we explore the implications of these protocols on data utility, computational efficiency, and scalability in real-world healthcare settings. By synthesizing recent advancements and ongoing challenges in the field, this study underscores the importance of designing robust aggregation protocols that not only enhance security but also facilitate the seamless integration of diverse health data sources. We propose a framework for evaluating the performance of these protocols, taking into account factors such as communication overhead, resilience against attacks, and adaptability to various federated learning architectures. Our findings indicate that while significant progress has been made, there remains a critical need for ongoing research to balance the trade-offs between security, privacy, and model performance. \nThis paper aims to contribute to the development of more sophisticated secure aggregation ",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "de"
  },
  {
    "id": "europepmc:41737815",
    "title": "EUPID-configurable privacy-preserving record linkage in federated health data spaces.",
    "authors": [
      "Hayn D",
      "Sandner E",
      "Baumgartner M",
      "Jammerbund B",
      "Wiesmüller F",
      "Beyer S",
      "Vinatzer H",
      "Rzepka A",
      "Donsa K",
      "Kreiner K",
      "Schreier G."
    ],
    "date": "2026-02-09",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.3389/fdgth.2026.1751234",
    "pdfUrl": "https://europepmc.org/articles/PMC12927036?pdf=render",
    "doi": "10.3389/fdgth.2026.1751234",
    "abstract": "<h4>Introduction</h4>Rare disease research relies heavily on secondary use of health data due to the scarcity of clinical guidelines and data sharing between research institutions and hospitals. Linking rare disease patients is challenging due to increased re-identification risk in small cohorts, thus limiting the data's potential for research. Privacy-Preserving Record Linkage (PPRL) enables the linkage of disparate datasets while safeguarding the identities of involved participants.<h4>Methods</h4>The aim of the present paper is to provide an up-to-date description of the concept and the technical details of the European Patient Identity (EUPID) Services, a configurable PPRL solution which is currently used for rare disease research in Europe to bridge healthcare and research. They support different algorithms for record linkage (configurable selection of quasi-identifiers, various hashing algorithms, phonetic hashing, Bloom filters), re-identification and flexible specification of the pseudonym format. Furthermore, their setup is also flexible whether to install standalone instances or integrate with a central EUPID Services deployment.<h4>Results</h4>The EUPID Services have been used in various research applications since 2014. As of July 2025, 6,356 unique patients have been registered to the central EUPID Services within the domain Paediatric Oncology in Europe, and 10,340 pseudonyms for 12 EUPID Contexts have been generated. Within the Austrian Health Data Donation Space, which represents a federated PPRL infrastructure supporting asynchronous record linkage, more than 16 million patients were pseudonymised in six different contexts. Overall, four cases of false negative matches have been identified, which were caused by typing errors. \nSo far, no false positive match has ever been detected.<h4>Discussion</h4>In view of the upcoming European legislatives like the European Health Data Space (EHDS), connecting patient data securely and safely will become increas",
    "topics": [
      "data_anonymization",
      "linkability_tracking"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Re-identification"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "de"
  },
  {
    "id": "europepmc:PPR1133489",
    "title": "LGPD Benchmark: A Legal Text Corpus for Evaluating Personal Data Pseudonymization in Brazilian Portuguese",
    "authors": [
      "Filho MAdS",
      "Ribas BC."
    ],
    "date": "2025-12-12",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.21203/rs.3.rs-8309951/v1",
    "pdfUrl": "https://doi.org/10.21203/rs.3.rs-8309951/v1",
    "doi": "10.21203/rs.3.rs-8309951/v1",
    "abstract": "Compliance with data protection laws, such as Brazil's General Data Protection Law (LGPD), requires automated tools capable of identifying and processing personal information in legal texts. However, there are still no public benchmarks designed for the systematic evaluation of such solutions in the Brazilian context. This work introduces the LGPD Benchmark, the first foundational corpus for evaluating textual pseudonymization techniques in Portuguese legal language. The benchmark consists of 120 synthetic documents covering nine areas of law, annotated according to LGPD-based guidelines. We evaluate large language models (LLMs), such as GPT, Gemini, Claude, and the Brazilian model Sabiá, on tasks involving the recognition of personal and sensitive entities, using classical NER metrics with an emphasis on Recall as a measure of privacy protection. The results indicate that international models achieve higher overall coverage, while the Brazilian model demonstrates competitiveness in formal and structured domains. The LGPD Benchmark provides a public and reproducible baseline for research on text anonymization and regulatory compliance, fostering the development of ethical and transparent solutions aligned with the LGPD.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "de"
  },
  {
    "id": "europepmc:40968117",
    "title": "Comparison of Three Anonymization Tools for a Health Fitness Study.",
    "authors": [
      "Francis P",
      "Jurak G",
      "Leskošek B",
      "Otte K",
      "Prasser F."
    ],
    "date": "2025-09-18",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1038/s41597-025-05823-x",
    "pdfUrl": "https://europepmc.org/articles/PMC12446462?pdf=render",
    "doi": "10.1038/s41597-025-05823-x",
    "abstract": "One of many challenges to open science is anonymization of personal data so that it may be shared. This paper presents a case study of the anonymization of a dataset containing cardio-respiratory fitness and commuting patterns for Slovenian school children. It evaluates three different anonymization tools, ARX, SDV, and SynDiffix. The fitness study was selected because its small size (N=713) and generally low statistical significance make it particularly challenging for data anonymization. Unlike most prior anonymization tool evaluations, this paper examines whether the scientific conclusions of the original study would have been supported by the anonymized datasets. It also considers the burden imposed on researchers using the tools both for data generation and data analysis.",
    "topics": [
      "data_anonymization",
      "enterprise_privacy_ops"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "de"
  },
  {
    "id": "doaj:01d58bdd8534482bbc415026fa7c4dab",
    "title": "Privacy-Diffusion: Privacy-Preserving Stable Diffusion Without FHE and Differential Privacy",
    "authors": [
      "Po-Chu Hsu",
      "Ziying Yu",
      "Shuhei Mise",
      "Hideaki Miyaji"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://ieeexplore.ieee.org/document/10971394/",
    "pdfUrl": "",
    "doi": "10.1109/access.2025.3562563",
    "abstract": "Text-to-image generation is trending in the generative artificial intelligence (GenAI) field. Among open-sourced image generation projects, Stable Diffusion is the state-of-the-art. Many artists and service providers customize the diffusion model to generate featured high-quality images. However, there is no protection to the privacy of the input text prompt, output image, and customized model. Privacy is very important since it can increase users’ willingness to use the service and protect the service provider’s intellectual property. Existing privacy-preserving diffusion model require fully homomorphic encryption (FHE) to ensure its privacy and security. Nonetheless, FHE is very time-consuming and may reduce accuracy due to approximations and deteriorate image quality. In this research, we propose Privacy-Diffusion, a privacy-preserving diffusion framework without FHE. By utilizing the irreversible property of neural network layers and the property that the predicted noise in the diffusion process is a normalized Gaussian distribution. Our framework can be applied to all kinds of diffusion models to protect clients’ input text prompt and the generated image from being learned by the server, as well as customized models from being learned by the clients. Our protocol is secure and efficient. Compared with existing research, HE-diffusion, which spent 200% extra time and visible quality loss, our protocol can reach the same security level with only 19% extra time and has no quality loss. To the best of our knowledge, our Privacy-Diffusion is the first protocol that achieves this goal without using FHE and maintain the same high-quality image output as the original model.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.637,
    "venue": "IEEE Access",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4392481764",
    "title": "EU-DSGVO",
    "authors": [
      "Lukas Feiler",
      "Nikolaus Forgó"
    ],
    "date": "2016",
    "platform": "OpenAlex",
    "sourceUrl": "http://dx.doi.org/10.33196/9783704676733",
    "pdfUrl": "",
    "doi": "https://doi.org/10.33196/9783704676733",
    "abstract": "Fundiert kommentiert - das neue Datenschutzrecht der EU Die im Mai 2018 in Geltung getretene Datenschutz-Grundverordnung der EU (EU-DSGVO) regelt das gesamte Datenschutzrecht in der Europäischen Union neu. Nach einem Vorwort von Jan Philipp Albrecht, Mitglied des Europäischen Parlaments und Berichterstatter für die EU-DSGVO, bietet dieses Werk eine Kommentierung sämtlicher Bestimmungen der EU-DSGVO und verschafft dem Leser eine praktische Einführung in Fragen wie: - Welche Maßnahmen sollten Sie jetzt ergreifen? - Brauchen Sie einen Datenschutzbeauftragten? - Welche Strafen drohen Ihnen? - Wie müssen Sie Ihr Compliance-Management anpassen? - Was bedeuten \"Privacy by Design\" und \"Privacy by Default\"? - Wie setzen Sie das Recht auf Datenportabilität und auf Vergessen um? https://www.youtube.com/watch?v=ycxpQ_aBpmo",
    "topics": [
      "gdpr_compliance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.637,
    "venue": "Verlag Österreich eBooks",
    "language": "eo"
  },
  {
    "id": "https://openalex.org/W2054514509",
    "title": "Private record matching using differential privacy",
    "authors": [
      "Ali İnan",
      "Murat Kantarcıoğlu",
      "Gabriel Ghinita",
      "Elisa Bertino"
    ],
    "date": "2010",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1145/1739041.1739059",
    "pdfUrl": "",
    "doi": "https://doi.org/10.1145/1739041.1739059",
    "abstract": "Private matching between datasets owned by distinct parties is a challenging problem with several applications. Private matching allows two parties to identify the records that are close to each other according to some distance functions, such that no additional information other than the join result is disclosed to any party. Private matching can be solved securely and accurately using secure multi-party computation (SMC) techniques, but such an approach is prohibitively expensive in practice. Previous work proposed the release of sanitized versions of the sensitive datasets which allows blocking, i.e., filtering out sub-sets of records that cannot be part of the join result. This way, SMC is applied only to a small fraction of record pairs, reducing the matching cost to acceptable levels. The blocking step is essential for the privacy, accuracy and efficiency of matching. However, the state-of-the-art focuses on sanitization based on k-anonymity, which does not provide sufficient privacy. We propose an alternative design centered on differential privacy, a novel paradigm that provides strong privacy guarantees. The realization of the new model presents difficult challenges, such as the evaluation of distance-based matching conditions with the help of only a statistical queries interface. Specialized versions of data indexing structures (e.g., kd-trees) also need to be devised, in order to comply with differential privacy. Experiments conducted on the real-world Census-income dataset show that, although our methods provide strong privacy, their effectiveness in reducing matching cost is not far from that of k-anonymity based counterparts.",
    "topics": [
      "data_anonymization",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W7115704838",
    "title": "GDPR and the algorithmic accountability act",
    "authors": [
      "Yazğan, Bilge Tuğçe"
    ],
    "date": "2025",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.25365/thesis.79909",
    "pdfUrl": "https://doi.org/10.25365/thesis.79909",
    "doi": "https://doi.org/10.25365/thesis.79909",
    "abstract": "Künstliche Intelligenz (KI) gestaltet soziale, wirtschaftliche und rechtliche Lebensbereiche neu und wirft dringende Fragen nach Rechenschaftspflicht, Fairness und dem Schutz der Grundrechte auf. Die Europäische Union hat mit der Datenschutz-Grundverordnung (DSGVO) und dem neu verabschiedeten Gesetz über künstliche Intelligenz (KI-Verordnung) eine führende Rolle übernommen, während die Vereinigten Staaten mit dem Algorithmic Accountability Act (AAA) einen Gesetzesentwurf vorgelegt haben, dessen legislativer Werdegang noch ungewiss ist. Dennoch bleibt umstritten, inwieweit diese Rechtsinstrumente zur Regulierung KI-gestützter Entscheidungsprozesse tatsächlich ausreichen. Diese Arbeit untersucht kritisch, in welchem Umfang diese Instrumente Risiken automatisierter Entscheidungsfindung abfedern. Sie analysiert die dogmatischen Grundlagen der DSGVO, die risikobasierten Verpflichtungen der KI-Verordnung sowie das auf Folgenabschätzungen beruhende Modell des AAA und verortet sie zugleich in den übergeordneten ethischen Prinzipien von Transparenz, Verantwortlichkeit und Menschenwürde. Anhand von Fallstudien zu Rekrutierungsalgorithmen, Kredit-Scoring und biometrischer Überwachung werden die Ansätze der EU und der USA verglichen und Gemeinsamkeiten wie Unterschiede herausgearbeitet. Die Untersuchung kommt zu dem Ergebnis, dass DSGVO und KI-Verordnung zwar starke Rechte und Verbote verankern, ihre Wirksamkeit jedoch durch Unklarheiten etwa in Bezug auf Artikel 22 DSGVO und durch Vollzugsunsicherheiten eingeschränkt wird. Der AAA hingegen eröffnet mit seinen verpflichtenden Folgenabschätzungen ein vielversprechendes Modell prozeduraler Verantwortlichkeit, leidet jedoch unter begrenztem Anwendungsbereich, schwachen Durchsetzungsmechanismen und politisch unsicherem Fortgang. 
Die Arbeit argumentiert, dass diese Regelwerke nur teilweise adäquat sind: Sie adressieren zentrale Risiken, lassen aber wesentliche Lücken im Bereich der Durchsetzung, des Rechtsschutzes und des Schutzes vulnerabler Gruppen. Um diese Lücken zu schließen, wird vorgeschlagen, die Definitionen von „Hochrisiko-“ und „automatisierten Entscheidungssystemen“ zu präzisieren, stärkere Transparenzpflichten (einschließlich aussagekräftiger Offenlegung von Datennutzung) vorzuschreiben, Stakeholderbeteiligung einzubetten und die internationale regulatorische Zusammenarbeit zu fördern. Unter Einbeziehung einer vulnerabilitätsorientierten Perspektive entwickelt die Arbeit einen neuartigen komparativen Rahmen und zeigt, dass eine wirksame KI-Governance nicht nur rechtliche Harmonisierung, sondern auch ethische Verpflichtungen zu Fairness, Autonomie und Menschenwürde erfordert.",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.637,
    "venue": "University of Vienna",
    "language": "en"
  },
  {
    "id": "s2:1dceda58af4c3d4decc5d4ca96928cd34e698cf2",
    "title": "Privacy Preserving Face Recognition Utilizing Differential Privacy",
    "authors": [
      "Pathum Chamikara Mahawaga Arachchige",
      "P. Bertók",
      "I. Khalil",
      "D. Liu",
      "Seyit Ahmet Camtepe"
    ],
    "date": "2020-05-21",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/1dceda58af4c3d4decc5d4ca96928cd34e698cf2",
    "pdfUrl": "https://researchrepository.rmit.edu.au/view/delivery/61RMIT_INST/12256326830001341/13256080300001341",
    "doi": "10.1016/J.COSE.2020.101951",
    "abstract": "Facial recognition technologies are implemented in many areas, including but not limited to, citizen surveillance, crime control, activity monitoring, and facial expression evaluation. However, processing biometric information is a resource-intensive task that often involves third-party servers, which can be accessed by adversaries with malicious intent. Biometric information delivered to untrusted third-party servers in an uncontrolled manner can be considered a significant privacy leak (i.e. uncontrolled information release) as biometrics can be correlated with sensitive data such as healthcare or financial records. In this paper, we propose a privacy-preserving technique for “controlled information release”, where we disguise an original face image and prevent leakage of the biometric features while identifying a person. We introduce a new privacy-preserving face recognition protocol named PEEP (Privacy using EigEnface Perturbation) that utilizes local differential privacy. PEEP applies perturbation to Eigenfaces utilizing differential privacy and stores only the perturbed data in the third-party servers to run a standard Eigenface recognition algorithm. As a result, the trained model will not be vulnerable to privacy attacks such as membership inference and model memorization attacks. Our experiments show that PEEP exhibits a classification accuracy of around 70% - 90% under standard privacy settings.",
    "topics": [
      "biometric_surveillance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Biometric & Immutable PII"
    ],
    "relevanceScore": 0.637,
    "venue": "Computers & security",
    "language": "en"
  },
  {
    "id": "s2:e9e07be1f710a83e06bca1db257e91c8f431a7e5",
    "title": "My Cookie is a phoenix: detection, measurement, and lawfulness of cookie respawning with browser fingerprinting",
    "authors": [
      "Imane Fouad",
      "C. Santos",
      "A. Legout",
      "Nataliia Bielova"
    ],
    "date": "2022-07-01",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/e9e07be1f710a83e06bca1db257e91c8f431a7e5",
    "pdfUrl": "https://petsymposium.org/popets/2022/popets-2022-0063.pdf",
    "doi": "10.56553/popets-2022-0063",
    "abstract": "Stateful and stateless web tracking gathered much attention in the last decade, however they were always measured separately. To the best of our knowledge, our study is the first to detect and measure cookie respawning with browser and machine fingerprinting. We develop a detection methodology that allows us to detect cookies dependency on browser and machine features. Our results show that 1,150 out of the top 30,000 Alexa websites deploy this tracking mechanism. We find out that this technique can be used to track users across websites even when third-party cookies are deprecated. Together with a legal scholar, we conclude that cookie respawning with browser fingerprinting lacks legal interpretation under the GDPR and the ePrivacy directive, but its use in practice may breach them, thus subjecting it to fines up to 20 million €.",
    "topics": [
      "linkability_tracking",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Re-identification"
    ],
    "relevanceScore": 0.637,
    "venue": "Proceedings on Privacy Enhancing Technologies",
    "language": "en"
  },
  {
    "id": "s2:95b95bf927e4e93eab18fea4fc3a2b143d036caf",
    "title": "GDPR vs. Big Data & AI in FinTechs",
    "authors": [
      "Nermin Varmaz"
    ],
    "date": "2020-10-01",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/95b95bf927e4e93eab18fea4fc3a2b143d036caf",
    "pdfUrl": "https://www.econstor.eu/bitstream/10419/270514/1/10_3790_vjh_89_4_55.pdf",
    "doi": "10.3790/VJH.89.4.55",
    "abstract": "Summary: This article addresses the compliance of the use of Big Data and Artificial Intelligence (AI) by FinTechs with European data protection principles. FinTechs are increasingly replacing traditional credit institutions and are becoming more important in the provision of financial services, especially by using AI and Big Data. The ability to analyze a large amount of different personal data at high speed can provide insights into customer spending patterns, enable a better understanding of customers, or help predict investments and market changes. However, once personal data is involved, a collision with all basic data protection principles stipulated in the European General Data Protection Regulation (GDPR) arises, mostly due to the fact that Big Data and AI meet their overall objectives by processing vast data that lies beyond their initial processing purposes. The author shows that within this ratio, pseudonymization can prove to be a privacy-compliant and thus preferable alternative for the use of AI and Big Data while still enabling FinTechs to identify customer needs.\nZusammenfassung: Dieser Artikel befasst sich mit der Vereinbarkeit der Nutzung von Big Data und Künstlicher Intelligenz (KI) durch FinTechs mit den europäischen Datenschutzgrundsätzen. FinTechs ersetzen zunehmend traditionelle Kreditinstitute und gewinnen bei der Bereitstellung von Finanzdienstleistungen an Bedeutung, insbesondere durch die Nutzung von KI und Big Data. Die Fähigkeit, eine große Menge unterschiedlicher personenbezogener Daten in hoher Geschwindigkeit zu analysieren, kann Einblicke in das Ausgabeverhalten der Kunden geben, ein besseres Verständnis der Kunden ermöglichen oder helfen, Investitionen und Marktveränderungen vorherzusagen. 
Sobald jedoch personenbezogene Daten involviert sind, kommt es zu einer Kollision mit allen grundlegenden Datenschutzprinzipien, die in der europäischen Datenschutzgrundverordnung (DS-GVO) festgelegt sind, vor allem aufgrund der Tatsache, dass Big Data und KI ihre übergeordneten Ziele durch die Verarbeitung großer Datenmengen erreichen, die über ihre ursprünglichen Verarbeitungszwecke hinausgehen. Der Autor zeigt, dass sich in diesem Verhältnis die Pseudonymisierung als datenschutzkonforme und damit vorzugswürdige Alternative für den Einsatz von KI und Big Data erweisen kann, die FinTechs dennoch in die Lage versetzt, Kundenbedürfnisse zu erkennen.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "s2:b883ac25419baf639619b667ad1648b5ca30ceca",
    "title": "Der Widerspruch zwischen dem Cloud Act und der DSGVO – ein organhaftungsrechtliches Konzept zum Vorstandshandeln",
    "authors": [],
    "date": "2022-08-22",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/b883ac25419baf639619b667ad1648b5ca30ceca",
    "pdfUrl": "",
    "doi": "10.3726/b20076",
    "abstract": "Der am 22. März 2018 verabschiedete „Clarifying Lawful Use of Data Act\" (im Folgenden Cloud Act) erlaubt US-amerikanischen Behörden weitreichende Zugriffe auf Daten von Personen, die von privaten Unternehmen auch außerhalb der USA gespeichert werden. Die DSGVO hingegen verbietet grundsätzlich eine Datenübermittlung in ein Drittland, wie die USA. Die Arbeit gibt einen Überblick über die einzelnen Regelungsgehalte des Cloud Act und der DSGVO und dem daraus resultierenden Widerspruch und zeigt auf, wie Unternehmen mit den divergierenden Verpflichtungen aus dem EU-Datenschutzrecht und dem US-amerikanischen Cloud Act angemessen umgehen können, wenn sie Adressaten einer Offenlegungspflicht gegenüber US-amerikanischen Behörden sind, gleichzeitig jedoch den Rechten und Pflichten der DSGVO unterliegen.",
    "topics": [
      "jurisdiction_regulatory",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:2207.11677",
    "title": "Learnable Privacy-Preserving Anonymization for Pedestrian Images",
    "authors": [
      "Junwu Zhang",
      "Mang Ye",
      "Yao Yang"
    ],
    "date": "2022-07-24",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2207.11677v1",
    "pdfUrl": "https://arxiv.org/pdf/2207.11677v1",
    "doi": "10.1145/3503161.3548766",
    "abstract": "This paper studies a novel privacy-preserving anonymization problem for pedestrian images, which preserves personal identity information (PII) for authorized models and prevents PII from being recognized by third parties. Conventional anonymization methods unavoidably cause semantic information loss, leading to limited data utility. Besides, existing learned anonymization techniques, while retaining various identity-irrelevant utilities, will change the pedestrian identity, and thus are unsuitable for training robust re-identification models. To explore the privacy-utility trade-off for pedestrian images, we propose a joint learning reversible anonymization framework, which can reversibly generate full-body anonymous images with little performance drop on person re-identification tasks. The core idea is that we adopt desensitized images generated by conventional methods as the initial privacy-preserving supervision and jointly train an anonymization encoder with a recovery decoder and an identity-invariant model. We further propose a progressive training strategy to improve the performance, which iteratively upgrades the initial anonymization supervision. Experiments further demonstrate the effectiveness of our anonymized pedestrian images for privacy protection, which boosts the re-identification performance while preserving privacy. Code is available at https://github.com/whuzjw/privacy-reid.",
    "topics": [
      "data_anonymization",
      "reversible_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Re-identification"
    ],
    "relevanceScore": 0.637,
    "venue": "ACM Multimedia",
    "language": "en"
  },
  {
    "id": "arxiv:2510.21591",
    "title": "Privacy by Design: Aligning GDPR and Software Engineering Specifications with a Requirements Engineering Approach",
    "authors": [
      "Oleksandr Kosenkov",
      "Ehsan Zabardast",
      "Davide Fucci",
      "Daniel Mendez",
      "Michael Unterkalmsteiner"
    ],
    "date": "2025-10-24",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2510.21591v2",
    "pdfUrl": "https://arxiv.org/pdf/2510.21591v2",
    "doi": "10.1016/j.infsof.2025.107946",
    "abstract": "Context: Consistent requirements and system specifications are essential for the compliance of software systems towards the General Data Protection Regulation (GDPR). Both artefacts need to be grounded in the original text and conjointly assure the achievement of privacy by design (PbD). Objectives: There is little understanding of the perspectives of practitioners on specification objectives and goals to address PbD. Existing approaches do not account for the complex intersection between problem and solution space expressed in GDPR. In this study we explore the demand for conjoint requirements and system specification for PbD and suggest an approach to address this demand. Methods: We reviewed secondary and related primary studies and conducted interviews with practitioners to (1) investigate the state-of-practice and (2) understand the underlying specification objectives and goals (e.g., traceability). We developed and evaluated an approach for requirements and systems specification for PbD, and evaluated it against the specification objectives. Results: The relationship between problem and solution space, as expressed in GDPR, is instrumental in supporting PbD. We demonstrate how our approach, based on the modeling GDPR content with original legal concepts, contributes to specification objectives of capturing legal knowledge, supporting specification transparency, and traceability. Conclusion: GDPR demands need to be addressed throughout different levels of abstraction in the engineering lifecycle to achieve PbD. Legal knowledge specified in the GDPR text should be captured in specifications to address the demands of different stakeholders and ensure compliance. While our results confirm the suitability of our approach to address practical needs, we also revealed specific needs for the future effective operationalization of the approach.",
    "topics": [
      "gdpr_compliance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.637,
    "venue": "Inf. Softw. Technol.",
    "language": "en"
  },
  {
    "id": "arxiv:2108.07971",
    "title": "De-identification of Unstructured Clinical Texts from Sequence to Sequence Perspective",
    "authors": [
      "Md Monowar Anjum",
      "Noman Mohammed",
      "Xiaoqian Jiang"
    ],
    "date": "2021-08-18",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2108.07971v2",
    "pdfUrl": "https://arxiv.org/pdf/2108.07971v2",
    "doi": "10.1145/3460120.3485354",
    "abstract": "In this work, we propose a novel problem formulation for de-identification of unstructured clinical text. We formulate the de-identification problem as a sequence to sequence learning problem instead of a token classification problem. Our approach is inspired by the recent state-of-the-art performance of sequence to sequence learning models for named entity recognition. Early experimentation of our proposed approach achieved 98.91% recall rate on i2b2 dataset. This performance is comparable to current state-of-the-art models for unstructured clinical text de-identification.",
    "topics": [
      "data_anonymization",
      "pii_entity_types"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "crossref:10.31449/inf.v49i34.9296",
    "title": "Blockchain Privacy Transaction Optimization Model Based on Zero-Knowledge Proof",
    "authors": [
      "Youfang Xu"
    ],
    "date": "2025-08-26",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.31449/inf.v49i34.9296",
    "pdfUrl": "https://www.informatica.si/index.php/informatica/article/download/9296/4956",
    "doi": "10.31449/inf.v49i34.9296",
    "abstract": "With the widespread application of blockchain technology, the security of private transactions has become a bottleneck restricting further development. This project presents a blockchain privacy transaction optimization model utilizing zero-knowledge proof (ZKP). By extracting data features such as transaction volume, transaction frequency, and counterparty trustworthiness, the model dynamically assigns weights through an entropy-based framework for different transaction scenarios. It also adaptively modifies certificate generation and verification strategies using reinforcement learning to enhance efficiency and security. In terms of experiments, a blockchain simulation environment is constructed, and 100,000 transaction data points are used as samples to compare the DA-ZKP algorithm and the traditional zero-knowledge proof algorithm. The experimental results show that the DA-ZKP algorithm reduces the generation time by 35%, the verification time by 28%, and the memory overhead by 22% on average. At the same time, the algorithm has a privacy protection capability comparable to traditional algorithms and can resist replay and tampering attacks. The optimization model and algorithm proposed in this project can effectively improve the efficiency and security of blockchain privacy transactions and provide a new idea for developing blockchain privacy protection technology.",
    "topics": [
      "privacy_engineering",
      "sector_finance"
    ],
    "painPointTracks": [
      "Financial & Payment PII",
      "Solutions Market"
    ],
    "relevanceScore": 0.637,
    "venue": "Informatica",
    "language": "en"
  },
  {
    "id": "openaire:10.30958/ajl.11-1-3",
    "title": "Artificial Intelligence in Decision-making: A Test of Consistency between the “EU AI Act” and the “General Data Protection Regulation”",
    "authors": [
      "Claudio Sarra"
    ],
    "date": "2025-01-02",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.30958/ajl.11-1-3",
    "pdfUrl": "https://doi.org/10.30958/ajl.11-1-3",
    "doi": "10.30958/ajl.11-1-3",
    "abstract": "The recent Regulation that sets down harmonised rules on Artificial Intelligence in the European Union, known as the \"AI Act,\" includes a significant requirement for human oversight in high-risk AI systems during their use (art. 14). This requirement embodies the \"human-in-command\" approach, ensuring both legal and ethical compliance. The AI Act is intended to complement the General Data Protection Regulation (hereinafter GDPR), thereby forming a consistent and comprehensive legal framework. This paper focuses on AI systems producing decisions and examines the consistency of the AI Act's mandatory human oversight measures (art. 14) with GDPR's provisions on decisions based solely on automated processing (art. 22). At first glance, the provisions seem mutually exclusive. Mandatory human oversight under the AI Act could render art. 22 of GDPR inapplicable, as it applies only to decisions made by automated processing, implying no human involvement in decision-making. However, art. 22 of GDPR provides crucial safeguards for individuals, such as the right to human intervention, the ability to express opinions, and the right to contest decisions. This raises questions about whether the AI Act will exhaust these safeguards, and if it is capable of providing equivalent protection for decisions made by AI systems. This paper aims to analytically address these questions and arguments for a revision of the ordinary interpretation of art. 22 of GDPR, § 1. Keywords: AI Act; Algorithmic decisions; GDPR; Human oversight.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "Athens Journal of Law",
    "language": "en"
  },
  {
    "id": "crossref:10.54254/2755-2721/2025.po25408",
    "title": "Cryptography Techniques in Medical Data Privacy Protection: Applications and Challenges of Homomorphic Encryption, Differential Privacy, and Blockchain",
    "authors": [
      "Chenyuan Zhang"
    ],
    "date": "2025-07-24",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.54254/2755-2721/2025.po25408",
    "pdfUrl": "",
    "doi": "10.54254/2755-2721/2025.po25408",
    "abstract": "With the rapid development of big data and artificial intelligence technologies, data security has become a critical bottleneck restricting the development of data science. This study systematically explores the innovative applications and implementation challenges of modern cryptographic techniques in the field of data science. The paper first reviews the fundamental theories of cryptography, such as symmetric encryption, asymmetric encryption, and hash functions. It then focuses on the cutting-edge applications of homomorphic encryption in privacy-preserving machine learning, differential privacy in user data analysis, and blockchain in data integrity verification. Through an in-depth analysis of typical cases such as medical data sharing and user behavior modeling, the study reveals the effectiveness and limitations of cryptographic techniques in practical deployment. The study further identifies the main challenges currently faced, including algorithmic computational efficiency, the transition to post-quantum cryptography, and the balance between data privacy and usability. Finally, this paper proposes future development directions for the deep integration of cryptography and data science from both technical evolution and policy-making perspectives. This study provides important theoretical references and methodological guidance for secure computing practices in the field of data science.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.637,
    "venue": "Applied and Computational Engineering",
    "language": "en"
  },
  {
    "id": "crossref:10.32890/uumjls2022.13.1.3",
    "title": "UNDERSTANDING GDPR: ITS LEGAL IMPLICATIONS AND RELEVANCE TO SOUTH ASIAN PRIVACY REGIMES",
    "authors": [
      "Md. Toriqul Islam",
      "Mariyam Sahula",
      "Mohammad Ershadul Karim"
    ],
    "date": "2022-01-31",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.32890/uumjls2022.13.1.3",
    "pdfUrl": "",
    "doi": "10.32890/uumjls2022.13.1.3",
    "abstract": "Emerging as a buzzword, the General Data Protection Regulation (GDPR) has had immense implications on global data protection regimes. The GDPR appears as a worldwide standard for protecting personal data based on the omnibus legal substance, extensive extraterritorial scope, and influential market of the European Union (EU). It resulted in a global wave where countries are either adopting new legislation or modifying existing data privacy laws to comply with the GDPR. Historically, the South Asian region, abode to one-fifth of the world’s people, has strong trade and economic ties with Europe. As reflected in current bilateral or multilateral trade agreements, the EU tends to be one of the largest trading partners of most South Asian countries. Therefore, it is understandable that the EU’s norms, laws, policies, particularly the GDPR, would have far-reaching impacts on South Asian countries. However, the issue has not been yet evaluated in legal academic settings that require an analysis of GDPR’s overview and its impacts on South Asian privacy regimes. The findings of this doctrinal legal study, together with the sharing of a brief overview of the GDPR and South Asian privacy regimes, reiterate the influence of GDPR in this region. The findings of this research also have the prospects to enlighten the stakeholders in understanding the GDPR and its implications on global as well as South Asian privacy regimes. This article concludes with several suggestions and policy alternatives that policymakers can explore in South Asia and beyond in designing their potential personal data protection policy strategies.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "UUM Journal of Legal Studies",
    "language": "en"
  },
  {
    "id": "crossref:10.55529/jls.34.32.41",
    "title": "Data Privacy Regulations in Ghana: A Guide to GDPR Compliance for Businesses",
    "authors": [
      "Zimpah Bikunati Joseph",
      "Kwabena Boateng Mensah",
      "Zimpah Nafah Abraham"
    ],
    "date": "2023-07-29",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.55529/jls.34.32.41",
    "pdfUrl": "",
    "doi": "10.55529/jls.34.32.41",
    "abstract": "The protection of personal data is a top priority for both individuals and organizations in the modern digital world. In the Ghanaian context, strict data privacy laws are essential to protecting citizens' rights and privacy. The legal foundation for these restrictions is the 1992 constitution of Ghana and Data Protection Act, specifically the Data Protection Act, 2012 (Act 843), which establishes the guidelines for legitimate data processing, the responsibilities of data controllers and processors, and the rights of data subjects. Compliance with local laws, however, may not be sufficient for enterprises operating on a worldwide scale or in international marketplaces as a result of the fact that globalization and digitalization cut across national boundaries. This article delves into Ghana's complex data privacy landscape, illuminating key points and providing suggestions for how businesses can improve their data protection practices by adhering to internationally recognized data protection standards like the General Data Protection Regulation (GDPR) of the European Union. Understanding the fundamental principles of Ghana's Data Protection Act, the scope and applicability of GDPR in Ghana, the importance of data mapping and inventory, the function of Data Protection Impact Assessments (DPIAs), consent and the rights of data subjects, data security and breach notification, and the potential sanctions for non-compliance are some of the key areas of focus. Readers can obtain a profound awareness of Ghana's data privacy landscape and the procedures necessary to successfully align with national and international data protection regulations by navigating this in-depth exploration. Businesses that prioritize compliance with data protection regulations in Ghana are better positioned not only to meet legal requirements but also to foster trust, drive innovation, and contribute to the nation's digital advancement on the global stage. In an ever-evolving digital world where data privacy is paramount.",
    "topics": [
      "gdpr_compliance",
      "data_breach_incident"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "Journal of Legal Subjects",
    "language": "en"
  },
  {
    "id": "crossref:10.4018/978-1-5225-9489-5.ch011",
    "title": "The Impact of the GDPR on Extra-EU Legal Systems",
    "authors": [
      "Maria Casoria",
      "Eman Mahmood AlSarraf"
    ],
    "date": "2020",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.4018/978-1-5225-9489-5.ch011",
    "pdfUrl": "https://www.igi-global.com/viewtitle.aspx?TitleId=255201",
    "doi": "10.4018/978-1-5225-9489-5.ch011",
    "abstract": "The chapter discusses the influence of the General Data Protection Regulation (GDPR) on legal systems extra-EU and particularly the Kingdom of Bahrain, country member to a regional organisation located in the Arabian Gulf denominated Gulf Cooperation Council (GCC), which is exclusive to six states (i.e., Saudi Arabia, United Arab Emirates, Oman, Qatar, and Kuwait in addition to Bahrain). Amongst these countries, Bahrain is the only one that has recently enacted its own separate Personal Data Protection Law (PDPL) mostly resembling the GDPR due to the ever-increasing commercial relationship with business undertakings in Europe. Moreover, the adoption of the data protection law counts as a huge leap forward taken by the kingdom in reforming its legal framework, since it is the state's striving strategy to grow into a midpoint for data centre, just on time for the launch of data centres opening in Bahrain that are endorsed by Amazon Web Services.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "Advances in Information Security, Privacy, and Ethics",
    "language": "en"
  },
  {
    "id": "crossref:10.69554/msqx9692",
    "title": "International personal data transfer: An analysis of Brazil’s legal system and new LGPD under the adequacy standard of the EU GDPR",
    "authors": [
      "Alexandre Serrano Rajagopalan"
    ],
    "date": "2021-06-01",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.69554/msqx9692",
    "pdfUrl": "",
    "doi": "10.69554/msqx9692",
    "abstract": "The international transfer of personal data is an issue of fundamental importance in data protection. The General Data Protection Regulation (GDPR) has conditioned all data flow to third countries to stringent alternative requirements, the most important of which being the existence of an adequacy decision made by the European Commission finding the level of data protection afforded by that third country to be equivalent to the one provided by the GDPR. This study aims to apply the adequacy standard, as established by the GDPR and interpreted by the Court of Justice of the European Union (CJEU), the Article 29 Working Party and the European Commission, in order to determine whether Brazil has the potential of obtaining a favourable decision from the European Commission. The country’s legal system and new Lei Geral de Proteção de Dados Pessoais (LGPD) were analysed, in depth, with a focus on the three elements the GDPR requires to be taken into account in the course of adequacy findings: a legal framework containing certain core elements, an independent supervisory authority and the international commitments of the country. The results indicate that Brazil’s legal system offers appropriate tools capable of providing data subjects with an adequate level of protection, which, subject to future regulation on the time limits for compliance with certain privacy rights, can be considered equivalent to the level of protection guaranteed by the GDPR. Such a finding, should it be confirmed by the European Commission in the future, would have the effect of allowing the transfer of personal data from Europe to Brazil.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "Journal of Data Protection & Privacy",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::c38b5fafa3eaf5b04c82416bc9cc6a8b",
    "title": "Look Twice before You Leap: A Rational Agent Framework for Localized Adversarial Anonymization",
    "authors": [
      "Duan, Donghang",
      "Zheng, Xu"
    ],
    "date": "2025-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.48550/arxiv.2512.06713",
    "pdfUrl": "",
    "doi": "10.48550/arxiv.2512.06713",
    "abstract": "Current LLM-based text anonymization frameworks usually rely on remote API services from powerful LLMs, which creates an inherent \"privacy paradox\": users must somehow disclose data to untrusted third parties for superior privacy preservation. Moreover, directly migrating these frameworks to local small-scale models (LSMs) offers a suboptimal solution with catastrophic collapse in utility based on our core findings. Our work argues that this failure stems not merely from the capability deficits of LSMs, but from the inherent irrationality of the greedy adversarial strategies employed by current state-of-the-art (SoTA) methods. We model the anonymization process as a trade-off between Marginal Privacy Gain (MPG) and Marginal Utility Cost (MUC), and demonstrate that greedy strategies inevitably drift into an irrational state. To address this, we propose Rational Localized Adversarial Anonymization (RLAA), a fully localized and training-free framework featuring an Attacker-Arbitrator-Anonymizer (A-A-A) architecture. RLAA introduces an arbitrator that acts as a rationality gatekeeper, validating the attacker's inference to filter out feedback providing negligible benefits on privacy preservation. This mechanism enforces a rational early-stopping criterion, and systematically prevents utility collapse. Extensive experiments on different datasets demonstrate that RLAA achieves the best privacy-utility trade-off, and in some cases even outperforms SoTA on the Pareto principle. Our code and datasets will be released upon acceptance.",
    "topics": [
      "data_anonymization",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.637,
    "venue": "arXiv.org",
    "language": "en"
  },
  {
    "id": "openaire:S1568494625013262",
    "title": "Truthful text sanitization guided by inference attacks",
    "authors": [
      "Ildikó Pilán",
      "Benet Manzanares-Salor",
      "David Sánchez",
      "Pierre Lison"
    ],
    "date": "2025-12-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1016/j.asoc.2025.114013",
    "pdfUrl": "",
    "doi": "10.1016/j.asoc.2025.114013",
    "abstract": "Text sanitization aims to rewrite parts of a document to prevent disclosure of personal information. The central challenge of text sanitization is to strike a balance between privacy protection (avoiding the leakage of personal information) and utility preservation (retaining as much as possible of the document's original content). To this end, we introduce a novel text sanitization method based on generalizations, that is, broader but still informative terms that subsume the semantic content of the original text spans. The approach relies on the use of instruction-tuned large language models (LLMs) and is divided into two stages. Given a document including text spans expressing personally identifiable information (PII), the LLM is first applied to obtain truth-preserving replacement candidates for each text span and rank those according to their abstraction level. Those candidates are then evaluated for their ability to protect privacy by conducting inference attacks with the LLM. Finally, the system selects the most informative replacement candidate shown to be resistant to those attacks. This two-stage process produces replacements that effectively balance privacy and utility. We also present novel metrics to evaluate these two aspects without needing to manually annotate documents. Results on the Text Anonymization Benchmark show that the proposed approach, implemented with Mistral 7B Instruct, leads to enhanced utility, with only a marginal (< 1 p.p.) increase in re-identification risk compared to fully suppressing the original spans. Furthermore, our approach is shown to be more truth-preserving than existing methods such as Microsoft Presidio's synthetic replacements.",
    "topics": [
      "data_anonymization",
      "nlp_ner_tools"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1109/msec.2019.2935701",
    "title": "The General Data Protection Regulation: From a Data Protection Authority's (Technical) Perspective",
    "authors": [
      "Ronald Petrlic"
    ],
    "date": "2019-11-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1109/msec.2019.2935701",
    "pdfUrl": "",
    "doi": "10.1109/msec.2019.2935701",
    "abstract": "For the first time, technical data protection plays a major role in privacy law with the enactment of the General Data Protection Regulation (GDPR). A number of obligations for controllers and the rights of data subjects in the GDPR refer to technical aspects. From a data protection authority's technical perspective, in this article, the challenges and open questions that persist one year after the application of the GDPR are discussed.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1163/2211906x-13020004",
    "title": "The Extraterritoriality of the GDPR and Its Effect on GCC Businesses",
    "authors": [
      "Alshaleel, Mohammed"
    ],
    "date": "2024-08-07",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1163/2211906x-13020004",
    "pdfUrl": "",
    "doi": "10.1163/2211906x-13020004",
    "abstract": "This article considers the extraterritoriality of the General Data Protection Regulation (GDPR) and its effect on Gulf Cooperation Council (GCC) businesses. Given the robust economic ties to the European Union (EU), many GCC businesses fall under the scope of the GDPR. This article argues that the territorial gateways through which the GDPR applies are much wider than might be thought and so may capture many GCC businesses, and that while the personal data protection laws in the GCC countries have been influenced to varying degrees by the GDPR, there are significant disparities, especially regarding their approach to data protection. This suggests that the level of data protection in the GCC countries is not equivalent to that offered by the GDPR. The article is divided into six sections, covering the EU’s data protection laws, framework evolution, GDPR’s impact on GCC businesses, and GCC’s data protection framework.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.47405/mjssh.v7i9.1776",
    "title": "The Magnitude of GDPR To Malaysia",
    "authors": [
      "Muhammad Faiz Bin Abu Samah",
      "Mohd Bahrin Bin Othman"
    ],
    "date": "2022-09-30",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.47405/mjssh.v7i9.1776",
    "pdfUrl": "",
    "doi": "10.47405/mjssh.v7i9.1776",
    "abstract": "The European Union (“EU”) General Data Protection Regulation (“GDPR”) governs any individuals or companies that stores or processes personal information about EU citizens within EU states even if it does not involve a business presence within the EU. Malaysian businesses need to comply with the GDPR as failure to comply will cause disruption or discontinuance of business. This paper aims to understand and evaluate the scope of the GDPR and its effect on personal data protection in Malaysia. It employs a doctrinal qualitative approach by examining the GDPR and the Malaysia Personal Data Protection Act 2010. This paper suggests that the GDPR provides a more comprehensive law with its holistic principles and rights which may provide lessons for Malaysia in protecting personal data as the area covered by the GDPR is broader specifically the non-commercial transactions, its wider range of rights and the extraterritorial applicability.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.4324/9781003252191-4",
    "title": "Informational privacy post GDPR – end of the road or the start of a long journey?",
    "authors": [
      "Diker Vanberg, Aysem"
    ],
    "date": "2020-07-09",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.4324/9781003252191-4",
    "pdfUrl": "",
    "doi": "10.4324/9781003252191-4",
    "abstract": "The General Data Protection Regulation (GDPR) is a far-reaching legal instrument that regulates the collection and use of personal data by private actors, individuals and by governments. In this respect, the GDPR is indeed a key legal instrument for protecting informational privacy. This article will analyse and discuss the impact of the GDPR on the right to privacy particularly in the context of data protection. It also explores whether the GDPR in itself is adequate to ensure the right to privacy in the European Union (EU) and whether the protection provided by the GDPR can be supplemented by other means. The article finds that while the GDPR is a significant step in the right direction to protect informational privacy, it is certainly not the end of the journey. It argues that on its own, the GDPR cannot fully address the imbalance of power between data subjects and data controllers. Hence, it needs to be complemented by other regulatory tools such as the ePrivacy Regulation, EU competition law and Consumer Protection rules. Furthermore, some provisions in the GDPR must be revisited in the near future to ensure they do not become obsolete.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.25234/pv/23972",
    "title": "GDPR COMPLIANCE CHALLENGES IN CROATIAN MICRO, SMALL AND MEDIUM SIZED ENTERPRISES",
    "authors": [
      "Anamarija Mladinić",
      "Zdravko Vukić",
      "Ante Rončević"
    ],
    "date": "2023-12-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.25234/pv/23972",
    "pdfUrl": "",
    "doi": "10.25234/pv/23972",
    "abstract": "The General Data Protection Regulation (EU) 2016/679 which applies uniformly since 25th May 2018 in the European Economic Area (EEA) requires small and medium enterprises (SMEs) to respect the right to personal data protection of their clients, customers, and employees. The GDPR is designed to strengthen the data protection rights of all individuals within the EEA ensuring more effective protection for consumers and increased privacy considerations for businesses. However, even after more than four years of its entry into full application, the implementation of the GDPR is still an issue for Croatian SMEs, who, unlike the larger companies, very often lack the human and financial resources to comply with the data protection legal framework. This paper covers theoretical considerations and results of an online survey conducted with 345 SMEs in the Republic of Croatia with the aim to gain insights into their GDPR compliance hurdles. The results of the study have shown that the level of understanding of obligations arising from the GDPR among Croatian SMEs is rather low and that compliance with the data protection legal framework is not at a satisfactory level.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1007/978-3-030-39237-6_8",
    "title": "Developed Framework Based on Cognitive Computing to Support Personal Data Protection Under the GDPR",
    "authors": [
      "Soraya Sedkaoui",
      "Dana Simian"
    ],
    "date": "2020-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1007/978-3-030-39237-6_8",
    "pdfUrl": "",
    "doi": "10.1007/978-3-030-39237-6_8",
    "abstract": "The General Data Protection Regulation (GDPR) has entered into force in the European Union (EU) since 25 May 2018 in order to satisfy present difficulties related to private information protection. This regulation involves significant structural for companies, but also stricter requirements for personal data collection, management, and protection. In this context, companies need to create smart solutions to allow them to comply with the GDPR and build a feeling of confidence in order to map all their personal data. In these conditions, cognitive computing could be able to assist companies extract, protect and anonymize sensitive structured and unstructured data. Therefore, this article proposes a framework that can serve as an approach or guidance for companies that use cognitive computing methods to meet GDPR requirements. The goal of this work is to examine the smart system as a data processing and data protection solution to contribute to GDPR compliance.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:3677033",
    "title": "Comparing Local and Central Differential Privacy Using Membership Inference Attacks",
    "authors": [
      "Daniel Bernau",
      "Jonas Robl",
      "Philip W. Grassal",
      "Steffen Schneider",
      "Florian Kerschbaum"
    ],
    "date": "2021-07-19",
    "platform": "hal",
    "sourceUrl": "https://inria.hal.science/hal-03677033v1",
    "pdfUrl": "https://inria.hal.science/hal-03677033/document",
    "doi": "10.1007/978-3-030-81242-3_2",
    "abstract": "Attacks that aim to identify the training data of neural networks represent a severe threat to the privacy of individuals in the training dataset. A possible protection is offered by anonymization of the training data or training function with differential privacy. However, data scientists can choose between local and central differential privacy, and need to select meaningful privacy parameters $\\epsilon$. A comparison of local and central differential privacy based on the privacy parameters furthermore potentially leads data scientists to incorrect conclusions, since the privacy parameters are reflecting different types of mechanisms. Instead, we empirically compare the relative privacy-accuracy trade-off of one central and two local differential privacy mechanisms under a white-box membership inference attack. While membership inference only reflects a lower bound on inference risk and differential privacy formulates an upper bound, our experiments with several datasets show that the privacy-accuracy trade-off is similar for both types of mechanisms despite the large difference in their upper bound. This suggests that the upper bound is far from the practical susceptibility to membership inference. Thus, small $\\epsilon$ in central differential privacy and large $\\epsilon$ in local differential privacy result in similar membership inference risks, and local differential privacy can be a meaningful alternative to central differential privacy for differentially private deep learning besides the comparatively higher privacy parameters.",
    "topics": [
      "data_anonymization",
      "llm_privacy_attacks"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "AI Training PII"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3152303720",
    "title": "Addressing the Failure of Anonymization: Guidance from the European Union’s General Data Protection Regulation",
    "authors": [
      "Elizabeth Frasher"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "https://academiccommons.columbia.edu/doi/10.7916/d8-m21f-de08/download",
    "pdfUrl": "https://doi.org/10.7916/d8-zgve-y962",
    "doi": "https://doi.org/10.7916/d8-zgve-y962",
    "abstract": "It is common practice for companies to “anonymize” the consumer data that they collect. In fact, U.S. data protection laws and Federal Trade Commission guidelines encourage the practice of anonymization by exempting anonymized data from the privacy and data security requirements they impose. Anonymization involves removing personally identifiable information (“PII”) from a dataset so that, in theory, the data cannot be traced back to its data subjects. In practice, however, anonymization fails to irrevocably protect consumer privacy due to the potential for deanonymization—the linking of anonymized data to auxiliary information to re-identify data subjects. Because U.S. data protection laws provide safe harbors for anonymized data, re-identified data subjects receive no statutory privacy protections at all—a fact that is particularly troublesome given consumers’ dependence on technology and today’s climate of ubiquitous data collection. By adopting an all-or-nothing approach to anonymization, the United States has created no means of incentivizing the practice of anonymization while still providing data subjects statutory protections. This Note argues that the United States should look to the risk-based approach taken by the European Union under the General Data Protection Regulation. Their data protection laws utilize multiple tiers of anonymization, which vary in their potential for deanonymization. Under this approach, pseudonymized data—i.e., certain data that has had PII removed but can still be linked to auxiliary information to re-identify data subjects—falls within the scope of the governing law, but receives relaxed requirements designed to incentivize pseudonymization and thereby reduce the risk of data subject identification. This approach both strikes a balance between data privacy and data utility, and affords data subjects the benefit of anonymity in addition to statutory protections ranging from choice to transparency.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.11117/rdp.v18i100.6197",
    "title": "Ethical Dimensions of the GDPR, AI Regulation, and Beyond",
    "authors": [
      "Hielke Hijmans",
      "Charles Raab"
    ],
    "date": "2022-01-27",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.11117/rdp.v18i100.6197",
    "pdfUrl": "https://www.portaldeperiodicos.idp.edu.br/direitopublico/article/download/6197/pdf",
    "doi": "10.11117/rdp.v18i100.6197",
    "abstract": "Our digital society is changing rapidly, with emerging new technologies such as artificial intelligence (AI) and machine learning, robotics, and the internet of things. These changes trigger new fundamental ethical questions relating to privacy, data protection and other values, including human rights and the way they are affected by the extensive and intensive use of data for analytical and practical innovations. This article explores these ethical dimensions and the extent to which the European Union’s General Data Protection Regulation (GDPR) of 2018 takes ethics into account in relation to these socio-technical developments. More briefly, it looks similarly but more selectively at the EU’s proposed AI Act of 2021, which aims to regulate AI in relation to levels of risk. It concludes with some observations on desirable institutional arrangements for making and applying ethical judgements in the regulation of advanced technologies that use personal data.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "Direito Público",
    "language": "en"
  },
  {
    "id": "openaire:10.47960/3029-3200.2025.1.2.54",
    "title": "Toward Integrated Compliance with GDPR and the EU AI Act Based on Empirical Findings",
    "authors": [
      "Tonći Kaleb",
      "Ivan Markić"
    ],
    "date": "2025-07-17",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.47960/3029-3200.2025.1.2.54",
    "pdfUrl": "",
    "doi": "10.47960/3029-3200.2025.1.2.54",
    "abstract": "This paper explores how the European Union is shaping rules for data and artificial intelligence (AI) through two key regulations: the General Data Protection Regulation (GDPR) and the EU Artificial Intelligence Act (AI Act). Those two regulations cover data topics, focusing on different aspects, both bringing challenges for organizations and individuals. This paper includes a survey conducted among data protection professionals to understand better how organizations deal with these challenges in practice. The results show that many organizations still have areas for improvement, especially when combining privacy and AI responsibilities. Based on this, the paper offers a simple and practical framework that helps organizations follow the GDPR and the AI Act in a transparent and integrated way. The goal is to support better decision-making, reduce legal and technical risks, and help with the responsible and trusted use of data and AI in the EU. Keywords: GDPR, AI Act, Data Governance, Risk Management, Privacy, Compliance, EU Regulation",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1111/bjet.13576",
    "title": "Ensuring privacy through synthetic data generation in education",
    "authors": [
      "Qinyi Liu",
      "Ronas Shakya",
      "Jelena Jovanovic",
      "Mohammad Khalil",
      "Javier de la Hoz‐Ruiz"
    ],
    "date": "2025-02-19",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1111/bjet.13576",
    "pdfUrl": "",
    "doi": "10.1111/bjet.13576",
    "abstract": "High‐volume, high‐quality and diverse datasets are crucial for advancing research in the education field. However, such datasets often contain sensitive information that poses significant privacy challenges. Traditional anonymisation techniques fail to meet the privacy standards required by regulations like GDPR, prompting the need for more robust solutions. Synthetic data have emerged as a promising privacy‐preserving approach, allowing for the generation and sharing of datasets that mimic real data while ensuring privacy. Still, the application of synthetic data alone on educational datasets remains vulnerable to privacy threats such as linkage attacks. Therefore, this study explores for the first time the application of private synthetic data, which combines synthetic data with differential privacy mechanisms, in the education sector. By considering the dual needs of data utility and privacy, we investigate the performance of various synthetic data generation techniques in safeguarding sensitive educational information. Our research focuses on two key questions: the capability of these techniques to prevent privacy threats and their impact on the utility of synthetic educational datasets. Through this investigation, we aim to bridge the gap in understanding the balance between privacy and utility of advanced privacy‐preserving techniques within educational contexts.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "Br. J. Educ. Technol.",
    "language": "en"
  },
  {
    "id": "openaire:10.4018/979-8-3693-9137-2.ch010",
    "title": "AI-Powered Synthetic Data Generation for Training Vision Models Ensuring Privacy, Good Governance and Responsible AI in the Era of Digital Sovereignty",
    "authors": [
      "Harsh Klapeshkumar Dave",
      "Kamal Sutaria",
      "Amit Ganatra"
    ],
    "date": "2025-08-29",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.4018/979-8-3693-9137-2.ch010",
    "pdfUrl": "",
    "doi": "10.4018/979-8-3693-9137-2.ch010",
    "abstract": "This chapter explores synthetic data's transformative role in computer vision model training, emphasizing privacy and responsible AI in the context of digital sovereignty. Starting with an overview of computer vision and deep learning, the chapter explains how these technologies enable machines to interpret visual data. Synthetic data, created to mirror real-world scenarios, emerges as a solution for protecting privacy, enabling training without exposing sensitive information. Through diverse case studies, it demonstrates how synthetic data can eliminate identifiable features, supporting privacy-centric, ethical AI. Readers gain a comprehensive understanding of the technical and accountable frameworks that make synthetic data crucial in advancing responsible AI while safeguarding digital privacy and fostering innovation.",
    "topics": [
      "ai_governance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.55041/ijsrem51981",
    "title": "Privacy-Preserving Diabetes Analytics using Homomorphic Encryption in the Cloud: A Review",
    "authors": [
      "Ayyapparaj T",
      "Dr. K. Pradeepa"
    ],
    "date": "2025-08-22",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.55041/ijsrem51981",
    "pdfUrl": "",
    "doi": "10.55041/ijsrem51981",
    "abstract": "This review investigates the convergence of homomorphic encryption, cloud computing, and the analysis of diabetes data. It brings together recent progress in methods that protect user privacy. The paper also looks at how different system designs work. It then compares how well various homomorphic encryption types perform. These include Partially Homomorphic Encryption (PHE), Somewhat Homomorphic Encryption (SHE), and Fully Homomorphic Encryption (FHE). PHE allows specific operations, like addition or multiplication, on encrypted data. SHE permits a limited number of both addition and multiplication operations. FHE, the most advanced, allows any computation on encrypted data. The study also covers rules about data privacy. This is especially important for laws like HIPAA in the United States and GDPR in Europe. These rules aim to safeguard sensitive health information. Finally, the work offers a visual way to think about processing diabetes data securely in the cloud. This framework helps users understand how their information stays private. It addresses the critical need for secure handling of personal health information in the growing field of cloud-based health analytics.",
    "topics": [
      "privacy_engineering",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "s2:a0329d4c59eb6263b4856b1c1e3bd59a84624737",
    "title": "Service for the Pseudonymization of Electronic Healthcare Records Based on ISO/EN 13606 for the Secondary Use of Information",
    "authors": [
      "R. Somolinos",
      "A. Carrero",
      "M. Hernando",
      "Mario Pascual Carrasco",
      "J. C. Tello",
      "Ricardo Sánchez-de-Madariaga",
      "J. A. Fragua",
      "Pablo Serrano-Balazote",
      "C. H. Salvador"
    ],
    "date": "2015-11-01",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/a0329d4c59eb6263b4856b1c1e3bd59a84624737",
    "pdfUrl": "https://oa.upm.es/35429/1/INVE_MEM_2014_192054.pdf",
    "doi": "10.1109/JBHI.2014.2360546",
    "abstract": "The availability of electronic health data favors scientific advance through the creation of repositories for secondary use. Data anonymization is a mandatory step to comply with current legislation. A service for the pseudonymization of electronic healthcare record (EHR) extracts aimed at facilitating the exchange of clinical information for secondary use in compliance with legislation on data protection is presented. According to ISO/TS 25237, pseudonymization is a particular type of anonymization. This tool performs the anonymizations by maintaining three quasi-identifiers (gender, date of birth, and place of residence) with a degree of specification selected by the user. The developed system is based on the ISO/EN 13606 norm using its characteristics specifically favorable for anonymization. The service is made up of two independent modules: the demographic server and the pseudonymizing module. The demographic server supports the permanent storage of the demographic entities and the management of the identifiers. The pseudonymizing module anonymizes the ISO/EN 13606 extracts. The pseudonymizing process consists of four phases: the storage of the demographic information included in the extract, the substitution of the identifiers, the elimination of the demographic information of the extract, and the elimination of key data in free-text fields. The described pseudonymizing system was used in three telemedicine research projects with satisfactory results. A problem was detected with the type of data in a demographic data field and a proposal for modification was prepared for the group in charge of the drawing up and revision of the ISO/EN 13606 norm.",
    "topics": [
      "data_anonymization",
      "linkability_tracking"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Re-identification"
    ],
    "relevanceScore": 0.637,
    "venue": "IEEE journal of biomedical and health informatics",
    "language": "en"
  },
  {
    "id": "openaire:10.15680/ijirset.2025.1405015",
    "title": "Anonymization Techniques for Large-Scale Health Databases a Critical Review",
    "authors": [
      "Vladyslav Malanin"
    ],
    "date": "2025-05-30",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.15680/ijirset.2025.1405015",
    "pdfUrl": "",
    "doi": "10.15680/ijirset.2025.1405015",
    "abstract": "<jats:p>As health data grows exponentially, it makes it easier for privacy to be invaded when dealing with large medical databases. This paper examines various techniques for advanced anonymization and pseudonymization that assist in complying with the General Data Protection Regulation and the Health Insurance Portability and Accountability Act. It reviews the leading techniques, assesses their advantages and disadvantages, and discusses when they are useful for processing health-related data. It also focuses on how techniques that help preserve the usefulness of data like tokenization, hashing, and encryption also protect a patient’s privacy. The effectiveness of every technique in terms of privacy, exploring data, and matching large healthcare systems is evaluated. The paper emphasizes the importance of creating a consistent approach to data privacy when concluding, focusing on the main difficulties, ethical questions, and new technologies that are being developed.</jats:p>",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "International Journal of Innovative Research in Science Engineering and Technology",
    "language": "en"
  },
  {
    "id": "s2:23d9c5e8e22dc4b190e6178e8ec2b4a631c3f8d6",
    "title": "BT24 Pseudonymization for artificial intelligence skin lesion datasets: a real-world feasibility study",
    "authors": [
      "T. Chin",
      "G. Chin",
      "James Sutherland",
      "Andrew Coon",
      "Colin A Morton",
      "C. Fleming"
    ],
    "date": "2024-06-28",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/23d9c5e8e22dc4b190e6178e8ec2b4a631c3f8d6",
    "pdfUrl": "https://academic.oup.com/bjd/article-pdf/191/Supplement_1/i199/58328737/ljae090.421.pdf",
    "doi": "10.1093/bjd/ljae090.421",
    "abstract": "The use of patient data for artificial intelligence (AI) research should be transparent, rigorous and accountable. In the UK, the General Data Protection Regulation, Data Protection Act 2018 and General Medical Council govern data handling and patients’ rights to privacy. We report on our multistep pseudonymization protocol for real-world skin lesion datasets, in preparation for research within a trusted research environment (TRE). Firstly, patients referred from primary care are triaged for community locality and imaging centre (CLIC) suitability. There, trained healthcare professionals capture lesion images (dermoscopic, macroscopic and regional) and patient information using a mobile application on trust-certified devices. Training is standardized across all CLIC sites, with specific anonymization training on removing in-frame clothing and jewellery, device positioning, and magnification to minimize identifiable features like eyes, nose and ears. Lesion datasets (paired images and clinical information) are subsequently transferred to an image management system (IMS) hosted on our trust-secured network. Within the IMS, images are manually inspected, and those with identifiable tattoos and piercings are excluded. All regional images are also excluded from transfer to the TRE. Before transfer to the TRE, images undergo a further round of review. Data fields are manually checked for identifiable patient information, patient names are removed, and dates of birth are rounded to 3-month granularity. The job ID, patient’s hospital number, date of clinical episode and responsible photographer are replaced with randomly generated project-specific identifiers. In an initial study period, 658 of 963 (68%) captured lesion datasets have undergone IMS manual inspection. Of these, 24 lesion datasets were excluded for identifiable features, 10 (41%) for more than one-third of the face being visible, 9 (38%) for full iris visibility, and 5 (21%) for tattoos. On breakdown by anatomical location these images were of the face (19, 80%), torso (2, 8%), limbs (2, 8%) and neck (1, 4%). The remaining 634 datasets (96%) were securely transferred to the TRE, where a further 5% were excluded due to potential identifiability. Although full anonymization is desirable, it is usually achieved by aggregating patient data. Pseudonymization, which allows for future reidentification in a secured fashion, strikes the balance between patient data privacy and clinical governance, while retaining a level of granularity sufficient for meaningful analysis. Currently, this protocol is manually intensive with room to partly automate. Use of common standardized protocols will strengthen the public trust in clinical AI.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "British Journal of Dermatology",
    "language": "en"
  },
  {
    "id": "s2:b1ab0c5492790def713ccbe57482b78652b2ff50",
    "title": "A pseudonymization tool for Hungarian",
    "authors": [
      "Péter Hatvani",
      "L. Laki",
      "Yang Zijian Győző"
    ],
    "date": "2023",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/b1ab0c5492790def713ccbe57482b78652b2ff50",
    "pdfUrl": "http://publikacio.uni-eszterhazy.hu/7709/1/AMI_online_1467.pdf",
    "doi": "10.33039/ami.2023.08.009",
    "abstract": "In today’s world, the volume of documents being generated is growing exponentially, making the protection of personal data an increasingly crucial task. Anonymization plays a vital role in various fields, but its implementation can be challenging. While advancements in natural language processing research have resulted in more accurate named entity recognition (NER) models, relying on an NER system to remove names from a text may compromise its fluency and coherence. In this paper, we introduce a novel approach to pseudonymization, specifically tailored for the Hungarian language, which addresses the challenges associated with maintaining text fluency and coherence. Our method employs a pipeline that integrates various NER models, morphological parsing, and generation modules. Instead of merely recognizing and removing named entities, as in conventional approaches, our pipeline utilizes a morphological generator to consistently replace names with alternative names throughout the document. This process ensures the preservation of both text coherence and anonymity. To assess the efficacy of our method, we conducted evaluations on multiple corpora, with results consistently indicating that our pipeline surpasses traditional approaches in performance. Our innovative approach paves the way for new pseudonymization possibilities across a diverse range of fields and applications.",
    "topics": [
      "data_anonymization",
      "pii_entity_types"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.637,
    "venue": "Annales Mathematicae et Informaticae",
    "language": "en"
  },
  {
    "id": "openaire:10.2139/ssrn.3275783",
    "title": "Blockchain and the European Union General Data Protection Regulation: The CNIL's Perspective",
    "authors": [
      "Florian Martin-Bariteau"
    ],
    "date": "2018-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.2139/ssrn.3275783",
    "pdfUrl": "",
    "doi": "10.2139/ssrn.3275783",
    "abstract": "The Commission Nationale Informatique et Libertes (CNIL), has published “Blockchain: Premiers elements d’analyse de la CNIL”, a document on blockchain and the European Union General Data Protection Regulation (GDPR). This document was released by the French Data Protection Authority (DPA) as a working policy paper and offers an overview of its initial reflection on the Blockchain technology and its compliance with the GDPR.    The CNIL notes the GDPR has been created to regulate data use, rather than any particular form of technology. As such, and without surprise to anyone familiar with privacy law, the CNIL states the GDPR applies to the use of blockchain in any instance where personal data is handled. However, this working paper is a very raw analysis. In our opinion, the document raises more questions than it answers – and highlights some legal uncertainty with respect to the qualifications of different actors on a blockchain under the GDPR taxonomy. In several areas, the CNIL highlights that more reflection is needed on its end, and that this reflection needs to be undertaken at the European level.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.23919/mipro.2018.8400234",
    "title": "Will the GDPR slow down development of smart cities?",
    "authors": [
      "Vojkovic, Goran"
    ],
    "date": "2018-05-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.23919/mipro.2018.8400234",
    "pdfUrl": "",
    "doi": "10.23919/mipro.2018.8400234",
    "abstract": "After four (4) years of preparation and debate the General Data Protection Regulation (GDPR) was approved by the EU Parliament on 14 April 2016. Enforcement date is 25 May 2018. The EU General Data Protection Regulation replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, but also to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy. This Regulation is a legal act which is mandatory and fully valid for all EU Member States. Thereby, Member States may additionally regulate certain areas of personal data protection. Apart from being more appropriate for today's era of fast speed Internet and Internet of things (IOT), the new Regulation is essentially more extensive, more accurate, and involves the questions of personal data risk. Considering the fact that personal data is being processed in the E-business and E- government, and in addition to introduction of some smart-city functions, it's possible to indirectly collect personal data. The GDPR is extremely important and it's one of the key legal documents for the further development of the digital economy and administration. As this year's MIPRO almost coincides with the date of full implementation of the Regulation, it was an additional incentive to decide on a subject of invited lecture on GDPR.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:2125760",
    "title": "A MOOC on Privacy by Design and the GDPR",
    "authors": [
      "Simone Fischer-Hübner",
      "Leonardo A. Martucci",
      "Lothar Fritsch",
      "Tobias Pulls",
      "Sebastian Herold",
      "Leonardo H. Iwaya",
      "Stefan Alfredsson",
      "Albin Zuccato"
    ],
    "date": "2018-09-18",
    "platform": "hal",
    "sourceUrl": "https://inria.hal.science/hal-02125760v1",
    "pdfUrl": "https://inria.hal.science/hal-02125760/document",
    "doi": "10.1007/978-3-319-99734-6_8",
    "abstract": "In this paper we describe how we designed a massive open online course (mooc) on Privacy by Design with a focus on how to achieve compliance with the eu gdpr principles and requirements in it engineering and management. This mooc aims at educating both professionals and undergraduate students, i.e., target groups with distinct educational needs and requirements, within a single course structure. We discuss why developing and publishing such a course is a timely decision and fulfills the current needs of the professional and undergraduate education. The mooc is organized in five modules, each of them with its own learning outcomes and activities. The modules focus on different aspects of the gdpr that data protection officers have to be knowledgeable about, ranging from the legal basics, to data protection impact assessment methods, and privacy-enhancing technologies. The modules were delivered using hypertext, digital content and three video production styles: slides with voice-over, talking heads and interviews. The main contribution of this work is the roadmap on how to design a highly relevant mooc on privacy by design and the gdpr aimed at an heterogeneous audience.",
    "topics": [
      "gdpr_compliance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1136/amiajnl-2012-001020",
    "title": "BoB, a best-of-breed automated text de-identification system for VHA clinical documents",
    "authors": [
      "Oscar, Ferrández",
      "Brett R, South",
      "Shuying, Shen",
      "F Jeffrey, Friedlin",
      "Matthew H, Samore",
      "Stéphane M, Meystre"
    ],
    "date": "2012-09-04",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1136/amiajnl-2012-001020",
    "pdfUrl": "",
    "doi": "10.1136/amiajnl-2012-001020",
    "abstract": "De-identification allows faster and more collaborative clinical research while protecting patient confidentiality. Clinical narrative de-identification is a tedious process that can be alleviated by automated natural language processing methods. The goal of this research is the development of an automated text de-identification system for Veterans Health Administration (VHA) clinical documents. We devised a novel stepwise hybrid approach designed to improve the current strategies used for text de-identification. The proposed system is based on a previous study on the best de-identification methods for VHA documents. This best-of-breed automated clinical text de-identification system (aka BoB) tackles the problem as two separate tasks: (1) maximize patient confidentiality by redacting as much protected health information (PHI) as possible; and (2) leave de-identified documents in a usable state preserving as much clinical information as possible. We evaluated BoB with a manually annotated corpus of a variety of VHA clinical notes, as well as with the 2006 i2b2 de-identification challenge corpus. We present evaluations at the instance- and token-level, with detailed results for BoB's main components. Moreover, an existing text de-identification system was also included in our evaluation. BoB's design efficiently takes advantage of the methods implemented in its pipeline, resulting in high sensitivity values (especially for sensitive PHI categories) and a limited number of false positives. Our system successfully addressed VHA clinical document de-identification, and its hybrid stepwise design demonstrates robustness and efficiency, prioritizing patient confidentiality while leaving most clinical information intact.",
    "topics": [
      "data_anonymization",
      "sector_healthcare"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Health & Genomic PII"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.69554/qsst9019",
    "title": "Comparing the benefits of pseudonymisation and anonymisation under the GDPR",
    "authors": [
      "Mike Hintze",
      "Khaled El Emam"
    ],
    "date": "2018-12-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.69554/qsst9019",
    "pdfUrl": "",
    "doi": "10.69554/qsst9019",
    "abstract": "<jats:p xml:lang=\"en\">Many organisations are trying to obtain more value from their data to improve their products and services, offer new ones and optimise their own internal operations. For example, more chief data officers, or similar roles, are being created to drive such data-enabled transitions. With the General Data Protection Regulation (GDPR) in place, these organisations need to determine the lawful basis for such activities. De-identification techniques, such as pseudonymisation and anonymisation, can play an important role in facilitating such secondary uses and disclosures of data. In regard to de-identification, the GDPR introduces nuances that have not previously been seen, recognising the existence of different levels of de-identification and explicitly adding references to pseudonymisation as an intermediate form of de-identification. This paper explores the nuances introduced by the GDPR, compares the benefits of the different levels of de-identification found in the regulation, and provides practical guidance for using de-identification as a tool for addressing different GDPR compliance obligations.</jats:p>",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.17159/1727-3781/2021/v24i0a10727",
    "title": "Personal Data Security in South Africa’s Financial Services Market: The Protection of Personal Information Act 4 of 2013 and the European Union General Data Protection Regulation Compared",
    "authors": [
      "Tapiwa V Warikandwa"
    ],
    "date": "2021-05-21",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.17159/1727-3781/2021/v24i0a10727",
    "pdfUrl": "",
    "doi": "10.17159/1727-3781/2021/v24i0a10727",
    "abstract": "<jats:p>The contemporary global financial services market has witnessed a substantial increase in cybercrime which places consumers’ personal data at risk. Rapid increases in cybercrime linked to the financial services market have driven financial market regulators to pass novel laws and regulations aimed at curbing the rate of occurrence of cybercrimes connected to personal data sharing. To that end, banks and/or financial services companies in Europe have swiftly moved to comply with the European Union’s General Data Protection Regulation. Whilst personal data protection regulation is not a new concept in Europe, most African countries (with exception of South Africa) do not have laws and regulations on personal data protection. With the financial services market being extremely vulnerable to cyber risks owing to the digitisation of the financial services sector, it is important to assess the suitability of South Africa’s current regulatory framework concerning the protection of personal data. This article thus examines South Africa’s Protection of Personal Information Act 4 of 2013 with a view to ascertaining its suitability and/or adequacy in protecting personal data in the country’s financial services market. With the global Covid-19 pandemic bringing about concerns related to rapid increases in cyber-attacks in the financial services market owing to the increased sharing of the sensitive personal data of consumers, there is also need to test the POPIA’s conformity with the strict European Union GDPR personal data protection guidelines.</jats:p>",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:1534775",
    "title": "Privacy Consensus in Anonymization Systems via Game Theory",
    "authors": [
      "Rosa Karimi Adl",
      "Mina Askari",
      "Ken Barker",
      "Reihaneh Safavi-Naini"
    ],
    "date": "2012-07-11",
    "platform": "hal",
    "sourceUrl": "https://inria.hal.science/hal-01534775v1",
    "pdfUrl": "https://inria.hal.science/hal-01534775/document",
    "doi": "10.1007/978-3-642-31540-4_6",
    "abstract": "Privacy protection appears as a fundamental concern when personal data is collected, stored, and published. Several anonymization methods have been proposed to address privacy issues in private datasets. Every anonymization method has at least one parameter to adjust the level of privacy protection considering some utility for the collected data. Choosing a desirable level of privacy protection is a crucial decision and so far no systematic mechanism exists to provide directions on how to set the privacy parameter. In this paper, we model this challenge in a game theoretic framework to find consensual privacy protection levels and recognize the characteristics of each anonymization method. Our model can potentially be used to compare different anonymization methods and distinguish the settings that make one anonymization method more appealing than the others. We describe the general approach to solve such games and elaborate the procedure using k-anonymity as a sample anonymization method. Our simulations of the game results in the case of k-anonymity reveals how the equilibrium values of k depend on the number of quasi-identifiers, maximum number of repetitive records, anonymization cost, and public’s privacy behaviour.",
    "topics": [
      "data_anonymization",
      "linkability_tracking"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Re-identification"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1145/3139550.3139562",
    "title": "Blind De-anonymization Attacks using Social Networks",
    "authors": [
      "Lee, Wei-Han",
      "Liu, Changchang",
      "Ji, Shouling",
      "Mittal, Prateek",
      "Lee, Ruby"
    ],
    "date": "2017-10-30",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1145/3139550.3139562",
    "pdfUrl": "",
    "doi": "10.1145/3139550.3139562",
    "abstract": "It is important to study the risks of publishing privacy-sensitive data. Even if sensitive identities (e.g., name, social security number) were removed and advanced data perturbation techniques were applied, several de-anonymization attacks have been proposed to re-identify individuals. However, existing attacks have some limitations: 1) they are limited in de-anonymization accuracy; 2) they require prior seed knowledge and suffer from the imprecision of such seed information. We propose a novel structure-based de-anonymization attack, which does not require the attacker to have prior information (e.g., seeds). Our attack is based on two key insights: using multi-hop neighborhood information, and optimizing the process of de-anonymization by exploiting enhanced machine learning techniques. The experimental results demonstrate that our method is robust to data perturbations and significantly outperforms the state-of-the-art de-anonymization techniques by up to $10\\times$ improvement.",
    "topics": [
      "data_anonymization",
      "nlp_ner_tools"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "europepmc:37416449",
    "title": "A certified de-identification system for all clinical text documents for information extraction at scale.",
    "authors": [
      "Radhakrishnan L",
      "Schenk G",
      "Muenzen K",
      "Oskotsky B",
      "Ashouri Choshali H",
      "Plunkett T",
      "Israni S",
      "Butte AJ."
    ],
    "date": "2023-07-04",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1093/jamiaopen/ooad045",
    "pdfUrl": "https://academic.oup.com/jamiaopen/article-pdf/6/3/ooad045/50801018/ooad045.pdf",
    "doi": "10.1093/jamiaopen/ooad045",
    "abstract": "<h4>Objectives</h4>Clinical notes are a veritable treasure trove of information on a patient's disease progression, medical history, and treatment plans, yet are locked in secured databases accessible for research only after extensive ethics review. Removing personally identifying and protected health information (PII/PHI) from the records can reduce the need for additional Institutional Review Boards (IRB) reviews. In this project, our goals were to: (1) develop a robust and scalable clinical text de-identification pipeline that is compliant with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule for de-identification standards and (2) share routinely updated de-identified clinical notes with researchers.<h4>Materials and methods</h4>Building on our open-source de-identification software called Philter, we added features to: (1) make the algorithm and the de-identified data HIPAA compliant, which also implies type 2 error-free redaction, as certified via external audit; (2) reduce over-redaction errors; and (3) normalize and shift date PHI. We also established a streamlined de-identification pipeline using MongoDB to automatically extract clinical notes and provide truly de-identified notes to researchers with periodic monthly refreshes at our institution.<h4>Results</h4>To the best of our knowledge, the Philter V1.0 pipeline is currently the <i>first</i> and <i>only</i> certified, de-identified redaction pipeline that makes clinical notes available to researchers for nonhuman subjects' research, without further IRB approval needed. To date, we have made over 130 million certified de-identified clinical notes available to over 600 UCSF researchers. These notes were collected over the past 40 years, and represent data from 2757016 UCSF patients.",
    "topics": [
      "data_anonymization",
      "sector_healthcare"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Health & Genomic PII"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "europepmc:32871006",
    "title": "Mainzelliste SecureEpiLinker (MainSEL): privacy-preserving record linkage using secure multi-party computation.",
    "authors": [
      "Stammler S",
      "Kussel T",
      "Schoppmann P",
      "Stampe F",
      "Tremper G",
      "Katzenbeisser S",
      "Hamacher K",
      "Lablans M."
    ],
    "date": "2022-03-01",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1093/bioinformatics/btaa764",
    "pdfUrl": "https://academic.oup.com/bioinformatics/advance-article-pdf/doi/10.1093/bioinformatics/btaa764/33705419/btaa764.pdf",
    "doi": "10.1093/bioinformatics/btaa764",
    "abstract": "<h4>Motivation</h4>Record Linkage has versatile applications in real-world data analysis contexts, where several datasets need to be linked on the record level in the absence of any exact identifier connecting related records. An example are medical databases of patients, spread across institutions, that have to be linked on personally identifiable entries like name, date of birth or ZIP code. At the same time, privacy laws may prohibit the exchange of this personally identifiable information (PII) across institutional boundaries, ruling out the outsourcing of the record linkage task to a trusted third party. We propose to employ privacy-preserving record linkage (PPRL) techniques that prevent, to various degrees, the leakage of PII while still allowing for the linkage of related records.<h4>Results</h4>We develop a framework for fault-tolerant PPRL using secure multi-party computation with the medical record keeping software Mainzelliste as the data source. Our solution does not rely on any trusted third party and all PII is guaranteed to not leak under common cryptographic security assumptions. Benchmarks show the feasibility of our approach in realistic networking settings: linkage of a patient record against a database of 10 000 records can be done in 48 s over a heavily delayed (100 ms) network connection, or 3.9 s with a low-latency connection.<h4>Availability and implementation</h4>The source code of the sMPC node is freely available on Github at https://github.com/medicalinformatics/SecureEpilinker subject to the AGPLv3 license. The source code of the modified Mainzelliste is available at https://github.com/medicalinformatics/MainzellisteSEL.<h4>Supplementary information</h4>Supplementary data are available at Bioinformatics online.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "europepmc:PPR1148352",
    "title": "Operationally Audit-Ready Dual-Flow Compliance Pipelines for Conformance Matrices: An Ontology-Based Metamodel with GDPR and EU AI Act Instantiation",
    "authors": [
      "Goncalves A",
      "Correia A."
    ],
    "date": "2026-01-26",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.20944/preprints202601.1812.v1",
    "pdfUrl": "https://doi.org/10.20944/preprints202601.1812.v1",
    "doi": "10.20944/preprints202601.1812.v1",
    "abstract": "Artificial intelligence (AI) risk systems deployed in high-stakes decision-support settings are increasingly expected to be operationally audit-ready: they must demonstrate, through verifiable evidence, that applicable governance requirements were implemented, monitored, and maintained during real-world operation. In practice, audit readiness often breaks down not because documentation is absent, but because trace links between normative requirements, operational controls, and both pipeline artefacts and evidence items are fragmented, inconsistent, and costly to verify. To address this gap, this paper establishes a foundation for audit-ready conformance matrices grounded in a dual-flow, layered architecture that couples an upstream, conventional technical pipeline with a downstream compliance pipeline engineered to operationalise governance requirements as explicit controls, evidence specifications, gates, decision records, corrective actions, and accountability hooks. The approach delivers five core artefacts: (i) an ontology-aligned interoperability layer leveraging the Data Privacy Vocabulary (DPV) and the AI Risk Ontology (AIRO); (ii) a conformance-matrix metamodel defining the entities and relations required to represent requirements, controls, artefacts, and evidence; (iii) deterministic mapping rules that bind controls to concrete operational artefacts and run-scoped evidence items; (iv) a case-by-case instantiation workflow producing distinct matrix instances for specific pipelines and contexts; and (v) a multi-regime alignment mechanism that preserves a stable trace structure across regimes. While multi-regime by design, the paper provides a primary instantiation for the General Data Protection Regulation (GDPR) and the European Union Artificial Intelligence Act (EU AI Act). Conceptual validation is provided through competency questions, consistency checks, and an illustrative instantiation over an AI risk pipeline. 
Overall, the work reframes Compliance-by-",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "europepmc:PPR1145834",
    "title": "Engineering Explainable AI Systems for GDPR-Aligned Decision Transparency: A Modular Framework for Continuous Compliance",
    "authors": [
      "Goncalves A",
      "Correia A."
    ],
    "date": "2026-01-21",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.20944/preprints202601.1610.v1",
    "pdfUrl": "https://doi.org/10.20944/preprints202601.1610.v1",
    "doi": "10.20944/preprints202601.1610.v1",
    "abstract": "Explainability is increasingly expected to support not only interpretation, but also accountability, human oversight, and auditability in high-risk Artificial Intelligence (AI) systems. However, in many deployments, explanations are generated as isolated technical reports, remaining weakly connected to decision provenance, governance actions, audit logs, and regulatory documentation. This short communication introduces XAI-Compliance-by-Design, a modular engineering framework for explainable artificial intelligence (XAI) systems that routes explainability outputs and related technical traces into structured, audit-ready evidence throughout the AI lifecycle, designed to align with key obligations under the European Union Artificial Intelligence Act (EU AI Act) and the General Data Protection Regulation (GDPR). The framework specifies (i) a modular architecture that separates technical evidence generation from governance consumption through explicit interface points for emitting, storing, and querying evidence, and (ii) a Technical–Regulatory Correspondence Matrix—a mapping table linking regulatory anchors to concrete evidence artefacts and governance triggers. As this communication does not report measured results, it also introduces an Evidence-by-Design evaluation protocol defining measurable indicators, baseline configurations, and required artefacts to enable reproducible empirical validation in future work. Overall, the contribution is a practical blueprint that clarifies what evidence must be produced, where it is generated in the pipeline, and how it supports continuous compliance and auditability efforts without relying on post-hoc explanations.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "europepmc:41406978",
    "title": "Mass-Scale G2B Data Sharing in an Emergency: between the GDPR, Data Governance Act, and European Health Data Space.",
    "authors": [
      "Parziale A",
      "Pulice E",
      "Mascalzoni D."
    ],
    "date": "2025-11-19",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1163/15718093-bja10158",
    "pdfUrl": "",
    "doi": "10.1163/15718093-bja10158",
    "abstract": "During the COVID-19 pandemic, government-to-business (G2B) data sharing became a vital practice, exemplified by the 2021 Israeli Ministry of Health-Pfizer agreement. This established a large-scale data sharing operation outside of research and data protection regulations and oversight. This paper explores two related questions: (i) whether an EU Member State could replicate this scenario, and (ii) whether EU data legislation provides sufficient protection against excessive G2B data sharing. The analysis of the General Data Protection Regulation, Data Governance Act, and European Health Data Space shows that (i) despite the uncertain definitions of research and personal data, it would be difficult for an EU Member State to replicate this scenario; and (ii) despite its many grey areas and flexibilities, EU data legislation offers protection against excessive G2B data sharing. This highlights the need to explore alternative strategies to facilitate data sharing that can address public health emergencies promptly while safeguarding fundamental rights.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "European journal of health law",
    "language": "en"
  },
  {
    "id": "europepmc:PPR1129862",
    "title": "XAI-Compliance-by-Design: A Modular Framework for GDPR- and AI Act-Aligned Decision Transparency in High-Risk AI Systems",
    "authors": [
      "Goncalves A",
      "Correia A."
    ],
    "date": "2025-12-01",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.20944/preprints202512.0062.v1",
    "pdfUrl": "https://doi.org/10.20944/preprints202512.0062.v1",
    "doi": "10.20944/preprints202512.0062.v1",
    "abstract": "High-risk Artificial Intelligence (AI) systems deployed in cybersecurity and privacy-critical contexts must satisfy not only demanding performance targets but also stringent obligations for transparency, accountability and human oversight under the General Data Protection Regulation (GDPR) and the Artificial Intelligence Act (AI Act). Existing approaches often treat these concerns in isolation: explainable AI (XAI) methods are added ad hoc to machine learning pipelines, while governance and regulatory frameworks remain largely conceptual and weakly connected to the concrete artefacts produced in practice. This article proposes \\textit{XAI-Compliance-by-Design}, a modular framework that integrates XAI techniques, compliance-by-design principles and trustworthy Machine Learning Operations (MLOps) practices into a unified architecture for high-risk AI systems in cybersecurity and privacy domains. The framework follows a dual-flow design that couples an upstream technical pipeline (data, model, explanation and monitoring) with a downstream governance pipeline (policy, oversight, audit and decision-making), orchestrated by a Compliance-by-Design Engine and a technical–regulatory correspondence matrix aligned with the GDPR, the AI Act and ISO/IEC~42001. The framework is instantiated and evaluated through an end-to-end, Python-based proof of concept using a synthetic, intrusion detection system (IDS)-inspired anomaly detection scenario with a Random Forest classifier, SHAP and LIME explanations, drift indicators and tamper-evident evidence bundles and decision dossiers. The results show that, even in a modest, toy setting with limited predictive performance, the framework systematically produces verifiable artefacts that support auditability and accountability across the model lifecycle. 
By linking explanation reports, drift statistics and compliance logs to concrete regulatory provisions, the approach illustrates how organisations operating high-risk AI for cybersecurity ",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:5067435",
    "title": "Ensuring GDPR Compliance and Security in a Clinical Data Warehouse: Challenges and Insights from a University Hospital (Preprint)",
    "authors": [
      "Christine Riou",
      "Mohamed El Azzouzi",
      "Anne Hespel",
      "Emeric Guillou",
      "Gouenou Coatrieux",
      "Marc Cuggia"
    ],
    "date": "2024",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-05067435v1",
    "pdfUrl": "https://hal.science/hal-05067435/document",
    "doi": "10.2196/63754",
    "abstract": "Background: The European Union's General Data Protection Regulation (GDPR) has profoundly influenced health data management, with significant implications for clinical data warehouses (CDWs). In 2021, France pioneered a national framework for GDPR-compliant CDW implementation, established by its data protection authority (Commission Nationale de l'Informatique et des Libertés). This framework provides detailed guidelines for health care institutions, offering a unique opportunity to assess practical GDPR implementation in health data management. Objective: This study evaluates the real-world applicability of France's CDW framework through its implementation at a major university hospital. It identifies practical challenges for its implementation by health institutions and proposes adaptations relevant to regulatory authorities in order to facilitate research in secondary use data domains. Methods: A systematic assessment was conducted in May 2023 at the University Hospital of Rennes, which manages data for over 2 million patients through the eHOP CDW system. The evaluation examined 116 criteria across 13 categories using a dual-assessment approach validated by information security and data protection officers. Compliance was rated as met, unmet, or not applicable, with criteria classified as software-related (n=25) or institution-related (n=91). Results: Software-related criteria showed 60% (n=15) compliance, with 28% (n=7) noncompliant or partially compliant and 12% (n=3) not applicable. Institution-related criteria achieved 72% (n=28) compliance for security requirements. Key challenges included managing genetic data, implementing automated archiving, and controlling data exports. The findings revealed effective privacy protection measures but also highlighted areas requiring regulatory adjustments to better support research. 
Conclusions: This first empirical assessment of a national CDW compliance framework offers valuable insights for health care institutions implementing GDPR requirements. While the framework establishes robust privacy protections, certain provisions may overly constrain research activities. The study identifies opportunities for framework evolution, balancing data protection with research imperatives.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "JMIR Medical Informatics",
    "language": "en"
  },
  {
    "id": "europepmc:40070923",
    "title": "Data altruism and the \"consent\" question: a study into the \"consent\" models used under the GDPR and how the data altruism mechanism can act as a potential solution for the research community in the reuse of health data.",
    "authors": [
      "Christofidou M",
      "Arvanitis TN",
      "Kalra D",
      "Lea N",
      "Shabani M",
      "Coorevits P."
    ],
    "date": "2025-02-25",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.3389/fmed.2024.1489925",
    "pdfUrl": "https://europepmc.org/articles/PMC11894576?pdf=render",
    "doi": "10.3389/fmed.2024.1489925",
    "abstract": "<h4>Introduction</h4>The General Data Protection Regulation (\"GDPR\") legal basis for obtaining consent for the processing of personal data for research purposes, where those purposes cannot be fully specified in advance, is provided for in Articles 6, 7 and Recital 33. However, GDPR's requirements for obtaining consent, as to the secondary use and sharing of data in research, have been argued to have generated confusion, whilst the conflicts between the Regulation itself, its practical application and research ethics are well-documented (1). The requirements for \"informed consent\", as defined within the GDPR, have not been well defined in the context of genome research or clinical trials (2), which has in turn led to the implementation and interpretation of the lawful basis to span into different idiosyncratic models. This naturally has fed into the uncertainty of how the legal basis can be applied in practice and calls for an investigation into the requirements for consent to be \"informed\" in the context of health research. This work aims to provide a scoping review and analysis of relevant publications with ultimate purpose to examine whether the concept of 'data altruism', as stipulated within Article 2 (10) of the Data Governance Act (\"DGA\"), addresses the gaps left behind by the application of the legal basis of 'consent', under the GDPR (Art. 6 (1) and 7), in so far as the secondary uses of data for research are concerned. 
In this light the article, by exploring available solutions found in relevant literature and used in practice in national and European projects, examines how 'data altruism' can add any value and work as a cohesive solution that the research community can use.<h4>Objectives</h4>The article, through its research, intends to answer the following questions:What gaps has the GDPR left when it comes to the interpretation and practical application of \"consent\" towards the secondary use of health data;Can the DGA, through the mechanism of 'data alt",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "Frontiers in medicine",
    "language": "en"
  },
  {
    "id": "europepmc:39135367",
    "title": "A health-conformant reading of the GDPR's right not to be subject to automated decision-making.",
    "authors": [
      "van Kolfschooten HB."
    ],
    "date": "2024-08-01",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1093/medlaw/fwae029",
    "pdfUrl": "https://europepmc.org/articles/PMC11347939?pdf=render",
    "doi": "10.1093/medlaw/fwae029",
    "abstract": "As the use of Artificial Intelligence (AI) technologies in healthcare is expanding, patients in the European Union (EU) are increasingly subjected to automated medical decision-making. This development poses challenges to the protection of patients' rights. A specific patients' right not to be subject to automated medical decision-making is not considered part of the traditional portfolio of patients' rights. The EU AI Act also does not contain such a right. The General Data Protection Regulation (GDPR) does, however, provide for the right 'not to be subject to a decision based solely on automated processing' in Article 22. At the same time, this provision has been severely critiqued in legal scholarship because of its lack of practical effectiveness. However, in December 2023, the Court of Justice of the EU first provided an interpretation of this right in C-634/21 (SCHUFA)-although in the context of credit scoring. Against this background, this article provides a critical analysis of the application of Article 22 GDPR to the medical context. The objective is to evaluate whether Article 22 GDPR may provide patients with the right to refuse automated medical decision-making. It proposes a health-conformant reading to strengthen patients' rights in the EU.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "Medical law review",
    "language": "en"
  },
  {
    "id": "pubmed:40244890",
    "title": "Ensuring General Data Protection Regulation Compliance and Security in a Clinical Data Warehouse From a University Hospital: Implementation Study.",
    "authors": [
      "Riou, Christine",
      "El Azzouzi, Mohamed",
      "Hespel, Anne",
      "Guillou, Emeric",
      "Coatrieux, Gouenou",
      "Cuggia, Marc"
    ],
    "date": "2025-04-17",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1186/s12910-021-00647-x",
    "pdfUrl": "",
    "doi": "10.1186/s12910-021-00647-x",
    "abstract": "BACKGROUND: The European Union's General Data Protection Regulation (GDPR) has profoundly influenced health data management, with significant implications for clinical data warehouses (CDWs). In 2021, France pioneered a national framework for GDPR-compliant CDW implementation, established by its data protection authority (Commission Nationale de l'Informatique et des Libertés). This framework provides detailed guidelines for health care institutions, offering a unique opportunity to assess practical GDPR implementation in health data management. OBJECTIVE: This study evaluates the real-world applicability of France's CDW framework through its implementation at a major university hospital. It identifies practical challenges for its implementation by health institutions and proposes adaptations relevant to regulatory authorities in order to facilitate research in secondary use data domains. METHODS: A systematic assessment was conducted in May 2023 at the University Hospital of Rennes, which manages data for over 2 million patients through the eHOP CDW system. The evaluation examined 116 criteria across 13 categories using a dual-assessment approach validated by information security and data protection officers. Compliance was rated as met, unmet, or not applicable, with criteria classified as software-related (n=25) or institution-related (n=91). RESULTS: Software-related criteria showed 60% (n=15) compliance, with 28% (n=7) noncompliant or partially compliant and 12% (n=3) not applicable. Institution-related criteria achieved 72% (n=28) compliance for security requirements. Key challenges included managing genetic data, implementing automated archiving, and controlling data exports. The findings revealed effective privacy protection measures but also highlighted areas requiring regulatory adjustments to better support research. 
CONCLUSIONS: This first empirical assessment of a national CDW compliance framework offers valuable insights for health care institutions im",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "JMIR medical informatics",
    "language": "en"
  },
  {
    "id": "pubmed:36282992",
    "title": "When is the processing of data from medical implants lawful? The legal grounds for processing health-related personal data from ICT implantable medical devices for treatment purposes under EU data protection law.",
    "authors": [
      "Lindstad, Sarita",
      "Ludvigsen, Kaspar Rosager"
    ],
    "date": "2023-08-25",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1093/medlaw/fwac038",
    "pdfUrl": "",
    "doi": "10.1093/medlaw/fwac038",
    "abstract": "Medicine is one of the biggest use cases for emerging information technologies. Data processing brings huge advantages but forces lawmakers and practitioners to balance between privacy, autonomy, accessibility, and functionality. ICT-connected Implantable Medical Devices plant themselves firmly between traditional medical equipment and software that processes health-related personal data, and these implants face many data management challenges. It is essential that healthcare providers and others can identify and understand the legal grounds they rely on to process data. The European Union is currently updating its framework, and the special provisions in the GDPR, the current ePrivacy Directive, and the coming ePrivacy Regulation all provide enhanced thresholds for processing data. This article provides an overview and explanation of the applicability of the rules and the legal grounds for processing data. We find that only a cumulative application of the GDPR and the ePrivacy rules ensure adequate protection of this data and present the legal grounds for processing in these cases. We discuss the challenges in obtaining and maintaining valid consent and necessity as a legal ground for processing and offer use case-specific discussions of the role of consent long-term and the lack of an adequate 'vital interest' exception in the ePrivacy rules.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "Medical law review",
    "language": "en"
  },
  {
    "id": "pubmed:34868197",
    "title": "Recommendations for Creating Codes of Conduct for Processing Personal Data in Biobanking Based on the GDPR art.40.",
    "authors": [
      "Krekora-Zając, Dorota",
      "Marciniak, Błażej",
      "Pawlikowski, Jakub"
    ],
    "date": "2021-11-12",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1007/978-3-030-49388-2_22",
    "pdfUrl": "",
    "doi": "10.1007/978-3-030-49388-2_22",
    "abstract": "Personal data protection has become a fundamental normative challenge for biobankers and scientists researching human biological samples and associated data. The General Data Protection Regulation (GDPR) harmonises the law on protecting personal data throughout Europe and allows developing codes of conduct for processing personal data based on GDPR art. 40. Codes of conduct are a soft law measure to create protective standards for data processing adapted to the specific area, among others, to biobanking of human biological material. Challenges in this area were noticed by the European Data Protection Supervisor on data protection and Biobanking and BioMolecular Resources Research Infrastructure-European Research Infrastructure Consortium (BBMRI.ERIC). They concern mainly the specification of the definitions of the GDPR and the determination of the appropriate legal basis for data processing, particularly for transferring data to other European countries. Recommendations indicated in the article, which are based on the GDPR, guidelines published by the authority and expert bodies, and our experiences regarding the creation of the Polish code of conduct, should help develop how a code of conduct for processing personal data in biobanks should be developed.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "Frontiers in genetics",
    "language": "en"
  },
  {
    "id": "pubmed:33583200",
    "title": "Data Sharing Under the General Data Protection Regulation: Time to Harmonize Law and Research Ethics?",
    "authors": [
      "Vlahou, Antonia",
      "Hallinan, Dara",
      "Apweiler, Rolf",
      "Argiles, Angel",
      "Beige, Joachim",
      "Benigni, Ariela",
      "Bischoff, Rainer",
      "Black, Peter C",
      "Boehm, Franziska",
      "Céraline, Jocelyn",
      "Chrousos, George P",
      "Delles, Christian",
      "Evenepoel, Pieter",
      "Fridolin, Ivo",
      "Glorieux, Griet",
      "van Gool, Alain J",
      "Heidegger, Isabel",
      "Ioannidis, John P A",
      "Jankowski, Joachim",
      "Jankowski, Vera",
      "Jeronimo, Carmen",
      "Kamat, Ashish M",
      "Masereeuw, Rosalinde",
      "Mayer, Gert",
      "Mischak, Harald",
      "Ortiz, Alberto",
      "Remuzzi, Giuseppe",
      "Rossing, Peter",
      "Schanstra, Joost P",
      "Schmitz-Dräger, Bernd J",
      "Spasovski, Goce",
      "Staessen, Jan A",
      "Stamatialis, Dimitrios",
      "Stenvinkel, Peter",
      "Wanner, Christoph",
      "Williams, Stephen B",
      "Zannad, Faiez",
      "Zoccali, Carmine",
      "Vanholder, Raymond"
    ],
    "date": "2021-02-15",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1161/HYPERTENSIONAHA.120.16340",
    "pdfUrl": "",
    "doi": "10.1161/HYPERTENSIONAHA.120.16340",
    "abstract": "The General Data Protection Regulation (GDPR) became binding law in the European Union Member States in 2018, as a step toward harmonizing personal data protection legislation in the European Union. The Regulation governs almost all types of personal data processing, hence, also, those pertaining to biomedical research. The purpose of this article is to highlight the main practical issues related to data and biological sample sharing that biomedical researchers face regularly, and to specify how these are addressed in the context of GDPR, after consulting with ethics/legal experts. We identify areas in which clarifications of the GDPR are needed, particularly those related to consent requirements by study participants. Amendments should target the following: (1) restricting exceptions based on national laws and increasing harmonization, (2) confirming the concept of broad consent, and (3) defining a roadmap for secondary use of data. These changes will be achieved by acknowledged learned societies in the field taking the lead in preparing a document giving guidance for the optimal interpretation of the GDPR, which will be finalized following a period of commenting by a broad multistakeholder audience. In parallel, promoting engagement and education of the public in the relevant issues (such as different consent types or residual risk for re-identification), on both local/national and international levels, is considered critical for advancement. We hope that this article will open this broad discussion involving all major stakeholders, toward optimizing the GDPR and allowing a harmonized transnational research approach.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "Hypertension (Dallas, Tex. : 1979)",
    "language": "en"
  },
  {
    "id": "s2:7f33c48740c384ed896b5666f6bb8ba0b486f8df",
    "title": "Why and how we should care about the General Data Protection Regulation",
    "authors": [
      "R. Crutzen",
      "Gjalt-Jorn Ygram Peters",
      "Christopher Mondschein"
    ],
    "date": "2018-11-18",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/7f33c48740c384ed896b5666f6bb8ba0b486f8df",
    "pdfUrl": "https://doi.org/10.1080/08870446.2019.1606222",
    "doi": "10.1080/08870446.2019.1606222",
    "abstract": "Abstract The General Data Protection Regulation (GDPR) is the new European Union-wide (EU) law on data protection, which is a great step towards more comprehensive and more far-reaching protection of individuals' personal data. In this editorial, we describe why and how we – as researchers within the field of health psychology – should care about the GDPR. In the first part, we explain when the GDPR is applicable, who is accountable for data protection, and what is covered by the notions of personal data and processing. In the second part, we explain aspects of the GDPR that are relevant for researchers within the field of health psychology (e.g., obtaining informed consent, data minimisation, and open science). We focus on questions that researchers may ask themselves in their daily practice. Compliance with the GDPR requires adopting research practices (e.g., data minimisation and anonymization procedures) that are not yet commonly used, but serve the fundamental right to protection of personal data of study participants.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "Psychology and Health",
    "language": "en"
  },
  {
    "id": "pubmed:30907730",
    "title": "OpenEHR and General Data Protection Regulation: Evaluation of Principles and Requirements.",
    "authors": [
      "Gonçalves-Ferreira, Duarte",
      "Sousa, Mariana",
      "Bacelar-Silva, Gustavo M",
      "Frade, Samuel",
      "Antunes, Luís Filipe",
      "Beale, Thomas",
      "Cruz-Correia, Ricardo"
    ],
    "date": "2019-03-25",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1109/CCST.2017.8167835",
    "pdfUrl": "",
    "doi": "10.1109/CCST.2017.8167835",
    "abstract": "BACKGROUND: Concerns about privacy and personal data protection resulted in reforms of the existing legislation in the European Union (EU). The General Data Protection Regulation (GDPR) aims to reform the existing directive on the topic of personal data protection of EU citizens with a strong emphasis on more control of the citizens over their data and in the establishment of rules for the processing of personal data. OpenEHR is a standard that embodies many principles of interoperable and secure software for electronic health records (EHRs) and has been advocated as the best approach for the development of hospital information systems. OBJECTIVE: This study aimed to understand to what extent the openEHR standard can help in the compliance of EHR systems to the GDPR requirements. METHODS: A list of requirements for an EHR to support GDPR compliance and also a list of the openEHR design principles were made. The requirements were categorized and compared with the principles by experts on openEHR and GDPR. RESULTS: A total of 50 GDPR requirements and 8 openEHR design principles were identified. The openEHR principles conformed to 30% (15/50) of GDPR requirements. All the openEHR principles were aligned with GDPR requirements. CONCLUSIONS: This study showed that the openEHR principles conform well to GDPR, underlining the common wisdom that truly realizing security and privacy requires it to be built in from the start. By using an openEHR-based EHR, the institutions are closer to becoming compliant with GDPR while safeguarding the medical data.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "JMIR medical informatics",
    "language": "en"
  },
  {
    "id": "pubmed:30706988",
    "title": "Impact of the General Data Protection Regulation on Clinical Proteomics Research.",
    "authors": [
      "Critselis, Elena"
    ],
    "date": "2019-02-13",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1002/prca.201800199",
    "pdfUrl": "",
    "doi": "10.1002/prca.201800199",
    "abstract": "The recently implemented General Data Protection Regulation (GDPR) has promising attributes for ensuring the protection of personal data collected and processed for clinical proteomic investigations. However, there exist ever increasing alarming concerns regarding its implications upon the future of clinical proteomics research both within and beyond the European Union. The main issues of concern regard GDPR legislative requirements for informed consent for study subjects' data collection and processing, data anonymization, and data storage and/or sharing, particularly in research areas which readily utilize databanks and biobanks, such as clinical proteomics investigations. The potential impacts of the aforementioned issues upon on-going and future clinical proteomics investigations are detailed, whilst recommendations for potentially resolving these emerging issues are proposed. Consensus between government, legislative, and research stakeholders, as well as impact assessments of final measures to be applied for medical research, is necessary so as to ensure the favorable perpetuation of clinical proteomics investigations and subsequent impact upon optimal patient health.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "Proteomics. Clinical applications",
    "language": "en"
  },
  {
    "id": "pubmed:29187736",
    "title": "Rules for processing genetic data for research purposes in view of the new EU General Data Protection Regulation.",
    "authors": [
      "Shabani, Mahsa",
      "Borry, Pascal"
    ],
    "date": "2017-11-29",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1038/ejhg.2015.239",
    "pdfUrl": "",
    "doi": "10.1038/ejhg.2015.239",
    "abstract": "Genetic data contain sensitive health and non-health-related information about the individuals and their family members. Therefore, adopting adequate privacy safeguards is paramount when processing genetic data for research or clinical purposes. One of the major legal instruments for personal data protection in the EU is the new General Data Protection Regulation (GDPR), which has entered into force in May 2016 and repealed the Directive 95/46/EC, with an ultimate goal of enhancing effectiveness and harmonization of personal data protection in the EU. This paper explores the major provisions of the new Regulation with regard to processing genetic data, and assesses the influence of such provisions on reinforcing the legal safeguards when sharing genetic data for research purposes. The new Regulation attempts to elucidate the scope of personal data, by recognizing pseudonymized data as personal (identifiable) data, and including genetic data in the catalog of special categories of data (sensitive data). Moreover, a set of new rules is laid out in the Regulation for processing personal data under the scientific research exemption. For instance, further use of genetic data for scientific research purposes, without obtaining additional consent will be allowed, if the specific conditions is met. The new Regulation has already fueled concerns among various stakeholders, owing to the challenges that may emerge when implementing the Regulation across the countries. Notably, the provided definition for pseudonymized data has been criticized because it leaves too much room for interpretations, and it might undermine the harmonization of the data protection across the countries.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "European journal of human genetics : EJHG",
    "language": "en"
  },
  {
    "id": "doaj:1f36809fd06d420db479560e23d13ab5",
    "title": "PENGEMBANGAN ANTARMUKA APLIKASI MENGGUNAKAN PRINSIP GENERAL DATA PROTECTION REGULATION",
    "authors": [
      "Poetri Lestari Lokapitasari Belluano",
      "Herman Herman",
      "Benny Leonard Enrico Panggabean"
    ],
    "date": "2019",
    "platform": "doaj",
    "sourceUrl": "http://jurnal.fikom.umi.ac.id/index.php/ILKOM/article/view/400",
    "pdfUrl": "",
    "doi": "10.33096/ilkom.v11i1.400.59-66",
    "abstract": "General Data Protection Regulations (GDPR) regulation which is used to substantiate or individual data protection. The principle of GDPR is transparency where the application users have the right to make changes and access to personal data. So, companies are asked to be transparent about the reasons for collecting the data and the purpose of the data usage. GDPR has purpose to develop personal data protection and user privacy data by managing update data in the form of real-time notification. The method is used for Convention over Configuration paradigm. Prototyping model is used to describe application system workflow using graphics, DBMS management (using PostgreSQL). In conclusion, prototype web application information system which applies data protection information using the principle of GDPR at user by managing data information updates in the form of real-time notification.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "Ilkom Jurnal Ilmiah",
    "language": "en"
  },
  {
    "id": "doaj:8598c0e2e59941058791ff83ef6d41b7",
    "title": "RESEARCH ON ERROR PROBABILITY ASSESSMENT IN USER PERSONAL DATA PROCESSING IN GDPR-COMPLIANT BUSINESS PROCESS MODELS",
    "authors": [
      "Andrii Kopp",
      "Dmytro Orlovskyi",
      "Oleksii Kizilov",
      "Olha Halatova"
    ],
    "date": "2024",
    "platform": "doaj",
    "sourceUrl": "http://samit.khpi.edu.ua/article/view/309113",
    "pdfUrl": "",
    "doi": "10.20998/2079-0023.2024.01.05",
    "abstract": "The only right strategy for businesses and government organizations in Ukraine and other countries that may face aggression is to recognize themselves as a potential target for cyberattacks by the aggressor (both by its government agencies and related cybercriminal groups) and take appropriate measures in accordance with the European Union’s General Data Protection Regulation (GDPR). The main purpose of the GDPR is to regulate the rights to personal data protection and to protect EU citizens from data leaks and breaches of confidentiality, which is especially important in today’s digital world, where the processing and exchange of personal data are integral parts of almost every business process. Therefore, the GDPR encourages organizations to transform their day-to-day business processes that are involved in managing, storing, and sharing customers’ personal data during execution. Thus, business process models created in accordance with the GDPR regulations must be of high quality, just like any other business process models, and the probability of errors in them must be minimal. This is especially important with regard to the observance of human rights to personal data protection, since low-quality models can become sources of errors, which, in turn, can lead to a breach of confidentiality and data leakage of business process participants. This paper analyzes recent research and publications, proposes a method for analyzing business process models that ensure compliance with the GDPR regulations, and tests its performance based on the analysis of BPMN models of business processes for obtaining consent to data processing and withdrawal of consent to user data processing. As a result, the probability of errors in the considered business process models was obtained, which suggests the possibility of confidentiality violations and data leaks of the participants of the considered business processes associated with these errors, and appropriate recommendations were made.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "Вісник Національного технічного університету \"ХПІ\": Системний аналіз, управління та інформаційні технології",
    "language": "en"
  },
  {
    "id": "hal:3703759",
    "title": "“Identity Management by Design” with a Technical Mediator Under the GDPR",
    "authors": [
      "Anne Steinbrück"
    ],
    "date": "2020-09-21",
    "platform": "hal",
    "sourceUrl": "https://inria.hal.science/hal-03703759v1",
    "pdfUrl": "https://inria.hal.science/hal-03703759/document",
    "doi": "10.1007/978-3-030-72465-8_10",
    "abstract": "The Charter of Fundamental Rights of the European Union (CFR) and the GDPR refer to the protection of personal data and personal identities. In the General Data Protection Regulation (GDPR) the term of personal data contains the protection of the physical, physiological, genetic, psychological, economic, cultural and social identities, Art. 4 para. 1 GDPR. This legal definition introduces the understanding of “identity” in a pluralistic sense. Thus, the notion of pluralistic and dynamic identities should be translated in a “privacy by design” mechanism. This notion of pluralistic identities would mirror a differentiated protection for personal identities based the right of informational self-determination, Art. 7, 8 CFR. Thus, the data subject should be enabled to develop the personal identity in an online-context in the same manner as it is done in an offline-context. This includes the opportunity for the data subject to control personal identities in their static “Idem-part” such as the name and their dynamic “Ipse-part” realized by the behavior (based on the philosophical theory by Ricœur). These parts of the personal identity should be visualized with a “dashboard” that allows the data subject to control and manage the personal identities. This “dashboard” should include an impartial technical mediator that embodies an effective, non-discriminatory and structured process. Such a technical mediator should be specified in an “identity management by design” mechanism based on Art. 25 GDPR in order to achieve an effective privacy protection in the era of Big Data.",
    "topics": [
      "gdpr_compliance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:5525714",
    "title": "Assisting the early development stages of privacy-aware software: the PRIAM tooled metamodel for GDPR",
    "authors": [
      "Selena Lamari",
      "Nadjia Benblidia",
      "Chouki Tibermacine",
      "Christelle Urtado",
      "Sylvain Vauttier"
    ],
    "date": "2026-06",
    "platform": "hal",
    "sourceUrl": "https://imt-mines-ales.hal.science/hal-05525714v1",
    "pdfUrl": "",
    "doi": "10.1016/j.infsof.2026.108065",
    "abstract": "Context: As software systems are more tailored to users, personal data is collected and exploited more than ever before. This situation raises the issue of user privacy protection. Conforming to personal data protection regulations, such as the European General Data Protection Regulation (GDPR), has thus become a legal obligation for application providers. However, there are no widely adopted proposals to formalize, implement, and assess compliance with the personal data privacy protection required by GDPR. Objective: In order to help application developers in the early stages of the development process, our overarching objective is to propose a tooled software engineering approach to integrate personal data protection capabilities, thus contributing to the development-by-design of privacy-aware software aligned with GDPR requirements. Method: We developed a method called PRIAM (PRIvacy Assessment Method) that goes beyond a conceptual description of the regulation by incorporating concrete, actionable software artifacts. This article presents the cornerstone of this method – PRIAM metamodel – along with its companion artifacts. Results: PRIAM metamodel captures the main concepts of GDPR and is then supported by a domain-specific language, user stories, and a dedicated database schema. The comprehensiveness and relevance of PRIAM metamodel have been qualitatively evaluated by GDPR experts through a questionnaire. Complementarily, an AI-based evaluation has been conducted, using some Large Language Models (LLMs), opening perspectives for fast, iterative evaluations of metamodels that formalize regulation texts. Besides, the practicality and usefulness of PRIAM metamodel and all its companion artifacts are highlighted through the running example of a Sport center management application, where privacy enforcement features, tailored to the specific personal data of the application, are generated and integrated. Conclusion: These two elements assert the viability of our proposal as a practical solution for assisting the development of privacy-aware applications that are compliant with GDPR requirements, thanks to customizable sets of actual development artifacts, systematically derived from a validated comprehensive formalization of the regulation articles.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "Information and Software Technology",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3014192648",
    "title": "Legal and Technical Feasibility of the GDPR’s Quest for Explanation of Algorithmic Decisions: of Black Boxes, White Boxes and Fata Morganas",
    "authors": [
      "Maja Brkan",
      "Grégory Bonnet"
    ],
    "date": "2020",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1017/err.2020.10",
    "pdfUrl": "https://www.cambridge.org/core/services/aop-cambridge-core/content/view/7324CDE80A300179C170C5BA8CA7E851/S1867299X20000100a.pdf/div-class-title-legal-and-technical-feasibility-of-the-gdpr-s-quest-for-explanation-of-algorithmic-decisions-of-black-boxes-white-boxes-and-fata-morganas-div.pdf",
    "doi": "https://doi.org/10.1017/err.2020.10",
    "abstract": "Understanding of the causes and correlations for algorithmic decisions is currently one of the major challenges of computer science, addressed under an umbrella term “explainable AI (XAI)”. Being able to explain an AI-based system may help to make algorithmic decisions more satisfying and acceptable, to better control and update AI-based systems in case of failure, to build more accurate models, and to discover new knowledge directly or indirectly. On the legal side, the question whether the General Data Protection Regulation (GDPR) provides data subjects with the right to explanation in case of automated decision-making has equally been the subject of a heated doctrinal debate. While arguing that the right to explanation in the GDPR should be a result of interpretative analysis of several GDPR provisions jointly, the authors move this debate forward by discussing the technical and legal feasibility of the explanation of algorithmic decisions. Legal limits, in particular the secrecy of algorithms, as well as technical obstacles could potentially obstruct the practical implementation of this right. By adopting an interdisciplinary approach, the authors explore not only whether it is possible to translate the EU legal requirements for an explanation into the actual machine learning decision-making, but also whether those limitations can shape the way the legal right is used in practice.",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.637,
    "venue": "European Journal of Risk Regulation",
    "language": "en"
  },
  {
    "id": "hal:3744307",
    "title": "Automatically Proving Purpose Limitation in Software Architectures",
    "authors": [
      "Kai Bavendiek",
      "Tobias Mueller",
      "Florian Wittner",
      "Thea Schwaneberg",
      "Christian-Alexander Behrendt",
      "Wolfgang Schulz",
      "Hannes Federrath",
      "Sibylle Schupp"
    ],
    "date": "2019-06-25",
    "platform": "hal",
    "sourceUrl": "https://inria.hal.science/hal-03744307v1",
    "pdfUrl": "https://inria.hal.science/hal-03744307/document",
    "doi": "10.1007/978-3-030-22312-0_24",
    "abstract": "The principle of purpose limitation is one of the corner stones in the European General Data Protection Regulation. Automatically verifying whether a software architecture is capable of collecting, storing, or otherwise processing data without a predefined, precise, and valid purpose, and more importantly, whether the software architecture allows for re-purposing the data, greatly helps designers, makers, auditors, and customers of software. In our case study, we model the architecture of an existing medical register that follows a rigid Privacy by Design approach and assess its capability to process data only for the defined purposes. We demonstrate the process by verifying one instance that satisfies purpose limitation and two that are at least critical cases. We detect a violation scenario where data belonging to a purpose-specific consent are passed on for a different and maybe even incompatible purpose.",
    "topics": [
      "gdpr_compliance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:5368761",
    "title": "A quantitative approach to the GDPR’s anonymisation and “appropriate technical and organisational measures” tests",
    "authors": [
      "Nils Holzenberger",
      "Winston Maxwell"
    ],
    "date": "2025-09-09",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-05368761v1",
    "pdfUrl": "https://hal.science/hal-05368761/document",
    "doi": "10.1016/j.clsr.2025.106173",
    "abstract": "This article examines two tests from the European General Data Protection Regulation (GDPR): (1) the test for anonymisation (the “anonymisation test”), and (2) the test for applying “appropriate technical and organisational measures” to protect personal data (the “ATOM test”). Both tests depend on vague legal standards and have given rise to legal disputes and differing interpretations among data protection authorities and courts, including in the context of machine learning. Under the anonymisation test, data are sufficiently anonymised when the risk of identification is “insignificant” taking into account “all means reasonably likely to be used” by an attacker. Under the ATOM test, measures to protect personal data must be “appropriate” with regard to the risks of data loss. Here, we use methods from law and economics to transform these two qualitative tests into quantitative approaches that can be visualized on a graph. For the anonymisation test, we chart different attack efforts and identification probabilities, and propose this as a methodology to help stakeholders discuss what attack efforts are “reasonably likely” to be deployed and their likelihood of success. For the ATOM test, we use the Learned Hand formula from law and economics to chart the incremental costs and benefits of privacy protection measures to identify the point where those measures maximize social welfare. The Hand formula permits the negative effects of privacy protection measures, such as the loss of data utility and negative impacts on model fairness, to be taken into account when defining what level of protection is “appropriate”. We apply our proposed framework to several scenarios, applying the anonymisation test to a Large Language Model, and the ATOM test to a database protected with differential privacy.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "Computer Law & Security Review",
    "language": "en"
  },
  {
    "id": "hal:1635002",
    "title": "The Right to Be Forgotten: Towards Machine Learning on Perturbed Knowledge Bases",
    "authors": [
      "Bernd Malle",
      "Peter Kieseberg",
      "Edgar Weippl",
      "Andreas Holzinger"
    ],
    "date": "2016-08-31",
    "platform": "hal",
    "sourceUrl": "https://inria.hal.science/hal-01635002v1",
    "pdfUrl": "https://inria.hal.science/hal-01635002/document",
    "doi": "10.1007/978-3-319-45507-5_17",
    "abstract": "Today’s increasingly complex information infrastructures represent the basis of any data-driven industries which are rapidly becoming the 21st century’s economic backbone. The sensitivity of those infrastructures to disturbances in their knowledge bases is therefore of crucial interest for companies, organizations, customers and regulating bodies. This holds true with respect to the direct provisioning of such information in crucial applications like clinical settings or the energy industry, but also when considering additional insights, predictions and personalized services that are enabled by the automatic processing of those data. In the light of new EU Data Protection regulations applying from 2018 onwards which give customers the right to have their data deleted on request, information processing bodies will have to react to these changing jurisdictional (and therefore economic) conditions. Their choices include a re-design of their data infrastructure as well as preventive actions like anonymization of databases per default. Therefore, insights into the effects of perturbed/anonymized knowledge bases on the quality of machine learning results are a crucial basis for successfully facing those future challenges. In this paper we introduce a series of experiments we conducted on applying four different classifiers to an established dataset, as well as several distorted versions of it and present our initial results.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:5363237",
    "title": "Deep Learning Models for Automatic De-identification of Clinical Text",
    "authors": [
      "Ravichandra Sriram",
      "Siva Sathya Sundaram",
      "S. Lourdumarie Sophie"
    ],
    "date": "2023-01-04",
    "platform": "hal",
    "sourceUrl": "https://inria.hal.science/hal-05363237v1",
    "pdfUrl": "https://inria.hal.science/hal-05363237/document",
    "doi": "10.1007/978-3-031-39811-7_10",
    "abstract": "In health care, clinical narratives play an essential part in the diagnosis and treatment of patients. In recent times, many organizations have stored these clinical narratives as electronic health records (EHR). The EHR is an organized collection of patient health information in digital format. These EHR’s are an extensive collection of medical information, and they provide novel and rich data for clinical research. EHR also contains the patient’s identities, such as name, address, mobile number, etc. These patient identities must be de-identified before use for clinical research to protect the patient’s privacy. Clinical De-identification intends to detect and eliminate Protected Health Information (PHI) from medical data to facilitate data exchange and publication. This study aims to elucidate how the research community interprets and defines the terms like de-identification and anonymization and the steps involved in the process. A thorough review has been made to provide information on how deep learning approaches are used and how reliable they are.",
    "topics": [
      "data_anonymization",
      "sector_healthcare"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Health & Genomic PII"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:5078717",
    "title": "Capturing the Basics of the GDPR in a Well-Founded Legal Domain Modular Ontology",
    "authors": [
      "Mirna El Ghosh",
      "Habib Abdulrab"
    ],
    "date": "2021-12-23",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-03583782v1",
    "pdfUrl": "https://hal.science/hal-03583782/document",
    "doi": "10.3233/FAIA210378",
    "abstract": "The primary goal of the General Data Protection Regulation (GDPR) is to regulate the rights and duties of citizens and organizations over personal data protection. Implementing the GDPR is recently gaining much importance for legal reasoning and compliance checking purposes. In this work, we aim to capture the basics of GDPR in a well-founded legal domain modular ontology named OPPD (Ontology for the Protection of Personal Data). Ontology-Driven Conceptual Modeling (ODCM), ontology layering, modularization, and reuse processes are applied. These processes aim to support the ontology engineer in overcoming the complexity of the legal knowledge and developing an ontology model faithful to reality. ODCM is used for grounding OPPD in the Unified Foundational Ontology (UFO). Ontology modularization and layering aim to simplify the ontology building process. Ontology reuse focuses on selecting and reusing Conceptual Ontology Patterns (COPs) from UFO and the legal core ontology UFO-L. OPPD intends to overcome the lack of a representation of legal procedures that most ontologies encountered. The potential use of OPPD is proposed to formalize the GDPR rules by combining ontological reasoning and Logic Programming.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "s2:b0f98c37d350c8969f1d9dabf2edb1b41b8f67e3",
    "title": "Privacy-Preserving Collaborative Data Anonymization with Sensitive Quasi-Identifiers",
    "authors": [
      "Kok-Seng Wong",
      "Nguyen Anh Tu",
      "Dinh-Mao Bui",
      "S. Ooi",
      "M. Kim"
    ],
    "date": "2019-11-01",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/b0f98c37d350c8969f1d9dabf2edb1b41b8f67e3",
    "pdfUrl": "http://xplorestaging.ieee.org/ielx7/8951225/8962131/08962140.pdf?arnumber=8962140",
    "doi": "10.1109/CMI48017.2019.8962140",
    "abstract": "Collaborative anonymization deals with a group of respondents in a distributed environment. Unlike in centralized settings, no respondent is willing to reveal his or her records to any party due to the privacy concerns. This creates a challenge for anonymization, and it requires a level of trust among respondents. In this paper, we study a collaborative anonymization protocol that aims to increase the confidence of respondents during data collection. Unlike in existing works, our protocol does not reveal the complete set of quasi-identifier (QID) to the data collector (e.g., agency) before and after the data anonymization process. Because QID can be both sensitive values and identifying values, we allow the respondents to hide sensitive-QID attributes from other parties. Our protocol ensures that the desired protection level (i.e., k-anonymity) can be verified before the respondents submit their records to the agency. Furthermore, we allow honest respondents to indict a malicious agency if it modifies the intermediate results or not following the protocol faithfully.",
    "topics": [
      "data_anonymization",
      "linkability_tracking"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Re-identification"
    ],
    "relevanceScore": 0.637,
    "venue": "IEEE International Conference on Control, Measurement and Instrumentation",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2791956175",
    "title": "GDPR: A new challenge for personal data protection",
    "authors": [
      "Erne Mraznica"
    ],
    "date": "2017",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.5937/bankarstvo1704166m",
    "pdfUrl": "https://scindeks-clanci.ceon.rs/data/pdf/1451-4354/2017/1451-43541704166M.pdf",
    "doi": "https://doi.org/10.5937/bankarstvo1704166m",
    "abstract": "On May, 4th 2016 the General Data Protection Regulation (GDPR) was published in the Official Gazette of the EU, which will be in force from May, 25th 2018. The goal of the Regulation is the harmonization of the personal data protection at the EU level, the larger extent of control for the persons whose data are being processed (data subjects) and the improved management of modern risks in this area. Banks, by the nature of their business, are among the largest processors of personal data and during the process of complying with the GDPR will be in the position to conduct a full assessment of their existing regulatory and infrastructural personal data protection framework. At the same time, this will be an opportunity to correct the potential shortcomings in the existing processes and to significantly raise awareness about the organization of personal data protection standards, especially having in mind the strict sanctions in case of non-compliance.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "Bankarstvo",
    "language": "en"
  },
  {
    "id": "s2:8bfeb6b4cb2f419b67cf4aa6a0951f1e35ff5a7f",
    "title": "Coping with the General Data Protection Regulation; Anonymization through Multi-Party Computation Technology",
    "authors": [
      "W. van Haaften",
      "Alex Sangers",
      "Tom M. van Engers",
      "Somayeh Djafari"
    ],
    "date": "2020",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/8bfeb6b4cb2f419b67cf4aa6a0951f1e35ff5a7f",
    "pdfUrl": "",
    "doi": "10.38023/4d7c39e9-126a-4617-aebf-9bb88e9bc81f",
    "abstract": "Analysing combined data sets can result in significant added value for many organisations, but the GDPR has put strict constraints on processing personal data. Anonymization by using Multi-Party Computation (MPC) however may offer organizations some relief of the perceived burden of GDPR under specific conditions. In this paper, we will explain the mechanisms behind this technology and illustrate its use by a health care case where medical data have to be combined for creating a prediction model, without revealing any sensitive personal data. We will argue why the use of this type of MPC would allow us to anonymize the highly sensitive personal data within the specific boundaries of the case and conclude our paper with some reflection on MPC in the context of the GDPR.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "Jusletter-IT",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2764080676",
    "title": "Tracking Walls, Take-It-Or-Leave-It Choices, the GDPR, and the ePrivacy Regulation",
    "authors": [
      "Frederik Zuiderveen Borgesius",
      "Sanne Kruikemeier",
      "Sophie C. Boerman",
      "Natali Helberger"
    ],
    "date": "2017",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.21552/edpl/2017/3/9",
    "pdfUrl": "https://arxiv.org/pdf/2510.25339",
    "doi": "https://doi.org/10.21552/edpl/2017/3/9",
    "abstract": "On the internet, we encounter take-it-or-leave-it choices regarding our privacy on a daily basis. In Europe, online tracking for targeted advertising generally requires the internet users’ consent to be lawful. Some websites use a tracking wall, a barrier that visitors can only pass if they consent to tracking by third parties. When confronted with such a tracking wall, many people click ‘I agree’ to tracking. A survey that we conducted shows that most people find tracking walls unfair and unacceptable. We analyse under which conditions the ePrivacy Directive and the General Data Protection Regulation allow tracking walls. We provide a list of circumstances to assess when a tracking wall makes consent invalid. We also explore how the EU lawmaker could regulate tracking walls, for instance in the ePrivacy Regulation. It should be seriously considered to ban tracking walls, at least in certain circumstances.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "European Data Protection Law Review",
    "language": "en"
  },
  {
    "id": "s2:829eb336a607d1a5c23db29d9ae3827b97594f66",
    "title": "A False Sense of Privacy: Towards a Reliable Evaluation Methodology for the Anonymization of Biometric Data",
    "authors": [
      "Simon Hanisch",
      "Julian Todt",
      "J. Patino",
      "Nicholas W. D. Evans",
      "Thorsten Strufe"
    ],
    "date": "2023-04-04",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/829eb336a607d1a5c23db29d9ae3827b97594f66",
    "pdfUrl": "https://petsymposium.org/popets/2024/popets-2024-0008.pdf",
    "doi": "10.56553/popets-2024-0008",
    "abstract": "Biometric data contains distinctive human traits such as facial features or gait patterns. The use of biometric data permits an individuation so exact that the data is utilized effectively in identification and authentication systems. But for this same reason, privacy protections become indispensably necessary. Privacy protection is extensively afforded by the technique of anonymization. Anonymization techniques protect sensitive personal data from biometrics by obfuscating or removing information that allows linking records to the generating individuals, to achieve high levels of anonymity. However, our understanding and possibility to develop effective anonymization relies, in equal parts, on the effectiveness of the methods employed to evaluate anonymization performance. In this paper, we assess the state-of-the-art methods used to evaluate the performance of anonymization techniques for facial images and for gait patterns. We demonstrate that the state-of-the-art evaluation methods have serious and frequent shortcomings. In particular, we find that the underlying assumptions of the state-of-the-art are quite unwarranted. State-of-the-art methods generally assume a difficult recognition scenario and thus a weak adversary. However, that assumption causes state-of-the-art evaluations to grossly overestimate the performance of the anonymization. Therefore, we propose a strong adversary which is aware of the anonymization in place. This adversary model implements an appropriate measure of anonymization performance. We improve the selection process for the evaluation dataset, and we reduce the numbers of identities contained in the dataset while ensuring that these identities remain easily distinguishable from one another. Our novel evaluation methodology surpasses the state-of-the-art because we measure worst-case performance and so deliver a highly reliable evaluation of biometric anonymization techniques.",
    "topics": [
      "data_anonymization",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Biometric & Immutable PII"
    ],
    "relevanceScore": 0.637,
    "venue": "Proceedings on Privacy Enhancing Technologies",
    "language": "en"
  },
  {
    "id": "hal:3243793",
    "title": "SGX-IR: Secure Information Retrieval with Trusted Processors",
    "authors": [
      "Fahad Shaon",
      "Murat Kantarcioglu"
    ],
    "date": "2020-06-25",
    "platform": "hal",
    "sourceUrl": "https://inria.hal.science/hal-03243643v1",
    "pdfUrl": "https://inria.hal.science/hal-03243643/document",
    "doi": "10.1007/978-3-030-49669-2_21",
    "abstract": "To preserve the security and the privacy of the data need for cloud applications, encrypting the data before outsourcing has emerged as an important tool. Furthermore, to enable efficient processing over the encrypted data stored in the cloud, utilizing efficient searchable symmetric encryption (SSE) schemes became popular. Usually, SSE schemes require an encrypted index to be built for efficient query processing. If the data owner has limited power, building this encrypted index before data is outsourced to the cloud could become a computational bottleneck. At the same time, secure outsourcing of encrypted index building using techniques such as homomorphic encryption is too costly for large data. Instead, in this work, we use a trusted processor, e.g, Intel Software Guard eXtension (SGX), to build a secure information retrieval system that provides better security guarantee and performance improvements. Unlike other related works, we focus on securely building the encrypted index in the cloud computing environment using the SGX, and show that the encrypted index could be used for executing keyword queries over text documents and face recognition detection in image documents. Finally, we show the effectiveness of our system via extensive empirical evaluation.",
    "topics": [
      "privacy_engineering",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Solutions Market"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "s2:ca61954dc221f0c630a29d01a0e14aa13b932dbf",
    "title": "Guideline for Data Anonymization for Data Privacy in Thailand",
    "authors": [
      "Jiraphat Lapwattanaworakul",
      "Chetneti Srisa-An",
      "Supanit Angsirikul"
    ],
    "date": "2022-11-10",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/ca61954dc221f0c630a29d01a0e14aa13b932dbf",
    "pdfUrl": "http://xplorestaging.ieee.org/ielx7/10067166/10067253/10067859.pdf?arnumber=10067859",
    "doi": "10.1109/InCIT56086.2022.10067859",
    "abstract": "PDPA is the first Data protection law in Thailand. The laws have been effectively enforced since June 2022. A data breach is a serious problem for all firms that hold personal data. The other bigger problem is data privacy. All government agencies have mandates to collect a lot of personal data but have to care about how to publish that information to their users. National statistics agencies are responsible for collecting data from surveys. Hospitals or the healthcare industries need to release microdata of medical records for research and other public benefit purposes. Those organizations are forced by laws to protect data privacy. Data anonymization is a promising technique for data privacy but there is no absolute guideline for a real implementation. A K-anonymity algorithm is implemented for demonstration. There is a trade-off between anonymity and utility. There is no standard or guideline for data anonymization in Thailand; therefore, this research paper is to construct a guideline for data anonymization in Thailand.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "International Conference on Information Technology",
    "language": "en"
  },
  {
    "id": "s2:7ed3ee82ca7830158d20d67fca08b9029ada5682",
    "title": "On the Role of Data Anonymization in Machine Learning Privacy",
    "authors": [
      "Navoda Senavirathne",
      "V. Torra"
    ],
    "date": "2020-12-01",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/7ed3ee82ca7830158d20d67fca08b9029ada5682",
    "pdfUrl": "http://xplorestaging.ieee.org/ielx7/9342897/9342964/09343198.pdf?arnumber=9343198",
    "doi": "10.1109/TrustCom50675.2020.00093",
    "abstract": "Data anonymization irrecoverably transforms the raw data into a protected version by eliminating direct identifiers and removing sufficient details from indirect identifiers in order to minimize the risk of re-identification when there is a requirement for data publishing. Nevertheless, data protection laws (i.e., GDPR) do not consider anonymized data as personal data thus allowing them to be freely used, analysed, shared and monetized without a compliance risk. Motivated by the above advantages, it is plausible that the data controllers anonymize the data before releasing them for any data analysis tasks such as machine learning (ML); which is applied in a wide variety of domains where personal data are used. Moreover, in recent research, it has shown that ML models are vulnerable to privacy attacks as they retain sensitive information from the training data. Taking all of these facts into consideration, in this work we explore the interplay between data anonymization and ML with the ultimate aim of clarifying whether data anonymization is sufficient to achieve privacy for ML under different adversarial scenarios. We also discuss the challenges and opportunities of integrating these two domains. As per our findings, it is conspicuous that in order to substantially minimize the privacy risks in ML, existing data anonymization techniques have to be applied with high privacy levels that cause a deterioration in model utility.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "International Conference on Trust, Security and Privacy in Computing and Communications",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2780316586",
    "title": "AI-supported decision-making under the general data protection regulation",
    "authors": [
      "Maja Brkan"
    ],
    "date": "2017",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1145/3086512.3086513",
    "pdfUrl": "https://dl.acm.org/doi/10.1145/3086512.3086513",
    "doi": "https://doi.org/10.1145/3086512.3086513",
    "abstract": "The purpose of this paper is to analyse the rules of the General Data Protection Regulation on automated decision making in the age of Big Data and to explore how to ensure transparency of such decisions, in particular those taken with the help of algorithms. The GDPR, in its Article 22, prohibits automated individual decision-making, including profiling. On the first impression, it seems that this provision strongly protects individuals and potentially even hampers the future development of AI in decision making. However, it can be argued that this prohibition, containing numerous limitations and exceptions, looks like a Swiss cheese with giant holes in it. Moreover, in case of automated decisions involving personal data of the data subject, the GDPR obliges the controller to provide the data subject with 'meaningful information about the logic involved' (Articles 13 and 14). If we link this information to the rights of data subject, we can see that the information about the logic involved needs to enable him/her to express his/her point of view and to contest the automated decision. While this requirement fits well within the broader framework of GDPR's quest for a high level of transparency, it also raises several queries particularly in cases where the decision is taken with the help of algorithms: What exactly needs to be revealed to the data subject? How can an algorithm-based decision be explained? Apart from technical obstacles, we are facing also intellectual property and state secrecy obstacles to this 'algorithmic transparency'.",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.637,
    "venue": "Proceedings of the 16th edition of the International Conference on Articial Intelligence and Law",
    "language": "en"
  },
  {
    "id": "s2:68ab6f09bf5a1e934a294f2fed19d088f91a5764",
    "title": "Analysis of Data Anonymization Techniques",
    "authors": [
      "Joana Ferreira Marques",
      "Jorge Bernardino"
    ],
    "date": "2020",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/68ab6f09bf5a1e934a294f2fed19d088f91a5764",
    "pdfUrl": "https://doi.org/10.5220/0010142302350241",
    "doi": "10.5220/0010142302350241",
    "abstract": ": The privacy of personal data is a very important issue these days. How to process the data and use it for analysis without compromising the individual’s identity is a critical task and must be done in order to ensure the anonymity of this data. To try to unanimously unify this anonymity, laws and regulations such as GDPR were created. In this paper, GDPR will be described and the concepts of anonymization and pseudonymization will be explained. We present some of the main anonymization techniques and efficient software to support the application of these techniques. The main objective is to understand which techniques offer a higher level of anonymization, the strengths and weakness of each one and the advantages in its use.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "International Conference on Knowledge Engineering and Ontology Development",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2947015797",
    "title": "Addressing the Failure of Anonymization",
    "authors": [
      "Elizabeth Brasher"
    ],
    "date": "2019",
    "platform": "OpenAlex",
    "sourceUrl": "https://journals.library.columbia.edu/index.php/CBLR/article/view/1217",
    "pdfUrl": "https://journals.library.columbia.edu/index.php/CBLR/article/view/1217",
    "doi": "https://doi.org/10.7916/cblr.v2018i1.1217",
    "abstract": "It is common practice for companies to “anonymize” the consumer data that they collect. In fact, U.S. data protection laws and Federal Trade Commission guidelines encourage the practice of anonymization by exempting anonymized data from the privacy and data security requirements they impose. Anonymization involves removing personally identifiable information (“PII”) from a dataset so that, in theory, the data cannot be traced back to its data subjects. In practice, however, anonymization fails to irrevocably protect consumer privacy due to the potential for deanonymization—the linking of anonymized data to auxiliary information to re-identify data subjects. Because U.S. data protection laws provide safe harbors for anonymized data, re-identified data subjects receive no statutory privacy protections at all—a fact that is particularly troublesome given consumers’ dependence on technology and today’s climate of ubiquitous data collection. By adopting an all-or-nothing approach to anonymization, the United States has created no means of incentivizing the practice of anonymization while still providing data subjects statutory protections. This Note argues that the United States should look to the risk-based approach taken by the European Union under the General Data Protection Regulation. Their data protection laws utilize multiple tiers of anonymization, which vary in their potential for deanonymization. Under this approach, pseudonymized data—i.e., certain data that has had PII removed but can still be linked to auxiliary information to re-identify data subjects—falls within the scope of the governing law, but receives relaxed requirements designed to incentivize pseudonymization and thereby reduce the risk of data subject identification. This approach both strikes a balance between data privacy and data utility, and affords data subjects the benefit of anonymity in addition to statutory protections ranging from choice to transparency.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "Columbia Business Law Review",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2910338073",
    "title": "Do algorithms rule the world? Algorithmic decision-making and data protection in the framework of the GDPR and beyond",
    "authors": [
      "Maja Brkan"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1093/ijlit/eay017",
    "pdfUrl": "https://cris.maastrichtuniversity.nl/en/publications/4a2e7cb5-7cc5-4c9d-b4d9-fa3b6fa644fa",
    "doi": "https://doi.org/10.1093/ijlit/eay017",
    "abstract": "The purpose of this article is to analyse the rules of the General Data Protection Regulation (GDPR) and the Directive on Data Protection in Criminal Matters on automated decision-making and to explore how to ensure transparency of such decisions, in particular those taken with the help of algorithms. Both legal acts impose limitations on automated individual decision-making, including profiling. While these limitations of automated decisions might come across as a forceful fortress strongly protecting individuals and potentially even hampering the future development of Artificial Intelligence in decision-making, the relevant provisions nevertheless contain numerous exceptions allowing for such decisions. While the Directive on Data Protection in Criminal Matters worryingly does not seem to give the data subject the possibility to familiarize herself with the reasons for such a decision, the GDPR obliges the controller to provide the data subject with ‘meaningful information about the logic involved’ (Articles 13(2)(f), 14(2)(g) and 15(1)(h)), thus raising the much-debated question whether the data subject should be granted a ‘right to explanation’ of the automated decision. This article seeks to go beyond the semantic question of whether this right should be designated as the ‘right to explanation’ and argues that the GDPR obliges the controller to inform the data subject of the reasons why an automated decision was taken. While such a right would in principle fit well within the broader framework of the GDPR’s quest for a high level of transparency, it also raises several queries: What exactly needs to be revealed to the data subject? How can an algorithm-based decision be explained? The article aims to explore these questions and to identify challenges for further research regarding explainability of automated decisions.",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.637,
    "venue": "International Journal of Law and Information Technology",
    "language": "en"
  },
  {
    "id": "openaire:10477",
    "title": "Privacy Enhanced Cloud-Based Facial Recognition",
    "authors": [
      "Tao Yang",
      "Yuhang Zhang",
      "Jie Sun",
      "Xun Wang"
    ],
    "date": "2021-03-13",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1007/s11063-021-10477-y",
    "pdfUrl": "",
    "doi": "10.1007/s11063-021-10477-y",
    "abstract": "Homomorphic encryption is a significant method to protect user privacy in cloud computing environment. Due to the computation efficiency issue, there is still not many homomorphic encryption applications for common users. In this paper,we try to use homomorphic encryption to enhance the privacy in cloud-based face recognition system. By balancing the workload between client and server,and reimplementing the similarity measurement function, our homomorphic encryption version’s performance is almost the same as the original version in terms of accuracy and time consumption. Our work is especially beneficial to many face recognition methods that are using Euclidian distance as their similarity metric.",
    "topics": [
      "biometric_surveillance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Solutions Market"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1145/2684200.2684296",
    "title": "Effectiveness of Fully Homomorphic Encryption to Preserve the Privacy of Biometric Data",
    "authors": [
      "Wilson Abel Alberto Torres",
      "Nandita Bhattacharjee",
      "Bala Srinivasan"
    ],
    "date": "2014-12-04",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1145/2684200.2684296",
    "pdfUrl": "",
    "doi": "10.1145/2684200.2684296",
    "abstract": "Biometrics offers higher accuracy for personal recognition as well as provides greater security than traditional methods because of its properties. However, ironically, these properties are also weaknesses because biometric data is permanently linked with an individual and cannot be revoked or cancelled, especially when biometric data is compromised, which can lead to a serious privacy issue. By reviewing current approaches, fully homomorphic encryption (FHE) is considered as a promising solution for this privacy issue because of its ability to perform computations in the encrypted domain. We studied the effectiveness of FHE when it is used in biometric systems. The main contributions of this paper are the implementation of a privacy-preserving iris biometric authentication protocol adapted to lattice-based FHE and a sound security analysis of authentication and privacy. This work is concluded with some factors to be addressed to enhance privacy as well as some considerations to improve the performance of this implementation.",
    "topics": [
      "privacy_engineering",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Solutions Market"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:6987",
    "title": "Ensuring privacy in face recognition: a survey on data generation, inference and storage",
    "authors": [
      "Zhifang Sun",
      "Zhe Liu"
    ],
    "date": "2025-05-02",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1007/s42452-025-06987-2",
    "pdfUrl": "",
    "doi": "10.1007/s42452-025-06987-2",
    "abstract": "Abstract As facial recognition technology plays an increasingly pivotal role in biometric authentication, its potential threats to individual privacy have raised significant societal concerns. This paper provides a survey of privacy-preserving techniques across the three critical stages of facial recognition: data generation, model inference, and data storage. We explore challenges and methodologies for safeguarding privacy within facial recognition systems, given growing concerns over biometric data misuse. In particular, we highlight the shift from traditional datasets to synthetic counterparts, leveraging generative models like GANs and diffusion models to create diverse and realistic facial imagery without compromising privacy. At the model inference stage, we discuss privacy-preserving approaches, including transformation-based methods and cryptographic techniques such as homomorphic encryption. Finally, we examine the vulnerabilities of face templates and the cryptographic protections against inversion attacks. Our survey underscores the importance of balancing recognition accuracy with privacy preservation and calls for concerted research and policy efforts to advance privacy-centric face recognition technologies that respect individual rights while maintaining operational efficacy.",
    "topics": [
      "biometric_surveillance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Solutions Market"
    ],
    "relevanceScore": 0.637,
    "venue": "Discover Applied Sciences",
    "language": "en"
  },
  {
    "id": "openaire:10.1109/sped.2019.8906553",
    "title": "GDPR compliance in Video Surveillance and Video Processing Application",
    "authors": [
      "Eduard Barnoviciu",
      "Veta Ghenescu",
      "Serban-Vasile Carata",
      "Marian Ghenescu",
      "Roxana Mihaescu",
      "Mihai Chindea"
    ],
    "date": "2019-10-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1109/sped.2019.8906553",
    "pdfUrl": "",
    "doi": "10.1109/sped.2019.8906553",
    "abstract": "In this paper we will present what is the General Data Protection Regulation (GDPR) and its impact on businesses that use and market video surveillance systems. We will detail the regulations and guidelines of both GDPR and the European Data Protection Supervisor (EDPS) regarding the recording and processing of personal and sensitive data and why it is classified as high-risk. We will consider the impact of these laws and regulations on the the field that we are operating in, namely machine learning applied for video analytics. To do that, we will briefly present two of our applications that are affected by those changes: Facial Recognition and Identification and Person Detection and how to adapt them to be GDPR-compliant. Finally we will also present a lightweight piece of software that can be easily applied to existing software with minimal computational overhead.",
    "topics": [
      "gdpr_compliance",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "International Conference on Speech Technology and Human-Computer Dialogue",
    "language": "en"
  },
  {
    "id": "openaire:0927-3379(20190601)44:3;1-9",
    "title": "Satellite Imagery, Very High-Resolution and Processing-Intensive Image Analysis: Potential Risks Under the GDPR",
    "authors": [
      "Cristiana Santos",
      "Lucien Rapp"
    ],
    "date": "2019-06-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.54648/aila2019018",
    "pdfUrl": "",
    "doi": "10.54648/aila2019018",
    "abstract": "<jats:p><jats:italic>Brendan  main trends are currently developing in the satellite imagery industry: the increasing availability of very high spatial and temporal resolution satellite imagery, and the outsourcing of processing-intensive image analysis. Alongside the foreseeable improvements of facial recognition technology and other image recognition software, such synergies carry the potential for identification of individuals, and thus for privacy, data protection and ethical risks. The intent of this article is to discuss the possibility of identification of individuals through high resolution images under the broad definition provided by the general data protection regulation, and to explain the risks therein. We further suggest risk-mitigation approaches for incoming space data policies.</jats:italic></jats:p>",
    "topics": [
      "gdpr_compliance",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "Air & Space Law",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3124443940",
    "title": "Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation",
    "authors": [
      "Sandra Wachter",
      "Brent Mittelstadt",
      "Luciano Floridi"
    ],
    "date": "2017",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1093/idpl/ipx005",
    "pdfUrl": "https://academic.oup.com/idpl/article-pdf/7/2/76/17932196/ipx005.pdf",
    "doi": "https://doi.org/10.1093/idpl/ipx005",
    "abstract": "Since approval of the EU General Data Protection Regulation (GDPR) in 2016, it has been widely and repeatedly claimed that the GDPR will legally mandate a ‘right to explanation’ of all decisions made by automated or artificially intelligent algorithmic systems. This right to explanation is viewed as an ideal mechanism to enhance the accountability and transparency of automated decision-making. However, there are several reasons to doubt both the legal existence and the feasibility of such a right. In contrast to the right to explanation of specific automated decisions claimed elsewhere, the GDPR only mandates that data subjects receive meaningful, but properly limited, information (Articles 13-15) about the logic involved, as well as the significance and the envisaged consequences of automated decision-making systems, what we term a ‘right to be informed’. Further, the ambiguity and limited scope of the ‘right not to be subject to automated decision-making’ contained in Article 22 (from which the alleged ‘right to explanation’ stems) raises questions over the protection actually afforded to data subjects. These problems show that the GDPR lacks precise language as well as explicit and well-defined rights and safeguards against automated decision-making, and therefore runs the risk of being toothless. We propose a number of legislative and policy steps that, if taken, may improve the transparency and accountability of automated decision-making when the GDPR comes into force in 2018.",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.637,
    "venue": "International Data Privacy Law",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2895782836",
    "title": "The Grace Period Has Ended: An Approach to Operationalize GDPR Requirements",
    "authors": [
      "Vanessa Ayala-Rivera",
      "Liliana Pasquale"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1109/re.2018.00023",
    "pdfUrl": "http://hdl.handle.net/10197/10526",
    "doi": "https://doi.org/10.1109/re.2018.00023",
    "abstract": "The General Data Protection Regulation (GDPR) aims to protect personal data of EU residents and can impose severe sanctions for non-compliance. Organizations are currently implementing various measures to ensure their software systems fulfill GDPR obligations such as identifying a legal basis for data processing or enforcing data anonymization. However, as regulations are formulated vaguely, it is difficult for practitioners to extract and operationalize legal requirements from the GDPR. This paper aims to help organizations understand the data protection obligations imposed by the GDPR and identify measures to ensure compliance. To achieve this goal, we propose GuideMe, a 6-step systematic approach that supports elicitation of solution requirements that link GDPR data protection obligations with the privacy controls that fulfill these obligations and that should be implemented in an organization's software system. We illustrate and evaluate our approach using an example of a university information system. Our results demonstrate that the solution requirements elicited using our approach are aligned with the recommendations of privacy experts and are expressed correctly.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3040026531",
    "title": "Personal data protection and academia: GDPR issues and multi-modal data-collections \"in the wild\"",
    "authors": [
      "Ingo Siegert",
      "Vered Silber‐Varod",
      "Nehoray Carmi",
      "Paweł Kamocki"
    ],
    "date": "2020",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.36965/ojakm.2020.8(1)16-31",
    "pdfUrl": "http://www.iiakm.org/ojakm/articles/2020/volume8_1/OJAKM_Volume8_1pp16-31.pdf",
    "doi": "https://doi.org/10.36965/ojakm.2020.8(1)16-31",
    "abstract": "The European Union (EU) General Data Protection Regulations (GDPR) has a direct impact on research activities, as it raises the awareness of personal rights not only among the scientists but also among the data-subjects scientists process information from. This paper presents the dilemma related to the privacy of audio and video data, compliance with the EU GDPR, and techniques to anonymize and pseudonymize such data. We further discuss issues of “in the wild” personal data collection by focusing on multi-modal collections, mainly of audio, video via these channels. Throughout this paper we define relevant core issues and highlight two challenges of “in the wild” data collection: Internet crawling and public data collecting. In the last section, some exemplary use cases are demonstrating the raised issues, illuminating how GDPR affects the collection of publicly available data; how privacy concerns influence participant behavior, and which de-anonymization levels can be reached with what kind of data. The key point we present is that the identity of the participants is revealed in the voice or video signal, while the latter is at the same time the object of the research. One implication is that the research community has to actively disconnect the data from the personal information on the participants. Hence the importance of a process of anonymity or omission of data for research activity. This entail the development of an infrastructure for data access control to enable data sharing among researchers",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "Online Journal of Applied Knowledge Management",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4391742685",
    "title": "Ensuring Electronic Health Record (EHR) Privacy using Zero Knowledge Proofs (ZKP) and Secure Encryption Schemes on Blockchain",
    "authors": [
      "Ranaweera T.A.V.Y",
      "Hewage H.N.H",
      "Hapuhinna H.K.D.W.M.C.B.",
      "Preethilal K.L.K.T",
      "Amila Senarathne",
      "Laneesha Ruggahakotuwa"
    ],
    "date": "2023",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1109/icac60630.2023.10417417",
    "pdfUrl": "",
    "doi": "https://doi.org/10.1109/icac60630.2023.10417417",
    "abstract": "In the haste of EHR digitization, the protection of patient data becomes paramount, casting a spotlight on small healthcare clinics grappling with the threats of an ever more interconnected healthcare sector. That is due to the existing centralized system and traditional password-based authentications which cause a single point of failure. Besides this patient consent for EHR sharing is narrowed to a one-time consent. To overcome these problems, this study suggests a robust solution that makes data sharing utilizing blockchain while achieving privacy using web-based Zero Knowledge Proofs (ZKP) authentication and Homomorphic Encryption (HE). The research also considers securely outsourcing EHRs to research organizations to improve data exchange for research purposes. Along with patient-controlled encryption, consent control, and time-limited data access, it also explores dynamic consent management while complying with healthcare standards. Lastly, this study stream-lines secure data sharing with insurance providers while ensuring patient privacy and defending against insurance fraud.",
    "topics": [
      "privacy_engineering",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4385650719",
    "title": "Artificial Intelligence Ethics and Challenges in Healthcare Applications: A Comprehensive Review in the Context of the European GDPR Mandate",
    "authors": [
      "Mohammad Amini",
      "Marcia Jesus",
      "Davood Fanaei Sheikholeslami",
      "Paulo Alves",
      "Aliakbar Hassanzadeh Benam",
      "Fatemeh Hariri"
    ],
    "date": "2023",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.3390/make5030053",
    "pdfUrl": "https://www.mdpi.com/2504-4990/5/3/53/pdf?version=1691412599",
    "doi": "https://doi.org/10.3390/make5030053",
    "abstract": "This study examines the ethical issues surrounding the use of Artificial Intelligence (AI) in healthcare, specifically nursing, under the European General Data Protection Regulation (GDPR). The analysis delves into how GDPR applies to healthcare AI projects, encompassing data collection and decision-making stages, to reveal the ethical implications at each step. A comprehensive review of the literature categorizes research investigations into three main categories: Ethical Considerations in AI; Practical Challenges and Solutions in AI Integration; and Legal and Policy Implications in AI. The analysis uncovers a significant research deficit in this field, with a particular focus on data owner rights and AI ethics within GDPR compliance. To address this gap, the study proposes new case studies that emphasize the importance of comprehending data owner rights and establishing ethical norms for AI use in medical applications, especially in nursing. This review makes a valuable contribution to the AI ethics debate and assists nursing and healthcare professionals in developing ethical AI practices. The insights provided help stakeholders navigate the intricate terrain of data protection, ethical considerations, and regulatory compliance in AI-driven healthcare. Lastly, the study introduces a case study of a real AI health-tech project named SENSOMATT, spotlighting GDPR and privacy issues.",
    "topics": [
      "gdpr_compliance",
      "ai_governance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "Machine Learning and Knowledge Extraction",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2953501993",
    "title": "Technological Sovereignty: Protecting Citizens’ Digital Rights in the AI-driven and post-GDPR Algorithmic and City-Regional European Realm",
    "authors": [
      "Igor Calzada"
    ],
    "date": "2019",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1080/13673882.2018.00001038",
    "pdfUrl": "https://regions.regionalstudies.org/ezine/article/technological-sovereignty-protecting-citizens-digital-rights-in-the-ai-driven-and-post-gdpr-algorithmic-and-city-regional-european-realm/?print=pdf",
    "doi": "https://doi.org/10.1080/13673882.2018.00001038",
    "abstract": "Igor Calzada discusses how the algorithmic, AI (Artificial Intelligence)-driven, and post-GDPR (General Data Protection Regulation) European realm affects citizenship. Drawing on evidence from previous publications, and particularly stemming from his case study of Barcelona, he builds upon a rationale through which citizens, at least in European cities and regions-unlike in the U.S. and China-are increasingly being considered decision-makers rather than mere passive data providers. He elucidates that Europe is now likely to speak with its own voice by taking the lead of the technological humanism approach, and for the first time globally by opening up an avant-garde, strategic AI overarching vision, wherein cities could federate themselves within a networked regional ecosystem and claim technological sovereignty in order to protect digital rights of their fellow citizens.",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.637,
    "venue": "Regions Magazine",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2799370108",
    "title": "The European General Data Protection Regulation: An instrument for the globalization of privacy standards?",
    "authors": [
      "Colin J. Bennett"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.3233/ip-180002",
    "pdfUrl": "https://content.iospress.com:443/download/information-polity/ip180002?id=information-polity%2Fip180002",
    "doi": "https://doi.org/10.3233/ip-180002",
    "abstract": "The recent revelations about Cambridge Analytica and the breach that allowed the harvesting of the personal information of some 87 million Facebook users (at latest count) has pushed privacy protection to the front pages, and focussed attention on \"surveillance capitalism\" (Zuboff, 2017) and on the capture of personal data as the central resource for the \"platform economy\". As Facebook reels from the scandal, and rushes to rebuild consumer confidence, it has also pledged to apply the standards contained in the European Union's General Data Protection Regulation (GDPR) to its global operations, if not all of them and if not immediately At no time in the past 40 years, has the protection of privacy been so prominently, globally and intensively debated. How did it get to this point?",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.637,
    "venue": "Information Polity",
    "language": "en"
  },
  {
    "id": "s2:3ecb693a86b4b191c5928ba1af5595d5200c6280",
    "title": "De-Identification of Electronic Medical Records Using Large Language Models: A Case Study",
    "authors": [
      "D. Vallejo-Sanchez",
      "A. F. Giraldo-Forero",
      "A. Orozco-Duque"
    ],
    "date": "2025-08-27",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/3ecb693a86b4b191c5928ba1af5595d5200c6280",
    "pdfUrl": "",
    "doi": "10.1109/STSIVA66383.2025.11156825",
    "abstract": "De-identification of electronic health records (EHRs) is essential to safeguard patient privacy, particularly when such data are utilized for large-scale population studies. In this study, we assess the performance of locally deployed large language models (LLMs) both general-purpose and domain-specific in de-identifying maternal EHRs. To evaluate general-purpose LLMs, we employ a combination of prompt engineering techniques and post-processing strategies aimed at improving the accuracy and robustness of the anonymization process. These models are then compared against a domain-specific LLM fine-tuned for de-identification tasks. Our results show that general-purpose LLMs exhibit significant limitations in performing named entity recognition (NER), underscoring the advantages of task-specific tuning for sensitive medical applications.",
    "topics": [
      "data_anonymization",
      "pii_entity_types"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.637,
    "venue": "2025 XXV Symposium of Image, Signal Processing, and Artificial Vision (STSIVA)",
    "language": "en"
  },
  {
    "id": "s2:5e8e283f5f3c2a49d5983d4b54582ee45e1c4e54",
    "title": "Implementation of the ECOWAS Supplementary Act on Personal Data Protection: Lessons from the EU GDPR",
    "authors": [
      "Dennis Agelebe"
    ],
    "date": "2020-12-01",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/5e8e283f5f3c2a49d5983d4b54582ee45e1c4e54",
    "pdfUrl": "",
    "doi": "10.69554/bmxq5769",
    "abstract": "The process of accessing information about any individual is fast becoming beyond the control of private individuals as long as internet technology continues to penetrate more areas of our routine lives. The question has always been how far private individuals can regulate how their private information is accessed, processed and for what purpose. The European Union (EU) has made the General Data Protection Regulation (GDPR) for the purpose of filling the regulatory gap in protecting the right to data privacy of Europeans under the Data Protection Directive (1995). For the EU as a supranational organisation, the regulatory system is designed to be protective of the privacy right of every citizen within and outside the EU because it has the institutional capacity to sanction business entities that breach the GDPR. The Economic Community of West African States (ECOWAS) has adopted the Supplementary Act on Personal Data Protection. Although the ECOWAS has the outlook of a supranational community, it lacks the institutional structure that should make its laws enforceable across the member states. With its present structure, however, the ECOWAS Act is still a model instrument for data protection in the African region and can be improved upon. This paper examines the ECOWAS Act and studies the structure and implementation of the GDPR to understand why the act may not effectively be enforced across the member states without the reform of the ECOWAS.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "Journal of Data Protection &amp; Privacy",
    "language": "en"
  },
  {
    "id": "s2:b1345574fe4e3b2d8e5e7f572f7feba5e646a5a2",
    "title": "Efficiency Optimization Techniques in Privacy-Preserving Federated Learning With Homomorphic Encryption: A Brief Survey",
    "authors": [
      "Qipeng Xie",
      "Siyang Jiang",
      "Linshan Jiang",
      "Yongzhi Huang",
      "Zhihe Zhao",
      "Salabat Khan",
      "Wangchen Dai",
      "Zhe Liu",
      "Kaishun Wu"
    ],
    "date": "2024-07-15",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/b1345574fe4e3b2d8e5e7f572f7feba5e646a5a2",
    "pdfUrl": "",
    "doi": "10.1109/JIOT.2024.3382875",
    "abstract": "Federated learning (FL) offers distributed machine learning on edge devices. However, the FL model raises privacy concerns. Various techniques, such as homomorphic encryption (HE), differential privacy, and multiparty cooperation, are used to address the privacy issues of the FL model. Among them, HE ensures greater security and privacy since end-to-end encryption maintains data privacy throughout the computation process. Compared with other privacy-preserving techniques, HE does not require the establishment of a trusted environment or protocol among multiple parties and does not involve any artificial noise that can impair system performance. Unfortunately, it suffers from efficiency overhead when applied to privacy-preserving FL (PPFL). Some existing surveys on PPFL discuss the generic construction and organization of PPFL from the perspective of practical HE deployment in PPFL. However, none of them covers the efficiency optimization of HE when applied to PPFL. This article conducts a comprehensive review of the efficiency optimization of HE when applied to PPFL. First, we review general optimization strategies and discuss their limitations when applied directly to HE-based PPFL. Second, an overview of algorithmic, hardware, and hybrid optimizations is provided, along with a discussion of their adaptation. Additionally, we provide a detailed taxonomy of optimizations. Finally, we suggest future HE-based PPFL research directions.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.637,
    "venue": "IEEE Internet of Things Journal",
    "language": "en"
  },
  {
    "id": "s2:4b0ac18e8fdbc8544141c0704cb46a1d18195d5d",
    "title": "FheFL: Fully Homomorphic Encryption Friendly Privacy-Preserving Federated Learning with Byzantine Users",
    "authors": [
      "Y. Rahulamathavan",
      "Charuka Herath",
      "Xiaolan Liu",
      "S. Lambotharan",
      "C. Maple"
    ],
    "date": "2023-06-08",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/4b0ac18e8fdbc8544141c0704cb46a1d18195d5d",
    "pdfUrl": "http://arxiv.org/pdf/2306.05112",
    "doi": "10.48550/arXiv.2306.05112",
    "abstract": "The federated learning (FL) technique was developed to mitigate data privacy issues in the traditional machine learning paradigm. While FL ensures that a user's data always remain with the user, the gradients are shared with the centralized server to build the global model. This results in privacy leakage, where the server can infer private information from the shared gradients. To mitigate this flaw, the next-generation FL architectures proposed encryption and anonymization techniques to protect the model updates from the server. However, this approach creates other challenges, such as malicious users sharing false gradients. Since the gradients are encrypted, the server is unable to identify rogue users. To mitigate both attacks, this paper proposes a novel FL algorithm based on a fully homomorphic encryption (FHE) scheme. We develop a distributed multi-key additive homomorphic encryption scheme that supports model aggregation in FL. We also develop a novel aggregation scheme within the encrypted domain, utilizing users' non-poisoning rates, to effectively address data poisoning attacks while ensuring privacy is preserved by the proposed encryption scheme. Rigorous security, privacy, convergence, and experimental analyses have been provided to show that FheFL is novel, secure, and private, and achieves comparable accuracy at reasonable computational cost.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.637,
    "venue": "arXiv.org",
    "language": "en"
  },
  {
    "id": "s2:f96d67aeea87c5eaf18104cce8e245b7f473771b",
    "title": "Data Privacy and System Security for Banking on Clouds using Homomorphic Encryption",
    "authors": [
      "Sonam Mittal",
      "P. Jindal",
      "K. Ramkumar"
    ],
    "date": "2021-05-21",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/f96d67aeea87c5eaf18104cce8e245b7f473771b",
    "pdfUrl": "",
    "doi": "10.1109/INCET51464.2021.9456345",
    "abstract": "In recent times, the use of cloud computing has gained popularity all over the world in the context of performing smart computations on big data. The privacy of sensitive data of the client is of utmost important issues. Data leakage or hijackers may theft significant information about the client that ultimately may affect the reputation and prestige of its owner (bank) and client (customers). In general, to save the privacy of our banking data it is preferred to store, process, and transmit the data in the form of encrypted text. But now the main concern leads to secure computation over encrypted text or another possible way to perform computation over clouds makes data more vulnerable to hacking and attacks. Existing classical encryption techniques such as RSA, AES, and others provide secure transaction procedures for data over clouds but these are not fit for secure computation over data in the clouds. In 2009, Gentry comes with a solution for such issues and presents his idea as Homomorphic encryption (HE) that can perform computation over encrypted text without decrypting the data itself. Now a day’s privacy-enhancing techniques (PET) are there to explore more potential benefits in security issues and useful in historical cases of privacy failure. Differential privacy, Federated analysis, homomorphic encryption, zero-knowledge proof, and secure multiparty computation are a privacy-enhancing technique that may useful in financial services as these techniques provide a fully-fledged mechanism for financial institutes. With the collaboration of industries, these techniques are may enable new data-sharing agreements for a more secure solution over data. In this paper, the primary concern is to investigate the different standards and properties of homomorphic encryption in digital banking and financial institutions.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.637,
    "venue": "2021 2nd International Conference for Emerging Technology (INCET)",
    "language": "en"
  },
  {
    "id": "s2:7ccc416bf89412098aeae1f38281bda0264a8a6e",
    "title": "Blockchain-Based Anonymization Methods with Smart Contract for Data Expiry: Toward GDPR-Compliant Lifecycle Management",
    "authors": [
      "A. Pavliv"
    ],
    "date": "2025-11-28",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/7ccc416bf89412098aeae1f38281bda0264a8a6e",
    "pdfUrl": "",
    "doi": "10.23939/acps2025.02.173",
    "abstract": "This paper introduces a privacy-preserving framework for blockchain systems using the Smart Contract for Data Expiry (SCDE). SCDE governs data registration, retention, and erasure through on-chain policies and off- chain encrypted storage. It combines AES-256 encryption, a Key Management System (KMS) for cryptographic erasure, and Zero-Knowledge Proofs (ZKPs) for verifiable deletion without revealing data. Decentralized Identifiers (DIDs) enable pseudonymization and user accountability.\nComparative results show that traditional and off-chain approaches lack automated, verifiable erasure. SCDE achieves full GDPR compliance with moderate overhead, demonstrating that privacy, transparency, and immutability can coexist in decentralized environments",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "Advances in Cyber-Physical Systems",
    "language": "en"
  },
  {
    "id": "s2:3549e1a4b72aa1ae7d59366b1af367af2217616f",
    "title": "Intelligent De-Identification of Medical Discharge Summaries Using Hybrid NLP Techniques",
    "authors": [
      "Ahmad Mortadi",
      "Waleed Nazih",
      "Mohamed I. Eldesouki",
      "Yasser Hifny"
    ],
    "date": "2025-03-16",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/3549e1a4b72aa1ae7d59366b1af367af2217616f",
    "pdfUrl": "",
    "doi": "10.1145/3724118",
    "abstract": "Medical discharge summaries are vital documents in healthcare, often containing Personally Identifiable Information (PII), raising concerns regarding privacy and regulatory compliance. This article proposes a cutting-edge approach that utilizes intelligent data de-identification to address this challenge. This article employs Natural Language Processing (NLP) techniques such as Named Entity Recognition (NER), a hybrid approach that integrates Machine Learning (ML) models, Regular Expressions (REGEX)-based recognizers, and extensive lists of names and addresses. The proposed method focuses on achieving a delicate balance between extracting valuable insights from data and safeguarding sensitive information. The evaluation against benchmarks demonstrates significant improvements in de-identification performance, particularly in discharge summaries. We present findings from our system’s evaluation of synthesized discharge summaries, the OntoNotes dataset, and the CoNLL-2003 dataset, demonstrating its effectiveness in anonymizing diverse medical text sources.",
    "topics": [
      "data_anonymization",
      "pii_entity_types"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.637,
    "venue": "ACM Trans. Asian Low Resour. Lang. Inf. Process.",
    "language": "en"
  },
  {
    "id": "s2:5b7948fac096fe9ff7be4e2d6c334f109cb907aa",
    "title": "Flexible data anonymization using ARX—Current status and challenges ahead",
    "authors": [
      "Fabian Prasser",
      "J. Eicher",
      "Helmut Spengler",
      "Raffael Bild",
      "K. Kuhn"
    ],
    "date": "2020-02-25",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/5b7948fac096fe9ff7be4e2d6c334f109cb907aa",
    "pdfUrl": "https://onlinelibrary.wiley.com/doi/pdfdirect/10.1002/spe.2812",
    "doi": "10.1002/spe.2812",
    "abstract": "The race for innovation has turned into a race for data. Rapid developments of new technologies, especially in the field of artificial intelligence, are accompanied by new ways of accessing, integrating, and analyzing sensitive personal data. Examples include financial transactions, social network activities, location traces, and medical records. As a consequence, adequate and careful privacy management has become a significant challenge. New data protection regulations, for example in the EU and China, are direct responses to these developments. Data anonymization is an important building block of data protection concepts, as it allows to reduce privacy risks by altering data. The development of anonymization tools involves significant challenges, however. For instance, the effectiveness of different anonymization techniques depends on context, and thus tools need to support a large set of methods to ensure that the usefulness of data is not overly affected by risk‐reducing transformations. In spite of these requirements, existing solutions typically only support a small set of methods. In this work, we describe how we have extended an open source data anonymization tool to support almost arbitrary combinations of a wide range of techniques in a scalable manner. We then review the spectrum of methods supported and discuss their compatibility within the novel framework. The results of an extensive experimental comparison show that our approach outperforms related solutions in terms of scalability and output data quality—while supporting a much broader range of techniques. Finally, we discuss practical experiences with ARX and present remaining issues and challenges ahead.",
    "topics": [
      "data_anonymization",
      "enterprise_privacy_ops"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.637,
    "venue": "Software, Practice & Experience",
    "language": "en"
  },
  {
    "id": "s2:11df82d2a2ef96d645bab20a3872f849758596b4",
    "title": "A Lightweight SVM-Based Facial Recognition Framework for Secure Online Examination Monitoring",
    "authors": [
      "Vulavala Swarnalatha",
      "Mohebbanaaz",
      "K. M. Babu"
    ],
    "date": "2025-10-29",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/11df82d2a2ef96d645bab20a3872f849758596b4",
    "pdfUrl": "",
    "doi": "10.1109/ICE2CPT66440.2025.11340529",
    "abstract": "This article introduces a real-time face recognition system used to improve security in taking online exams that utilize the support vector Machines (SVM). It has integrated 3 stages detection, feature extraction, verification, which are all running on a lightweight SVM classifier which was trained on a set of salient facial parts. Assessment indicates good performance, where a training accuracy of 86.25% and a validation accuracy of 84% are obtained. Its accuracy, recall, and F1-scores are very high, which confirms its reliability, especially when it is implemented in remote environments where there are resource constraints on devices. The typical challenges, such as changes in lighting, spoofing efforts and latency problems, are discussed, with viable countermeasures. Along with ethical discussions and data privacy aspects, such as compliance with GDPR, there is a discussion as well. Overall, the suggested system is a time- and cost-effective, simple solution to deep learning models, which consume resources, and is, therefore, suitable to educational establishments having middle-range facilities",
    "topics": [
      "biometric_surveillance",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "2025 International Conference on Electrical, Electronics, and Computer Science with Advance Power Technologies - A Future Trends (ICE2CPT)",
    "language": "en"
  },
  {
    "id": "s2:87ada0383f4b0140c18334a6d662819ed34558b9",
    "title": "Smarter., Faster, Better: Evaluating a Next-Gen Face Recognition System Attendance Tracking System using AI",
    "authors": [
      "Mohana Cm",
      "Vishnu Priya Arivanantham",
      "G. Ananthakrishnan"
    ],
    "date": "2025-04-23",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/87ada0383f4b0140c18334a6d662819ed34558b9",
    "pdfUrl": "",
    "doi": "10.1109/ICICT64420.2025.11004747",
    "abstract": "Management systems operate in various industries. This paper presents the development and implementation of a facial recognition system specifically designed for real-time attendance monitoring. By integrating widely used libraries such as OpenCV and Dlib with machine learning techniques, this system aims to address the inefficiencies found in traditional attendance systems, providing a faster, more reliable, and secure alternative. The challenges faced in the deployment of such systems, including varying lighting conditions, face angles, and privacy concerns, are explored. The system prioritizes accuracy in real-time settings and scalability for large datasets while complying with stringent data privacy laws such as GDPR. Our findings demonstrate that with optimization, the system can achieve over 95%.",
    "topics": [
      "biometric_surveillance",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "International Congress on Information and Communication Technology",
    "language": "en"
  },
  {
    "id": "s2:aaf3a400b239ec806c58a0554478055c4e39e468",
    "title": "Effects and Projections of the Brazilian General Data Protection Law (LGPD) Application and the Role of the DPO",
    "authors": [
      "Claudio Roberto Pessoa",
      "Bruna Cardoso Nunes",
      "Camila Barboza De Oliveira",
      "Marco Elísio Marques"
    ],
    "date": "2021",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/aaf3a400b239ec806c58a0554478055c4e39e468",
    "pdfUrl": "",
    "doi": "10.4018/978-1-7998-4201-9.CH011",
    "abstract": "The world scenario is changing when we talk about personal data protection. Not that long ago, it was common to find companies that sell databases, and other companies that work with the information contained into these databases, aimed to create profiles and generate solutions, using technologies such as big data and artificial intelligence, among others, looking to be attractive and get more customers. In order to protect the privacy of citizens across the world, laws have been created and/or expanded to reinforce this protection. In Brazil, specifically, the Lei de Proteção de Dados Pessoais – LGPD [General Data Protection Law] was created. This research aims to analyze this law, as well as other laws that orbit around it. The goal is to know the impact of law enforcement on business routine and, as a specific objective, what the role of DPO (Data Protection Officer) in organizations will be.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "s2:97242a3f702695e01bbe6a96d9218927598e5026",
    "title": "DIRI: Adversarial Patient Reidentification with Large Language Models for Evaluating Clinical Text Anonymization",
    "authors": [
      "John X. Morris",
      "Thomas R. Campion",
      "Sri Laasya Nutheti",
      "Yifan Peng",
      "A. Raj",
      "Ramin Zabih",
      "Curtis L. Cole"
    ],
    "date": "2024-10-22",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/97242a3f702695e01bbe6a96d9218927598e5026",
    "pdfUrl": "",
    "doi": "10.48550/arXiv.2410.17035",
    "abstract": "Sharing protected health information (PHI) is critical for furthering biomedical research. Before data can be distributed, practitioners often perform deidentification to remove any PHI contained in the text. Contemporary deidentification methods are evaluated on highly saturated datasets (tools achieve near-perfect accuracy) which may not reflect the full variability or complexity of real-world clinical text and annotating them is resource intensive, which is a barrier to real-world applications. To address this gap, we developed an adversarial approach using a large language model (LLM) to re-identify the patient corresponding to a redacted clinical note and evaluated the performance with a novel De-Identification/Re-Identification (DIRI) method. Our method uses a large language model to reidentify the patient corresponding to a redacted clinical note. We demonstrate our method on medical data from Weill Cornell Medicine anonymized with three deidentification tools: rule-based Philter and two deep-learning-based models, BiLSTM-CRF and ClinicalBERT. Although ClinicalBERT was the most effective, masking all identified PII, our tool still reidentified 9% of clinical notes Our study highlights significant weaknesses in current deidentification technologies while providing a tool for iterative development and improvement.",
    "topics": [
      "data_anonymization",
      "sector_healthcare"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Health & Genomic PII"
    ],
    "relevanceScore": 0.637,
    "venue": "AMIA Joint Summits on Translational Science proceedings. AMIA Joint Summits on Translational Science",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3135655103",
    "title": "La Sentencia del Tribunal de Justicia de la Unión Europea en el asunto Schrems II o cómo los datos personales pueden terminar viajando sin equipaje",
    "authors": [
      "Susana Ruiz Tarrías"
    ],
    "date": "2021",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.37417/rede/num76_2020_532",
    "pdfUrl": "http://www.revistasmarcialpons.es/revistaespanoladerechoeuropeo/article/download/532/542",
    "doi": "https://doi.org/10.37417/rede/num76_2020_532",
    "abstract": "El grado de interconexión de las sociedades actuales conlleva la necesidad de realizar transferencias internacionales de datos personales que, en todo caso, deben garantizar la protección de los derechos a la vida privada y a la protección de datos personales de los ciudadanos europeos (arts. 7 y 8 CDFUE). La Unión Europea ha articulado desde 1999 dos marcos normativos para las transferencias de datos personales UE-EE.UU, el sistema de Puerto Seguro (Safe Harbor) y el Escudo de Privacidad (Privacy Shield). En ambos casos, el Tribunal de Justicia de la Unión Europea ha declarado la invalidez de la decisión de adecuación que proporcionaba soporte jurídico en el ordenamiento de la Unión a las transferencias de datos personales a uno y otro lado del Atlántico. Sin embargo, tras la aplicación efectiva del RGPD en todos los Estados miembros, la Sentencia del Tribunal de Justicia de 16 de julio 2020 en el asunto Schrems II, parece extender en abstracto el nivel de garantía sustancialmente equivalente con el proporcionado por el ordenamiento de la Unión Europea, tanto a las transferencias internacionales basadas en decisiones de adecuación como a aquellas fundadas en cláusulas contractuales tipo. Una equiparación de las garantías a las que se une la prohibición de otorgar primacía con carácter general a las exigencias de seguridad pública, defensa o seguridad del Estado por las autoridades públicas del tercer país respecto de los datos de los ciudadanos europeos que son objeto de transferencia internacional. Sin embargo, tras la aplicación efectiva del RGPD en todos los Estados miembros, la Sentencia del Tribunal de Justicia de 16 de julio 2020, en el asunto Schrems II, ha extendido el nivel de garantía sustancialmente equivalente con el ordenamiento de la Unión Europea, tanto a las transferencias internacionales basadas en “decisiones de adecuación” como a aquellas fundadas en “cláusulas tipo”. 
Una equiparación de las garantías a las que se une la prohibición de otorgar “primacía” con carácter “general”, a las exigencias de seguridad pública, defensa o seguridad del Estado por las autoridades públicas del tercer país que supongan una injerencia ilegítima en los derechos fundamentales de los ciudadanos europeos cuyos datos son objeto de transferencia internacional.",
    "topics": [
      "jurisdiction_regulatory",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "Revista Española de Derecho Europeo",
    "language": "es"
  },
  {
    "id": "https://openalex.org/W4410167439",
    "title": "Deep Generative Models for Survival Analysis and Synthetic Data Generation in Healthcare",
    "authors": [
      "Patricia A. Apellániz",
      "Patricia Alonso de Apellániz"
    ],
    "date": "2025",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.20868/upm.thesis.88681",
    "pdfUrl": "https://doi.org/10.20868/upm.thesis.88681",
    "doi": "https://doi.org/10.20868/upm.thesis.88681",
    "abstract": "Healthcare systems worldwide face persistent inequities, with disparities in access, representation, and quality disproportionately affecting marginalized populations. Addressing these challenges requires innovative solutions to overcome data scarcity, enhance collaboration, and improve predictive modeling in medical research. This doctoral thesis advances generative AI methodologies, focusing on tabular data--an essential yet underexplored type of healthcare information. Tabular data encompass patient demographics, clinical histories, and treatment outcomes, making them crucial for equitable healthcare delivery. The research leverages Variational Autoencoders (VAEs) as a foundational framework due to their ability to model complex, high-dimensional relationships and handle missing information. This thesis contributes across three interconnected domains: Survival Analysis (SA), Synthetic Data Generation (SDG), and Federated Learning (FL), demonstrating how these approaches collectively address key gaps in healthcare research. In SA, VAE-based models such as SAVAE and CR-SAVAE address traditional limitations, including proportional hazard assumptions and censored data. These models improve time-to-event predictions and incorporate competing risks, enabling more precise analyses of patient outcomes and enhancing personalized care. In SDG, this thesis integrates VAEs with Bayesian Gaussian Mixtures, transfer learning, and meta-learning to generate high-quality synthetic tabular data. These methods tackle challenges such as mixed data types, small sample sizes, and class imbalances. Validation frameworks combining statistical and task-specific metrics ensure the reliability of synthetic data, empowering resource-limited institutions to contribute to medical research while preserving privacy. In FL, the Federated Synthetic Data Sharing (FedSDS) framework enables privacy-preserving collaboration across decentralized institutions. 
By generating synthetic data locally with VAE-based models, FedSDS mitigates data heterogeneity and imbalances, ensuring robust model training in IID and non-IID settings. This approach bridges the gap between data-rich and data-scarce institutions while safeguarding patient confidentiality. The contributions across SA, SDG, and FL are deeply interconnected, forming a cohesive framework to tackle systemic challenges in healthcare. By integrating these methodologies, the thesis demonstrates improved predictive accuracy, scalability, and equity in AI-driven healthcare applications. The research outcomes highlight the potential of generative AI to drive equity and innovation in medical research and practice. Looking ahead, this thesis outlines key directions for future work, including integrating frailty models into SA to capture unobserved patient heterogeneity, extending methodologies to multi-modal datasets like imaging and genomics, and enhancing privacy in SDG through differential privacy or homomorphic encryption. It also highlights the importance of adaptive FL strategies and public repositories for high-quality synthetic datasets to drive equitable healthcare solutions globally. This thesis lays a robust foundation for leveraging generative AI to reduce healthcare inequities by addressing key challenges in data scarcity, heterogeneity, and collaboration. Its contributions pave the way for meaningful applications, fostering inclusive, scalable, and globally accessible healthcare systems. RESUMEN La atención sanitaria enfrenta desafíos globales, especialmente en contextos con recursos limitados, donde las herramientas médicas y tecnológicas no siempre cubren las necesidades. Estas dificultades afectan de manera desproporcionada a poblaciones vulnerables, con datos que reflejan sesgos o carecen de representación adecuada. Superar estas barreras requiere soluciones innovadoras que aborden la escasez, heterogeneidad y necesidad de colaboración entre instituciones. 
Esta tesis desarrolla metodologías avanzadas de Inteligencia Artificial (AI) generativa, enfocándose en datos tabulares, esenciales en salud por su información sobre demografía, historiales médicos y tratamientos. Se emplean Autoencoders Variacionales (VAEs) por su capacidad para modelar relaciones complejas en datos de alta dimensionalidad y manejar información faltante. La tesis aporta avances en Análisis de Supervivencia (SA), Generación de Datos Sintéticos (SDG) y Aprendizaje Federado (FL), demostrando cómo estas metodologías abordan desafíos clave en la investigación en salud. En SA, modelos basados en VAE como SAVAE y CR-SAVAE superan limitaciones tradicionales, mejorando la predicción del tiempo hasta el evento e incorporando riesgos en competencia para análisis más precisos y atención personalizada. En SDG, esta tesis combina VAEs con Mezclas Gaussianas Bayesianas, aprendizaje por transferencia y meta-learning para generar datos sintéticos de alta calidad, abordando la heterogeneidad de datos, el tamaño reducido de muestras y el desequilibrio de clases. Marcos de validación que integran métricas estadísticas y específicas de la tarea garantizan la fiabilidad de los datos sintéticos, permitiendo que instituciones con recursos limitados contribuyan a la investigación sin comprometer la privacidad. En FL, Federated Synthetic Data Sharing (FedSDS) facilita la colaboración descentralizada preservando la privacidad. Al generar datos sintéticos localmente con modelos VAE, FedSDS mitiga la heterogeneidad y los desequilibrios en los datos, garantizando un entrenamiento robusto en entornos IID y no-IID. Esta estrategia reduce la brecha entre instituciones con diferentes niveles de acceso a datos, promoviendo una colaboración equitativa sin comprometer la confidencialidad de los pacientes. Las contribuciones en SA, SDG y FL están interconectadas, formando un marco integral para abordar desafíos en salud. 
Al integrar estas metodologías, se mejora la precisión predictiva, la escalabilidad y la equidad en aplicaciones de AI para la atención médica, demostrando el potencial transformador de la AI generativa en la innovación y equidad en salud. Esta tesis identifica varias líneas futuras de investigación, como la integración de modelos de fragilidad en SA para capturar heterogeneidad no observada y la extensión de las metodologías a datos multimodales, como imágenes médicas. También plantea el avance en garantías formales de privacidad en SDG mediante privacidad diferencial o cifrado homomórfico. Además, destaca la importancia de estrategias adaptativas en FL y la creación de repositorios públicos de datos sintéticos de alta calidad, impulsando soluciones sanitarias más equitativas a nivel global. Al abordar la escasez de datos, la heterogeneidad y la necesidad de colaboración, esta tesis sienta las bases para aplicar la AI generativa en la reducción de desigualdades en salud, abriendo nuevas posibilidades para desarrollar aplicaciones transformadoras y fomentando una atención sanitaria más inclusiva, escalable y accesible.",
    "topics": [
      "data_anonymization",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4386767494",
    "title": "The impact of GDPR on the access to archives and the creation of finding aids",
    "authors": [
      "Stefano Allegrezza"
    ],
    "date": "2023",
    "platform": "OpenAlex",
    "sourceUrl": "http://dx.doi.org/10.36253/jlis.it-554",
    "pdfUrl": "http://dx.doi.org/10.36253/jlis.it-554",
    "doi": "https://doi.org/10.36253/jlis.it-554",
    "abstract": "The General Data Protection Regulation (GDPR) and the Personal Data Protection Code, which has been updated to comply with the principles of the Regulation, have produced significant consequences with regard to the access to archives and the creation of finding aids, which must be subject to certain rules in order to comply with the principles laid down and avoid sanctions. Without claiming to be exhaustive, given the complexity and vastness of the topic, the proposed contribution aims to provide an overview of the situation on this issue, which is still in many ways little known, by offering some thoughts on the key principles of the GDPR and their application to the archival context of access and description.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "JLIS it",
    "language": "en"
  },
  {
    "id": "gdprhub:82",
    "title": "Article 70 GDPR",
    "authors": [],
    "date": "2023-10-11",
    "platform": "gdprhub",
    "sourceUrl": "https://gdprhub.eu/index.php?title=Article_70_GDPR",
    "pdfUrl": "",
    "doi": "",
    "abstract": "framework for personal data protection, referenced by Docksey, in Kuner et al., The EU General Data Protection Regulation (GDPR) Update of Selected Articles",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:2105.04381",
    "title": "Did I delete my cookies? Cookies respawning with browser fingerprinting",
    "authors": [
      "Imane Fouad",
      "Cristiana Santos",
      "Arnaud Legout",
      "Nataliia Bielova"
    ],
    "date": "2021-05-07",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2105.04381v1",
    "pdfUrl": "https://arxiv.org/pdf/2105.04381v1",
    "doi": "",
    "abstract": "Stateful and stateless web tracking gathered much attention in the last decade, however they were always measured separately. To the best of our knowledge, our study is the first to detect and measure cookie respawning with browser and machine fingerprinting. We develop a detection methodology that allows us to detect cookies dependency on browser and machine features. Our results show that 1,150 out of the top 30,000 Alexa websites deploy this tracking mechanism. We further uncover how domains collaborate to respawn cookies through fingerprinting. We find out that this technique can be used to track users across websites even when third-party cookies are deprecated. Together with a legal scholar, we conclude that cookie respawning with browser fingerprinting lacks legal interpretation under the GDPR and the ePrivacy directive, but its use in practice may breach them, thus subjecting it to fines up to 20 million euro.",
    "topics": [
      "linkability_tracking",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Re-identification"
    ],
    "relevanceScore": 0.637,
    "venue": "arXiv.org",
    "language": "en"
  },
  {
    "id": "arxiv:2405.04528",
    "title": "Implementing ISO/IEC TS 27560:2023 Consent Records and Receipts for GDPR and DGA",
    "authors": [
      "Harshvardhan J. Pandit",
      "Jan Lindquist",
      "Georg P. Krog"
    ],
    "date": "2024-05-01",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2405.04528v1",
    "pdfUrl": "https://arxiv.org/pdf/2405.04528v1",
    "doi": "",
    "abstract": "The ISO/IEC TS 27560:2023 Privacy technologies - Consent record information structure provides guidance for the creation and maintenance of records regarding consent as machine-readable information. It also provides guidance on the use of this information to exchange such records between entities in the form of 'receipts'. In this article, we compare requirements regarding consent between ISO/IEC TS 27560:2023, ISO/IEC 29184:2020 Privacy Notices, and the EU's General Data Protection Regulation (GDPR) to show how these standards can be used to support GDPR compliance. We then use the Data Privacy Vocabulary (DPV) to implement ISO/IEC TS 27560:2023 and create interoperable consent records and receipts. We also discuss how this work benefits the implementation of EU Data Governance Act (DGA), specifically for machine-readable consent forms.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:2511.06064",
    "title": "A Privacy-Preserving Federated Learning Method with Homomorphic Encryption in Omics Data",
    "authors": [
      "Yusaku Negoya",
      "Feifei Cui",
      "Zilong Zhang",
      "Miao Pan",
      "Tomoaki Ohtsuki",
      "Aohan Li"
    ],
    "date": "2025-11-08",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2511.06064v1",
    "pdfUrl": "https://arxiv.org/pdf/2511.06064v1",
    "doi": "",
    "abstract": "Omics data is widely employed in medical research to identify disease mechanisms and contains highly sensitive personal information. Federated Learning (FL) with Differential Privacy (DP) can ensure the protection of omics data privacy against malicious user attacks. However, FL with the DP method faces an inherent trade-off: stronger privacy protection degrades predictive accuracy due to injected noise. On the other hand, Homomorphic Encryption (HE) allows computations on encrypted data and enables aggregation of encrypted gradients without DP-induced noise can increase the predictive accuracy. However, it may increase the computation cost. To improve the predictive accuracy while considering the computational ability of heterogeneous clients, we propose a Privacy-Preserving Machine Learning (PPML)-Hybrid method by introducing HE. In the proposed PPML-Hybrid method, clients distributed select either HE or DP based on their computational resources, so that HE clients contribute noise-free updates while DP clients reduce computational overhead. Meanwhile, clients with high computational resources can flexibly adopt HE or DP according to their privacy needs. Performance evaluation on omics datasets show that our proposed method achieves comparable predictive accuracy while significantly reducing computation time relative to HE-only. Additionally, it outperforms DP-only methods under equivalent or stricter privacy budgets.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:2403.14428",
    "title": "Enabling Privacy-preserving Model Evaluation in Federated Learning via Fully Homomorphic Encryption",
    "authors": [
      "Cem Ata Baykara",
      "Ali Burak Ünal",
      "Mete Akgün"
    ],
    "date": "2024-03-21",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2403.14428v2",
    "pdfUrl": "https://arxiv.org/pdf/2403.14428v2",
    "doi": "",
    "abstract": "Federated learning has become increasingly widespread due to its ability to train models collaboratively without centralizing sensitive data. While most research on FL emphasizes privacy-preserving techniques during training, the evaluation phase also presents significant privacy risks that have not been adequately addressed in the literature. In particular, the state-of-the-art solution for computing the area under the curve (AUC) in FL systems employs differential privacy, which not only fails to protect against a malicious aggregator but also suffers from severe performance degradation on smaller datasets. To overcome these limitations, we propose a novel evaluation method that leverages fully homomorphic encryption. To the best of our knowledge, this is the first work to apply FHE to privacy-preserving model evaluation in federated learning while providing verifiable security guarantees. In our approach, clients encrypt their true-positive and false-positive counts based on predefined thresholds and submit them to an aggregator, which then performs homomorphic operations to compute the global AUC without ever seeing intermediate or final results in plaintext. We offer two variants of our protocol: one secure against a semi-honest aggregator and one that additionally detects and prevents manipulations by a malicious aggregator. Besides providing verifiable security guarantees, our solution achieves superior accuracy across datasets of any size and distribution, eliminating the performance issues faced by the existing state-of-the-art method on small datasets and its runtime is negligibly small and independent of the test-set size. Experimental results confirm that our method can compute the AUC among 100 parties in under two seconds with near-perfect (99.93%) accuracy while preserving complete data privacy.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:2412.12649",
    "title": "ClustEm4Ano: Clustering Text Embeddings of Nominal Textual Attributes for Microdata Anonymization",
    "authors": [
      "Robert Aufschläger",
      "Sebastian Wilhelm",
      "Michael Heigl",
      "Martin Schramm"
    ],
    "date": "2024-12-17",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2412.12649v1",
    "pdfUrl": "https://arxiv.org/pdf/2412.12649v1",
    "doi": "",
    "abstract": "This work introduces ClustEm4Ano, an anonymization pipeline that can be used for generalization and suppression-based anonymization of nominal textual tabular data. It automatically generates value generalization hierarchies (VGHs) that, in turn, can be used to generalize attributes in quasi-identifiers. The pipeline leverages embeddings to generate semantically close value generalizations through iterative clustering. We applied KMeans and Hierarchical Agglomerative Clustering on $13$ different predefined text embeddings (both open and closed-source (via APIs)). Our approach is experimentally tested on a well-known benchmark dataset for anonymization: The UCI Machine Learning Repository's Adult dataset. ClustEm4Ano supports anonymization procedures by offering more possibilities compared to using arbitrarily chosen VGHs. Experiments demonstrate that these VGHs can outperform manually constructed ones in terms of downstream efficacy (especially for small $k$-anonymity ($2 \\leq k \\leq 30$)) and therefore can foster the quality of anonymized datasets. Our implementation is made public.",
    "topics": [
      "data_anonymization",
      "linkability_tracking"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Re-identification"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:1906.05000",
    "title": "Adversarial Learning of Privacy-Preserving Text Representations for De-Identification of Medical Records",
    "authors": [
      "Max Friedrich",
      "Arne Köhn",
      "Gregor Wiedemann",
      "Chris Biemann"
    ],
    "date": "2019-06-12",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/1906.05000v1",
    "pdfUrl": "https://arxiv.org/pdf/1906.05000v1",
    "doi": "",
    "abstract": "De-identification is the task of detecting protected health information (PHI) in medical text. It is a critical step in sanitizing electronic health records (EHRs) to be shared for research. Automatic de-identification classifiers can significantly speed up the sanitization process. However, obtaining a large and diverse dataset to train such a classifier that works well across many types of medical text poses a challenge as privacy laws prohibit the sharing of raw medical records. We introduce a method to create privacy-preserving shareable representations of medical text (i.e. they contain no PHI) that does not require expensive manual pseudonymization. These representations can be shared between organizations to create unified datasets for training de-identification models. Our representation allows training a simple LSTM-CRF de-identification model to an F1 score of 97.4%, which is comparable to a strong baseline that exposes private information in its representation. A robust, widely available de-identification classifier based on our representation could potentially enable studies for which de-identification would otherwise be too costly.",
    "topics": [
      "data_anonymization",
      "sector_healthcare"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Health & Genomic PII"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:1211.3836",
    "title": "An experimental evaluation of de-identification tools for electronic health records",
    "authors": [
      "Jie Qian",
      "Nafees Qamar"
    ],
    "date": "2012-11-16",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/1211.3836v1",
    "pdfUrl": "https://arxiv.org/pdf/1211.3836v1",
    "doi": "",
    "abstract": "The robust development of Electronic Health Records (EHRs) causes a significant growth in sharing EHRs for clinical research. However, such a sharing makes it difficult to protect patient's privacy. A number of automated de-identification tools have been developed to reduce the re-identification risk of published data, while preserving its statistical meaning. In this paper, we focus on the experimental evaluation of existing automated de-identification tools, as applied to our EHR database, to assess which tool performs better with each quasi-identifiers defined in our paper. Performance of each tool is analyzed wrt. two aspects: individual disclosure risk and information loss. Through this experiment, the generalization method has better performance on reducing risk and lower degree of information loss than suppression, which validates it as more appropriate de-identification technique for EHR databases.",
    "topics": [
      "data_anonymization",
      "linkability_tracking"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Re-identification"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:2303.11032",
    "title": "DeID-GPT: Zero-shot Medical Text De-Identification by GPT-4",
    "authors": [
      "Zhengliang Liu",
      "Yue Huang",
      "Xiaowei Yu",
      "Lu Zhang",
      "Zihao Wu",
      "Chao Cao",
      "Haixing Dai",
      "Lin Zhao",
      "Yiwei Li",
      "Peng Shu",
      "Fang Zeng",
      "Lichao Sun",
      "Wei Liu",
      "Dinggang Shen",
      "Quanzheng Li",
      "Tianming Liu",
      "Dajiang Zhu",
      "Xiang Li"
    ],
    "date": "2023-03-20",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2303.11032v3",
    "pdfUrl": "https://arxiv.org/pdf/2303.11032v3",
    "doi": "",
    "abstract": "The digitization of healthcare has facilitated the sharing and re-using of medical data but has also raised concerns about confidentiality and privacy. HIPAA (Health Insurance Portability and Accountability Act) mandates removing re-identifying information before the dissemination of medical records. Thus, effective and efficient solutions for de-identifying medical data, especially those in free-text forms, are highly needed. While various computer-assisted de-identification methods, including both rule-based and learning-based, have been developed and used in prior practice, such solutions still lack generalizability or need to be fine-tuned according to different scenarios, significantly imposing restrictions in wider use. The advancement of large language models (LLM), such as ChatGPT and GPT-4, have shown great potential in processing text data in the medical domain with zero-shot in-context learning, especially in the task of privacy protection, as these models can identify confidential information by their powerful named entity recognition (NER) capability. In this work, we developed a novel GPT4-enabled de-identification framework (``DeID-GPT\") to automatically identify and remove the identifying information. Compared to existing commonly used medical text data de-identification methods, our developed DeID-GPT showed the highest accuracy and remarkable reliability in masking private information from the unstructured medical text while preserving the original structure and meaning of the text. This study is one of the earliest to utilize ChatGPT and GPT-4 for medical text data processing and de-identification, which provides insights for further research and solution development on the use of LLMs such as ChatGPT/GPT-4 in healthcare. Codes and benchmarking data information are available at https://github.com/yhydhx/ChatGPT-API.",
    "topics": [
      "data_anonymization",
      "pii_entity_types"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:2204.07056",
    "title": "A Comparative Evaluation Of Transformer Models For De-Identification Of Clinical Text Data",
    "authors": [
      "Christopher Meaney",
      "Wali Hakimpour",
      "Sumeet Kalia",
      "Rahim Moineddin"
    ],
    "date": "2022-03-25",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2204.07056v1",
    "pdfUrl": "https://arxiv.org/pdf/2204.07056v1",
    "doi": "",
    "abstract": "Objective: To comparatively evaluate several transformer model architectures at identifying protected health information (PHI) in the i2b2/UTHealth 2014 clinical text de-identification challenge corpus. Methods: The i2b2/UTHealth 2014 corpus contains N=1304 clinical notes obtained from N=296 patients. Using a transfer learning framework, we fine-tune several transformer model architectures on the corpus, including: BERT-base, BERT-large, ROBERTA-base, ROBERTA-large, ALBERT-base and ALBERT-xxlarge. During fine-tuning we vary the following model hyper-parameters: batch size, number training epochs, learning rate and weight decay. We fine tune models on a training data set, we evaluate and select optimally performing models on an independent validation dataset, and lastly assess generalization performance on a held-out test dataset. We assess model performance in terms of accuracy, precision (positive predictive value), recall (sensitivity) and F1 score (harmonic mean of precision and recall). We are interested in overall model performance (PHI identified vs. PHI not identified), as well as PHI-specific model performance. Results: We observe that the ROBERTA-large models perform best at identifying PHI in the i2b2/UTHealth 2014 corpus, achieving >99% overall accuracy and 96.7% recall/precision on the heldout test corpus. Performance was good across many PHI classes; however, accuracy/precision/recall decreased for identification of the following entity classes: professions, organizations, ages, and certain locations. Conclusions: Transformers are a promising model class/architecture for clinical text de-identification. With minimal hyper-parameter tuning transformers afford researchers/clinicians the opportunity to obtain (near) state-of-the-art performance.",
    "topics": [
      "data_anonymization",
      "sector_healthcare"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Health & Genomic PII"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:2502.07516",
    "title": "The Devil is in the Prompts: De-Identification Traces Enhance Memorization Risks in Synthetic Chest X-Ray Generation",
    "authors": [
      "Raman Dutt"
    ],
    "date": "2025-02-11",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2502.07516v2",
    "pdfUrl": "https://arxiv.org/pdf/2502.07516v2",
    "doi": "",
    "abstract": "Generative models, particularly text-to-image (T2I) diffusion models, play a crucial role in medical image analysis. However, these models are prone to training data memorization, posing significant risks to patient privacy. Synthetic chest X-ray generation is one of the most common applications in medical image analysis with the MIMIC-CXR dataset serving as the primary data repository for this task. This study presents the first systematic attempt to identify prompts and text tokens in MIMIC-CXR that contribute the most to training data memorization. Our analysis reveals two unexpected findings: (1) prompts containing traces of de-identification procedures (markers introduced to hide Protected Health Information) are the most memorized, and (2) among all tokens, de-identification markers contribute the most towards memorization. This highlights a broader issue with the standard anonymization practices and T2I synthesis with MIMIC-CXR. To exacerbate, existing inference-time memorization mitigation strategies are ineffective and fail to sufficiently reduce the model's reliance on memorized text tokens. On this front, we propose actionable strategies for different stakeholders to enhance privacy and improve the reliability of generative models in medical imaging. Finally, our results provide a foundation for future work on developing and benchmarking memorization mitigation techniques for synthetic chest X-ray generation using the MIMIC-CXR dataset. The anonymized code is available at https://anonymous.4open.science/r/diffusion_memorization-8011/",
    "topics": [
      "data_anonymization",
      "sector_healthcare"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Health & Genomic PII"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:2007.01030",
    "title": "NLNDE: The Neither-Language-Nor-Domain-Experts' Way of Spanish Medical Document De-Identification",
    "authors": [
      "Lukas Lange",
      "Heike Adel",
      "Jannik Strötgen"
    ],
    "date": "2020-07-02",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2007.01030v1",
    "pdfUrl": "https://arxiv.org/pdf/2007.01030v1",
    "doi": "",
    "abstract": "Natural language processing has huge potential in the medical domain which recently led to a lot of research in this field. However, a prerequisite of secure processing of medical documents, e.g., patient notes and clinical trials, is the proper de-identification of privacy-sensitive information. In this paper, we describe our NLNDE system, with which we participated in the MEDDOCAN competition, the medical document anonymization task of IberLEF 2019. We address the task of detecting and classifying protected health information from Spanish data as a sequence-labeling problem and investigate different embedding methods for our neural network. Despite dealing in a non-standard language and domain setting, the NLNDE system achieves promising results in the competition.",
    "topics": [
      "data_anonymization",
      "sector_healthcare"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Health & Genomic PII"
    ],
    "relevanceScore": 0.637,
    "venue": "IberLEF@SEPLN",
    "language": "en"
  },
  {
    "id": "openaire:31769634",
    "title": "[Rigid interpretation of the GDPR hampers privacy protection: a closer look at GDPR].",
    "authors": [
      "Jaap A, van der Wel"
    ],
    "date": "2020-05-20",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=31769634",
    "pdfUrl": "",
    "doi": "",
    "abstract": "With the introduction of the General Data Protection Regulation (GDPR), privacy legislation appears to be interpreted in an increasingly rigid manner in Dutch healthcare. This is unnecessary and may even be detrimental if it leads to caregivers taking the privacy regulations less seriously. Using a number of examples, I will show that in practice the GDPR has more to offer to healthcare professionals than they might think. The GDPR even provides healthcare institutions with the opportunity to request assistance from suppliers of information systems. In the light of recent checks and disciplinary measures implemented by the Dutch Data Protection Authority, additional focus on this opportunity could be the impulse required to bring privacy protection more closely in line with developments in information technology.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "Nederlands tijdschrift voor geneeskunde",
    "language": "en"
  },
  {
    "id": "openaire:oai:unige.ch:unige:158897",
    "title": "Be Aware of the Data Breach Notification",
    "authors": [
      "Hirsch, Célian"
    ],
    "date": "2021-01-01",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=oai:unige.ch:unige:158897",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Article 33 par. 1 GDPR provides that \"in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.\" This legal duty to notify almost every personal data breach raises several issues and questions. I will focus on the main one: when does the 72-hour notice requirement start? The text says that the time period starts when the controller becomes \"aware\" of the data breach. According to the WP29, the controller is \"aware\" when he \"has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised.\" In its decision against Marriott, the Information Commissioner's Office had a different view and held that the controller becomes \"aware\" when he is \"able reasonably to conclude that it is likely a personal data breach has occurred.\" Furthermore, in its decision against Twitter, the Irish Data Protection Commission held that the time period starts when Twitter should have known that a data breach occurred, and not when it effectively became aware of it. The starting point of the 72-hour notice requirement has a very practical importance. For example, the Dutch Data Protection Authority recently imposed a fine of €475,000 on Booking.com for reporting a data breach 22 days too late. The main issue, in this case, was when Booking did become aware of the breach. My presentation will focus on what it means to become \"aware\" of a personal data breach, by analysing several examples and discussing the main issues therein. I will also discuss from a practical perspective how a controller may meet the burden of proof that it has timely satisfied the 72-hour notice requirement.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|od______3570::f7ef37c924599e388b00144d4ef7bd9f",
    "title": "Data Breach and Its Consequences in Aspect of Kvkk and Gdpr",
    "authors": [
      "Yıldız, Ayşenur",
      "Kapancı, Kadir Berk"
    ],
    "date": "2025-02-05",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=50|od______3570::f7ef37c924599e388b00144d4ef7bd9f",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Personal data protection law is an important topic that is constantly on the agenda as the use of technology has become an inseparable part of daily life. This has led to the introduction of regulations regarding the personal data to be processed: The Personal Data Protection Law No. 6698 entered into force on 24.03.2016. On 25.05.2018, the General Data Protection Regulation entered into force to be implemented within the borders of the European Union. In this study, the obligation to ensure data security, which is one of the main obligations of the data controller pursuant to the Personal Data Protection Regulation and the General Data Protection Regulation, will be examined and the obligation to notify the relevant Data Protection Board and the relevant persons in case of data security breach will be emphasized. The study consists of three parts. In the first part, the basic concepts of personal data protection law are examined in a limited manner in terms of their relevance to the subject of the thesis. In the second part, the concept of data security and the obligation of the data controller to ensure data security are examined in the light of the Personal Data Protection Law, all other relevant legislation and GDPR. In the third part, the concept of data security breach is examined, the obligation of notification as a result of data security is emphasized and a comparative evaluation is made. Keywords: Personal Data Protection Law, General Data Protection Regulation (GDPR), data security, data security breach, notification to the Personal Data Protection Board in case of data security breach, notification to data subjects. Numeric Code of the Field: 54001",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:oai:DiVA.org:su-162706",
    "title": "Learner Corpus Anonymization in the Age of GDPR : Insights from the Creation of a Learner Corpus of Swedish",
    "authors": [
      "Megyesi, Beáta",
      "Granstedt, Lena",
      "Johansson, Sofia",
      "Prentice, Julia",
      "Rosén, Dan",
      "Schenström, Carl-Johan",
      "Sundberg, Gunlög",
      "Wirén, Mats",
      "Volodina, Elena"
    ],
    "date": "2018-01-01",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=oai:DiVA.org:su-162706",
    "pdfUrl": "",
    "doi": "",
    "abstract": "This paper reports on the status of learner corpus anonymization for the ongoing research infrastructure project SweLL. The main project aim is to deliver and make available for research a well-annotated corpus of essays written by second language (L2) learners of Swedish. As the practice shows, annotation of learner texts is a sensitive process demanding a lot of compromises between ethical and legal demands on the one hand, and research and technical demands, on the other. Below, is a concise description of the current status of pseudonymization of language learner data to ensure anonymity of the learners, with numerous examples of the above-mentioned compromises.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:2939437",
    "title": "Anonymization for the GDPR in the Context of Citizen and Customer Relationship Management and NLP",
    "authors": [
      "Gil Francopoulo",
      "Léon-Paul Schaub"
    ],
    "date": "2020-05-11",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-02939437v1",
    "pdfUrl": "https://hal.science/hal-02939437/document",
    "doi": "",
    "abstract": "The General Data Protection Regulation (GDPR) is the regulation in the European Economic Area (EEA) law on data protection and privacy for all citizens. There is a dilemma between sharing data and their subjects' confidentiality to respect GDPR in the commercial, legal and administrative sectors of activity. Moreover, the case of text data poses an additional difficulty: suppressing the personal information without deteriorating the semantic argumentation expressed in the text in order to apply a subsequent process like a thematic detection, an opinion mining or a chatbot. We listed five functional requirements for an anonymization process but we faced some difficulties to implement a solution that fully meets these requirements. Finally, and following an engineering approach, we propose a practical compromise which currently satisfies our users and could also be applied to other sectors like the medical or financial ones.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "doaj:183d8b3a96104064917776ecbfcfc371",
    "title": "A practical tool for assessment the GDPR requirements implementation in hospitals at the level of nurses’ desk",
    "authors": [
      "Radu ILINCA",
      "Ion-Octavian DOAGĂ",
      "Corina VERNIC"
    ],
    "date": "2019",
    "platform": "doaj",
    "sourceUrl": "https://ami.info.umfcluj.ro/index.php/AMI/article/view/716",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Nowadays, most healthcare providers have deployed large information systems in order to\nautomate as much as possible the medical workflow. Besides this, more and more centers share\nmedical information such as images, test results and so forth in an ongoing attempt to minimize\nthe time required to make a therapeutic intervention. While the benefits of all these are well\nknown, a new challenge has to be dealt with, namely assurance of patient data protection. This is\ncrucial, especially since sensitive medical information is shared. The new EU Regulation 679\n/ 2016 has specific requirements for personal data protection. Regulators but also accreditation\nbodies have to assess if there is an adequate level of privacy for personal medical data. The\npaper outlines a novel tool in order to assess the fact just previously mentioned at the most\ncritical step of data processing: nurses and medical operator. Fulfillment of the requirements of\nthe new General Data Protection Regulation (GDPR) is also important in Romania since the\nHospitals’ Accreditation Body has to assess when performing general hospital quality assurance\nassessment. The main focus is at the level of nurses who, in Romania, are also in charge with\npatient data input, data dissemination, output, and communication. Therefore, at this level\n(nurses) most data leakage might occur. This is especially true since these tasks are side-part of\ntheir main activity: medical assistance and their limited training with data protection concepts\nand practice in an electronic in most of the time online environment.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "Applied Medical Informatics",
    "language": "en"
  },
  {
    "id": "hal:2554422",
    "title": "First the GDPR, Now the Proposed ePrivacy Regulation",
    "authors": [
      "W. Gregory Voss"
    ],
    "date": "2017-07-01",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-02554422v1",
    "pdfUrl": "",
    "doi": "",
    "abstract": "On January 10, 2017, less than nine months after the General Data Protection Regulation (GDPR) was adopted by the European Union, the European Commission issued its proposal for a new ePrivacy Regulation. In analyzing this new proposal, this article first places European Union ePrivacy legislation in context before detailing the main points of the proposed ePrivacy Regulation, including its broad territorial scope, its material scope, its interface with the GDPR, as well as provisions on cookies, confidentiality of communications, application of the concept of consent and unsolicited direct marketing communications and enforcement measures (including sanctions). Next, this article discusses advisory and industry reactions to the proposed Regulation, and outlines the legislative process, prior to making certain conclusory remarks.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "Journal of Internet Law",
    "language": "en"
  },
  {
    "id": "hal:3521416",
    "title": "National adaptations of the GDPR",
    "authors": [
      "Karen Mc Cullagh",
      "Olivia Tambou",
      "Sam Bourton"
    ],
    "date": "2019",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-03521416v1",
    "pdfUrl": "https://hal.science/hal-03521416/document",
    "doi": "",
    "abstract": "This book explores the impact of the General Data Protection Regulation (GDPR), in ten Member States and the United Kingdom (including comments on Brexit situation) and its international influence in Switzerland and Japan. Eight months after the entry into force of the GDPR, this book analyses the tension between the visibility of the European Model and the readability of this model. This book provides insights and commentary on derogation and option differences between Member States. It outlines the issues most contested when national legislatures were drafting and implementing Bills to give effect to permitted derogations in the GDPR. Furthermore, this book questions to what extent the diversity of approach of national adaptations raises concerns regarding their conformity to the GDPR. This book is the result of an international cooperation launched through an e-conference organised by blogdroiteuropeen in June 2018. It brings together papers from seventeen legal academics or practitioners (lawyers, Data protection officers, and Data Protection authority representatives).",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:4890277",
    "title": "Data exfiltration and anonymization of medical images based on generative models",
    "authors": [
      "Huiyu Li"
    ],
    "date": "2024-11-28",
    "platform": "hal",
    "sourceUrl": "https://theses.hal.science/tel-04890277v3",
    "pdfUrl": "https://theses.hal.science/tel-04890277/document",
    "doi": "",
    "abstract": "This thesis aims to address some specific safety and privacy issues when dealing with sensitive medical images within data lakes. This is done by first exploring potential data leakage when exporting machine learning models and then by developing an anonymization approach that protects data privacy.Chapter 2 presents a novel data exfiltration attack, termed Data Exfiltration by Compression (DEC), which leverages image compression techniques to exploit vulnerabilities in the model exporting process. This attack is performed when exporting a trained network from a remote data lake, and is applicable independently of the considered image processing task. By exploring both lossless and lossy compression methods, this chapter demonstrates how DEC can effectively be used to steal medical images and reconstruct them with high fidelity, using two public CT and MR datasets. This chapter also explores mitigation measures that a data owner can implement to prevent the attack. It first investigates the application of differential privacy measures, such as Gaussian noise addition, to mitigate this attack, and explores how attackers can create attacks resilient to differential privacy. Finally, an alternative model export strategy is proposed which involves model fine-tuning and code verification.Chapter 3 introduces the Generative Medical Image Anonymization framework, a novel approach to balance the trade-off between preserving patient privacy while maintaining the utility of the generated images to solve downstream tasks. The framework separates the anonymization process into two key stages: first, it extracts identity and utility-related features from medical images using specially trained encoders; then, it optimizes the latent code to achieve the desired trade-off between anonymity and utility. 
We employ identity and utility encoders to verify patient identities and detect pathologies, and use a generative adversarial network-based auto-encoder to create realistic synthetic images from the latent space. During optimization, we incorporate these encoders into novel loss functions to produce images that remove identity-related features while maintaining their utility to solve a classification problem. The effectiveness of this approach is demonstrated through extensive experiments on the MIMIC-CXR chest X-ray dataset, where the generated images successfully support lung pathology detection. Chapter 4 builds upon the work from Chapter 4 by utilizing generative adversarial networks (GANs) to create a more robust and scalable anonymization solution. The framework is structured into two distinct stages: first, we develop a streamlined encoder and a novel training scheme to map images into a latent space. In the second stage, we minimize the dual-loss functions proposed in Chapter 3 to optimize the latent representation of each image. This method ensures that the generated images effectively remove some identifiable features while retaining crucial diagnostic information. Extensive qualitative and quantitative experiments on the MIMIC-CXR dataset demonstrate that our approach produces high-quality anonymized images that maintain essential diagnostic details, making them well-suited for training machine learning models in lung pathology classification. The conclusion chapter summarizes the scientific contributions of this work, and addresses remaining issues and challenges for producing secured and privacy preserving sensitive medical data.",
    "topics": [
      "data_anonymization",
      "document_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:4587371",
    "title": "Exploring the Scope of Machine Learning using Homomorphic Encryption in IoT/Cloud",
    "authors": [
      "Yulliwas Ameur"
    ],
    "date": "2023-12-18",
    "platform": "hal",
    "sourceUrl": "https://theses.hal.science/tel-04587371v1",
    "pdfUrl": "https://theses.hal.science/tel-04587371/document",
    "doi": "",
    "abstract": "Machine Learning as a Service (MLaaS) has accelerated the adoption of machine learning techniques in various domains. However, this trend has also raised serious concerns over the security and privacy of the sensitive data used in machine learning models. To address this challenge, our approach is to use homomorphic encryption.The aim of this thesis is to examine the implementation of homomorphic encryption in different applications of machine learning.. The first part of the work focuses on the use of homomorphic encryption in a multi-cloud environment, where the encryption is applied to simple operations such as addition and multiplication.This thesis explores the application of homomorphic encryption to the k-nearest neighbors (k-NN) algorithm. The study presents a practical implementation of the k-NN algorithm using homomorphic encryption and demonstrates the feasibility of this approach on a variety of datasets. The results show that the performance of the k-NN algorithm using homomorphic encryption is comparable to that of the unencrypted algorithm.Third, the work investigates the application of homomorphic encryption to the k-means clustering algorithm. Similar to the k-NN study, the thesis presents a practical implementation of the k-means algorithm using homomorphic encryption and evaluates its performance on various datasets.Finally, the thesis explores the combination of homomorphic encryption with differential privacy (DP) techniques to further enhance the privacy of machine learning models. The study proposes a novel approach that combines homomorphic encryption with DP to achieve better privacy guarantees for machine learning models. 
The research presented in this thesis contributes to the growing body of research on the intersection of homomorphic encryption and machine learning, providing practical implementations and evaluations of homomorphic encryption in various machine learning contexts.iffalseAccording to Gartner, 5.8 Billion Enterprise and Automotive IoT endpoints will be in use at the end of 2020 while Statistica shows that IoT enablers solutions (such as Cloud, analytics, security) will reach 15 Billion of euros in the European Union market by 2025. However, these IoT devices have not enough resource capacity to process the data collected by their sensors making these devices vulnerable and prone to attack. To avoid processing data within the IoT devices, the trend is to outsource the sensed data to the Cloud that has both resourceful data storage and data processing. Nevertheless, the externalized data may be sensitive, and the users may lose privacy on the data content while allowing the cloud providers to access and possibly use these data to their own business. To avoid this situation and preserve data privacy in the Cloud datacenter, one possible solution is to use the fully homomorphic encryption (FHE) that assures both confidentiality and efficiency of the processing. In many smart environments such as smart cities, smart health, smart farming, industry 4.0, etc. where massive data are generated, there is a need to apply machine learning (ML) techniques, hence contributing to the decision making to act on the smart environment. Indeed, the challenging issue in this context is to adapt the ML approaches to apply them on encrypted data so that the decision taken on encrypted data can be reported on the cleartext data. This PhD thesis is a cooperative research work between two teams ROC and MSDMA of CEDRIC Lab. 
It aims at exploring the use of ML and FHE in smart applications where IoT devices collect sensitive data to outsource them on untrusted Cloud datacenter for computing thanks to ML models.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:4349536",
    "title": "Designing and evaluating anonymization techniques for images and relational data streams via Machine Learning approaches at BMW Group",
    "authors": [
      "Jimmy Tekli"
    ],
    "date": "2021-12-17",
    "platform": "hal",
    "sourceUrl": "https://theses.hal.science/tel-04349536v1",
    "pdfUrl": "https://theses.hal.science/tel-04349536/document",
    "doi": "",
    "abstract": "Individual’s privacy and anonymity is becoming highly critical in our data-driven world due to the vast amount of data being generated and processed daily (e.g., Industry 4.0). Data anonymization is the process of creating anonymous information, namely information which does not relate to an identified or identifiable natural person in such a manner that the data subject is not or no longer identifiable. Privacy regulations compel data-driven companies to guarantee a level of anonymization that requires “irreversibility preventing identification of the data subject”, taking into account all the means “reasonably likely to be used” for identification. Therefore, we (i) propose and implement several anonymization techniques and tools in the context of images and relational data streams and (ii) assess the robustness of these techniques by simulating adversaries with different knowledge and several attacking capabilities. In the first contribution, we design and implement an anonymization tool that localizes identifying/sensitive features in images/videos via Deep Learning DL-based localization techniques (i.e., semantic segmentation) and obfuscates it accordingly via pixelating, blurring, or masking. In the second contribution, we propose a recommendation framework that evaluates the robustness of image obfuscation techniques and recommends the most resilient obfuscation against adversaries executing DL-assisted attacks (e.g., restoration or recognition-based attacks). In addition, three threat levels are studied thoroughly based on the adversary’s knowledge (e.g., background knowledge). In the third contribution, we empirically demonstrate how adversaries can remedy their lack of knowledge and leverage their attacking capabilities, against obfuscated facial images, by collaborating via Federated Learning. Seven collective threat levels are defined and studied based on the background knowledge of the adversaries and the sharing of their knowledge. 
Finally, we address in the fourth contribution the correlation problem in the anonymization of a transactional relational data stream. A bucketization-based technique, entitled (k,l)-clustering, is proposed to prevent such privacy breaches by ensuring that the same k individuals remain grouped together over the entire anonymized stream.",
    "topics": [
      "data_anonymization",
      "enterprise_privacy_ops"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:3674540",
    "title": "Speaker anonymization : representation, evaluation and formal guarantees",
    "authors": [
      "Brij Mohan Lal Srivastava"
    ],
    "date": "2021-12-02",
    "platform": "hal",
    "sourceUrl": "https://theses.hal.science/tel-03674540v2",
    "pdfUrl": "https://theses.hal.science/tel-03674540/document",
    "doi": "",
    "abstract": "Large-scale centralized storage of speech data poses severe privacy threats to the speakers. Indeed, the emergence and widespread usage of voice interfaces starting from telephone to mobile applications, and now digital assistants have enabled easier communication between the customers and the service providers. Massive speech data collection allows its users, for instance researchers, to develop tools for human convenience, like voice passwords for banking, personalized smart speakers, etc. However, centralized storage is vulnerable to cybersecurity threats which, when combined with advanced speech technologies like voice cloning, speaker recognition, and spoofing, may endow a malicious entity with the capability to re-identify speakers and breach their privacy by gaining access to their sensitive biometric characteristics, emotional states, personality attributes, pathological conditions, etc.Individuals and the members of civil society worldwide, and especially in Europe, are getting aware of this threat. With firm backing by the GDPR, several initiatives are being launched, including the publication of white papers and guidelines, to spread mass awareness and to regulate voice data so that the citizens' privacy is protected.This thesis is a timely effort to bolster such initiatives and propose solutions to remove the biometric identity of speakers from speech signals, thereby rendering them useless for re-identifying the speakers who spoke them.Besides the goal of protecting the speaker's identity from malicious access, this thesis aims to explore the solutions which do so without degrading the usefulness of speech.We present several anonymization schemes based on voice conversion methods to achieve this two-fold objective. 
The output of such schemes is a high-quality speech signal that is usable for publication and a variety of downstream tasks. All the schemes are subjected to a rigorous evaluation protocol which is one of the major contributions of this thesis. This protocol led to the finding that the previous approaches do not effectively protect the privacy and thereby directly inspired the VoicePrivacy initiative which is an effort to gather individuals, industry, and the scientific community to participate in building a robust anonymization scheme. We introduce a range of anonymization schemes under the purview of the VoicePrivacy initiative and empirically prove their superiority in terms of privacy protection and utility. Finally, we endeavor to remove the residual speaker identity from the anonymized speech signal using the techniques inspired by differential privacy. Such techniques provide provable analytical guarantees to the proposed anonymization schemes and open up promising perspectives for future research. In practice, the tools developed in this thesis are an essential component to build trust in any software ecosystem where voice data is stored, transmitted, processed, or published. They aim to help the organizations to comply with the rules mandated by civil governments and give a choice to individuals who wish to exercise their right to privacy.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:3225121",
    "title": "Gendarmerie Nationale Officers College Research Center Published in the Official Journal of the European Union on May 4, 2016, the General Data Protection Regulation (EU) 2016/679 of the European Parliament and Council dated",
    "authors": [
      "Jérôme Lagasse"
    ],
    "date": "2017-03",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-03225121v1",
    "pdfUrl": "https://hal.science/hal-03225121/document",
    "doi": "",
    "abstract": "on the protection of natural persons with regard to the processing of personal data and on the free movement of such data\" has come into force as of May 25, 2016. A parallel can be drawn between this new Regulation and the eighth centenary of Magna Carta 1 ,which already consecrated as an essential principle the safeguard of personal rights and freedoms. As of May 25, 2018, the Regulation will create such enforceable rights as it becomes fully opposable in its entirety before all jurisdictions of the 28 Member States of the European Union. During the transitory period, no Member State will be allowed to legislate in contradiction to its provisions. Ultimately, this legal text completes the unification of the 28 different legislations on personal data protection, absorbing in particular France's law no. 78-17 dated January 6, 1978 2. Henceforward, the protection of personal data will belong to a single legal corpus, directly transferable into the national legislations of EU Member States. Our commentaries in this research note will highlight one of the major effects of this Regulation, namely the creation of a common definition of what constitutes personal data. This definition-a frequent source of controversy in both doctrine and case law-has long been fluctuating. Regarding the general philosophy guiding its authors, the EU Regulation is intended-as stated by the European Commission-as an appropriate political and judicial stance designed to provide better answers to the \"new challenges\" arising from \"rapid technological developments and globalization\" 3. The application and interpretation of some of its provisions are bound to affect the bases of democratic societies in Europe over the next decade. Two related EU Directives published at the same time as this Regulation will also have an indirect impact on the concrete implementation of law and order policies within Member States. 
The present note will limit its scrutiny to the essential points of the Regulation, which-in themselves and in this perspective-lay the foundations for an EU-wide charter or \"digital bill of rights\" protecting citizens and their freedoms from current or potential excesses in this new and open field. The General Data Protection Regulation (GDPR) sets forth a common definition for both personal and sensitive data which de facto creates a protective shell for all citizens (see section I below). Within this shell, citizens enjoy stronger rights (section II) allowing them better means of remedy in the event of any act likely to infringe on their fundamental rights in the field of digital identification. Finally, the introduction of administrative sanctions and the appointment of data protection delegates within organizations as part of an overall framework of data governance based on the principles of accountability 4 and compliance 5 should make the new Regulation truly efficient (section III). \"The Magna Carta Libertarum or Great Charter of Liberties (1215) is the document imposed by English barons on their king, John Lackland, to force him to acknowledge and protect the freedoms and privileges of the nobility\". cf. Dictionnaire de la science politique et des institutions politiques, Armand Colin, 8 th edition, 2015, p.176.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "Les Notes du CREOGN",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2967203918",
    "title": "Understanding Data Protection Regulations from a Data Management Perspective: A Capability-Based Approach to EU-GDPR",
    "authors": [
      "Clément Labadie",
      "Christine Legner"
    ],
    "date": "2019",
    "platform": "OpenAlex",
    "sourceUrl": "https://serval.unil.ch/notice/serval:BIB_65AAB323C49C",
    "pdfUrl": "https://serval.unil.ch/notice/serval:BIB_65AAB323C49C",
    "doi": "",
    "abstract": "The European General Data Protection Regulation (EU-GDPR) has entered into force in May 2018. Its emphasis on individual control and organizational accountability constitutes a new paradigm that requires changes in the way organizations manage personal data. However, organizations face difficulties when implementing EU-GDPR due to a lack of common ground between legal and data management domains. Anchored in the resource-based view theory (RBV), this paper argues that the regulation requires companies to build a dedicated data management capability. It presents a capability model that was developed in an iterative design science process, integrating both interpretation of legal texts and practical insights from focus groups with more than 30 experts and from 3 EU-GDPR projects. The paper advances the regulatory compliance management literature by translating legal data protection concepts for the IS community. It also contributes to practice by enabling organization to set-up systematic approaches towards EU-GDPR compliance.",
    "topics": [
      "gdpr_compliance",
      "sector_legal"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "SERVAL (Université de Lausanne)",
    "language": "en"
  },
  {
    "id": "hal:4953974",
    "title": "First ever decision of a French court applying GDPR to facial recognition",
    "authors": [
      "Theodore Christakis"
    ],
    "date": "2020-02-27",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-04953974v1",
    "pdfUrl": "",
    "doi": "",
    "abstract": "A French court canceled today a decision by the South-East Region of France (Provence-Alpes-Côte d’Azur – PACA) to undertake a series of tests using facial recognition at the entrance of two High schools considering that this would be illegal. This is the first decision ever by a French Court applying the General Data Protection Regulation (GDPR) on Facial Recognition Technologies (FRTs).",
    "topics": [
      "gdpr_compliance",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:2503.03428",
    "title": "Privacy is All You Need: Revolutionizing Wearable Health Data with Advanced PETs",
    "authors": [
      "Karthik Barma"
    ],
    "date": "2025-03-05",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2503.03428v2",
    "pdfUrl": "https://arxiv.org/pdf/2503.03428v2",
    "doi": "",
    "abstract": "In a world where data is the new currency, wearable health devices offer unprecedented insights into daily life, continuously monitoring vital signs and metrics. However, this convenience raises privacy concerns, as these devices collect sensitive data that can be misused or breached. Traditional measures often fail due to real-time data processing needs and limited device power. Users also lack awareness and control over data sharing and usage. We propose a Privacy-Enhancing Technology (PET) framework for wearable devices, integrating federated learning, lightweight cryptographic methods, and selectively deployed blockchain technology. The blockchain acts as a secure ledger triggered only upon data transfer requests, granting users real-time notifications and control. By dismantling data monopolies, this approach returns data sovereignty to individuals. Through real-world applications like secure medical data sharing, privacy-preserving fitness tracking, and continuous health monitoring, our framework reduces privacy risks by up to 70 percent while preserving data utility and performance. This innovation sets a new benchmark for wearable privacy and can scale to broader IoT ecosystems, including smart homes and industry. As data continues to shape our digital landscape, our research underscores the critical need to maintain privacy and user control at the forefront of technological progress.",
    "topics": [
      "privacy_engineering",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Solutions Market",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.637,
    "venue": "",
    "language": "en"
  },
  {
    "id": "ETid-2",
    "title": "GDPR Fine: Kebab restaurant — Austrian Data Protection Authority (dsb) (Austria)",
    "authors": [
      "Austrian Data Protection Authority (dsb)"
    ],
    "date": "2018",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-2",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €1,800 | Articles: Art. 5 GDPR, Art. 13 GDPR, Art. 14 GDPR | Insufficient legal basis for data processing | CCTV was unlawfully used. Sufficient information about the video surveillance was missing. In addition, the storage period of 14 days was too long and therefore against the principle of data minimization. Addendum: Fine has been reduced to EUR 1500 by court, see https://www.dataprotect.at/2020-videoüberwachung-strafe/",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Austrian Data Protection Authority (dsb)",
    "language": "en"
  },
  {
    "id": "ETid-6",
    "title": "GDPR Fine: Bank — Bulgarian Commission for Personal Data Protection (KZLD) (Bulgaria)",
    "authors": [
      "Bulgarian Commission for Personal Data Protection (KZLD)"
    ],
    "date": "2018-12-04",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-6",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €500 | Articles: Art. 5 (1) b) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A fine of 1000 BGN (or roughly 500 EUR) was imposed on a bank for calling a client for the unresolved bills of his neighbor. This provoked the client to invoke his right to be forgotten. After not receiving any answer from the bank he filed another motion, for which the bank did take action in the statutory period. Nonetheless, the client filed a complaint to KZLD.\r\n\r\nThe infringement for which the bank was fined was that the processing of the client’s personal data was not linked to his consumer credit agreement. Since the purpose for which the data were processed was different from that communicated at the time of conclusion of the contract, the bank had, in the point of view of KZLD, to request additional consent from its client.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Bulgarian Commission for Personal Data Protection (KZLD)",
    "language": "en"
  },
  {
    "id": "ETid-26",
    "title": "GDPR Fine: Kolibri Image\nRegina und Dirk Maass GbR — Data Protection Authority of Hamburg (Germany)",
    "authors": [
      "Data Protection Authority of Hamburg"
    ],
    "date": "2018-12-17",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-26",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €5,000 | Articles: Art. 28 (3) GDPR | Insufficient data processing agreement | Please note: According to our information this fine has been withdrawn in the meantime. \n\nKolibri Image had sent a request to the Data Protection Authority of Hessen asking how to deal with a service provider who does not want to sign a processing agreement. After not answering Kolibri Image in more detail, the case was forwarded to the locally responsible Data Protection Authority of Hamburg. This Authority then fined Kolibri Image as controller for not having a processing agreement with the service provider. Kolibri Image has stated that they will challenge the decision in front of court since they are of the opinion that the service provider does not act as a processor.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Data Protection Authority of Hamburg",
    "language": "en"
  },
  {
    "id": "ETid-29",
    "title": "GDPR Fine: Unknown — Data Protection Authority of Hamburg (Germany)",
    "authors": [
      "Data Protection Authority of Hamburg"
    ],
    "date": "2018",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-29",
    "pdfUrl": "https://datenschutz-hamburg.de/assets/pdf/27._Taetigkeitsbericht_Datenschutz_2018_HmbBfDI.pdf",
    "doi": "",
    "abstract": "Fine: €20,000 | Articles: Art. 33 (1) GDPR, Art. 34 (1) GDPR | Insufficient fulfilment of data breach notification obligations | Late notification of a data breach and failure to notify the data subjects.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Data Protection Authority of Hamburg",
    "language": "en"
  },
  {
    "id": "ETid-40",
    "title": "GDPR Fine: Payment service provider UAB MisterTango — Lithuanian Data Protection Authority (VDAI) (Lithuania)",
    "authors": [
      "Lithuanian Data Protection Authority (VDAI)"
    ],
    "date": "2019-05-16",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-40",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €61,500 | Articles: Art. 5 GDPR, Art. 32 GDPR, Art. 33 GDPR | Insufficient fulfilment of data breach notification obligations | During an inspection, the Lithuanian Data Protection Supervisory Authority found that the controller processed more data than necessary to achieve the purposes for which he was a controller. In addition, it became known that from 09 - 10 July 2018 payment data were publicly available on the internet due to inadequate technical and organisational measures. 9,000 payments with 12 banks from different countries were affected. According to the supervisory authority, a data breach notification pursuant to Art. 33 GDPR would have been necessary. The controller did not report the Data Breach.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Lithuanian Data Protection Authority (VDAI)",
    "language": "en"
  },
  {
    "id": "ETid-68",
    "title": "GDPR Fine: Company in the medical sector — Austrian Data Protection Authority (dsb) (Austria)",
    "authors": [
      "Austrian Data Protection Authority (dsb)"
    ],
    "date": "2019-08",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-68",
    "pdfUrl": "https://www.dsb.gv.at/dam/jcr:784483fa-dafb-49bd-8a09-412bb15eb9f9/Newsletter_DSB_4_2019.pdf",
    "doi": "",
    "abstract": "Fine: €25,000 | Articles: Art. 13 GDPR, Art. 35 GDPR, Art. 37 GDPR | Insufficient fulfilment of information obligations | The (non-final) fine was imposed on a company in the medical sector for non-compliance with information obligations and for not appointing a data protection officer. \n\nUpdate: The original fine of EUR 50,000 was reduced to EUR 25,000 by the Austrian Federal Administrative Court.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Austrian Data Protection Authority (dsb)",
    "language": "en"
  },
  {
    "id": "ETid-78",
    "title": "GDPR Fine: Delivery Hero — Data Protection Authority of Berlin (Germany)",
    "authors": [
      "Data Protection Authority of Berlin"
    ],
    "date": "2019-09-19",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-78",
    "pdfUrl": "https://www.datenschutz-berlin.de/fileadmin/user_upload/pdf/pressemitteilungen/2019/20190919-PM-Bussgelder.pdf",
    "doi": "",
    "abstract": "Fine: €195,407 | Articles: Art. 15 GDPR, Art. 17 GDPR, Art. 21 GDPR | Insufficient fulfilment of data subjects rights | According to the findings of the Berlin data protection officer, Delivery Hero Germany GmbH had not deleted accounts of former customers in ten cases, even though those data subjects had not been active on the company's delivery service platform for years - in one case even since 2008. In addition, eight former customers had complained about unsolicited advertising e-mails from the company. A data subject who had expressly objected to the use of his data for advertising purposes nevertheless received further 15 advertising e-mails from the delivery service. In further five cases, the company did not provide the data subjects with the required information or only after the Berlin data protection officer had intervened.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Data Protection Authority of Berlin",
    "language": "en"
  },
  {
    "id": "ETid-97",
    "title": "GDPR Fine: Mayor of Aleksandrów Kujawski — Polish National Personal Data Protection Office (UODO) (Poland)",
    "authors": [
      "Polish National Personal Data Protection Office (UODO)"
    ],
    "date": "2019-10-18",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-97",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €9,380 | Articles: Art. 28 GDPR | Insufficient data processing agreement | No data processing agreement has been concluded with the company whose servers contained the resources of the Public Information Bulletin (BIP) of the Municipal Office in Aleksandrów Kujawski. For this reason, a fine of 40.000 PLN (9400 EUR) was imposed on the mayor of the city.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Polish National Personal Data Protection Office (UODO)",
    "language": "en"
  },
  {
    "id": "ETid-191",
    "title": "GDPR Fine: Zhang Bordeta 2006, S.L. (Store and Restaurant) — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2020-01-14",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-191",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00397-2019.pdf",
    "doi": "",
    "abstract": "Fine: €3,600 | Articles: Art. 5 GDPR | Non-compliance with general data processing principles | The store and restaurant owner installed a video surveillance system which, among others, also took pictures of the sidewalk and thus of the public space, which violates the fundamental principle of data minimization.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-203",
    "title": "GDPR Fine: Facebook Germany GmbH — Data Protection Authority of Hamburg (Germany)",
    "authors": [
      "Data Protection Authority of Hamburg"
    ],
    "date": "2019",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-203",
    "pdfUrl": "https://datenschutz-hamburg.de/assets/pdf/28._Taetigkeitsbericht_Datenschutz_2019_HmbBfDI.pdf",
    "doi": "",
    "abstract": "Fine: €51,000 | Articles: Art. 37 GDPR | Insufficient involvement of data protection officer | Whereas Facebook Ireland had appointed a data protection officer for all group companies located in the EU, this appointment was not notified to the DPA Hamburg, competent for Facebook Germany GmbH. The fine was calculated on the basis of the turnover of the German branch (EUR 35 million). Relevant factors for the calculation were i.a. that the omitted notification was immediately made up for, Facebook acted negligently and did not violate the duty to appoint a data protection officer but only the notification obligation.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Data Protection Authority of Hamburg",
    "language": "en"
  },
  {
    "id": "ETid-204",
    "title": "GDPR Fine: Hamburger Verkehrsverbund GmbH (HVV GmbH) — Data Protection Authority of Hamburg (Germany)",
    "authors": [
      "Data Protection Authority of Hamburg"
    ],
    "date": "2019",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-204",
    "pdfUrl": "https://datenschutz-hamburg.de/assets/pdf/28._Taetigkeitsbericht_Datenschutz_2019_HmbBfDI.pdf",
    "doi": "",
    "abstract": "Fine: €20,000 | Articles: Art. 33 GDPR, Art. 34 GDPR | Insufficient fulfilment of data breach notification obligations | On July 6, 2018, HVV GmbH was informed by a customer about a security gap on the website www.hvv.de, which was caused by an update on February 5, 2018 and concerned the so-called Customer E-Service (CES). The security gap consisted in the fact that customers logged in to the CES who had an HVV Card and linked their CES customer account to at least one active contractual relationship in background systems could, by changing the URL, display data of other customers who had an HVV Card. This data breach was not reported to the data protection authority in a timely manner.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Data Protection Authority of Hamburg",
    "language": "en"
  },
  {
    "id": "ETid-218",
    "title": "GDPR Fine: Royal Dutch Tennis Association ('KNLTB') — Dutch Supervisory Authority for Data Protection (AP) (The Netherlands)",
    "authors": [
      "Dutch Supervisory Authority for Data Protection (AP)"
    ],
    "date": "2020-03-03",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-218",
    "pdfUrl": "https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/boetebesluit_knltb.pdf",
    "doi": "",
    "abstract": "Fine: €525,000 | Articles: Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Dutch Data Protection Authority has fined the Royal Dutch Tennis Association ('KNLTB') with EUR 525,000 for selling the personal data of more than 350,000 of its members to sponsors who had contacted some of the members by mail and telephone for direct marketing purposes. It was found that the KNLTB sold personal data such as name, gender and address to third parties without obtaining the consent of the data subjects. The data protection authority also rejected the existence of a legitimate interest for the sale of the data and therefore decided that there was no legal basis for the transfer of the personal data to the sponsors.\n---UPDATE---\nFollowing the CJEU's court ruling, the controller and the DPA agreed to settle the case and reduce the fine from EUR 525,000 to EUR 250,000. The controller also admitted their wrongdoing.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Dutch Supervisory Authority for Data Protection (AP)",
    "language": "en"
  },
  {
    "id": "ETid-226",
    "title": "GDPR Fine: Liceo Artistico Statale di Napoli — Italian Data Protection Authority (Garante) (Italy)",
    "authors": [
      "Italian Data Protection Authority (Garante)"
    ],
    "date": "2020-03-06",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-226",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €4,000 | Articles: Art. 5 GDPR, Art. 6 GDPR, Art. 9 GDPR | Insufficient legal basis for data processing | The AEPD's decision reveals that the high school unlawfully published health data and other information in the teacher rankings published on the Institute's website. This publication was made in violation of the principles of lawfulness, fairness, transparency and data minimization.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Italian Data Protection Authority (Garante)",
    "language": "en"
  },
  {
    "id": "ETid-227",
    "title": "GDPR Fine: Liceo Scientifico Nobel di Torre del Greco — Italian Data Protection Authority (Garante) (Italy)",
    "authors": [
      "Italian Data Protection Authority (Garante)"
    ],
    "date": "2020-03-06",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-227",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €4,000 | Articles: Art. 5 GDPR, Art. 6 GDPR, Art. 9 GDPR | Insufficient legal basis for data processing | The AEPD's decision reveals that the high school unlawfully published health data and other information of more than 2000 teachers in the teacher rankings published on the Institute's website. This publication was made in violation of the principles of lawfulness, fairness, transparency and data minimization.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Italian Data Protection Authority (Garante)",
    "language": "en"
  },
  {
    "id": "ETid-635",
    "title": "GDPR Fine: Private Individual — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2021-04-15",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-635",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00151-2020.pdf",
    "doi": "",
    "abstract": "Fine: €3,000 | Articles: Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 3,000 on a private individual. The controller resides on the 1st floor of an apartment building, where he is the owner of apartments on the 2nd and 3rd floors. He regularly rents out these apartments to tourists. The controller had installed four video cameras on the three floors and in the entrance area of the building. He justified their operation with security concerns related to the rental to tourists. The owners' association had not granted permission for the operation of the cameras. Also, the controller did not put up a sign in the building informing about the operation of the camera. The DPA found this to be a violation of the principle of data minimization, as the cameras covered areas of the building used by the community, whose monitoring was not necessary for the protection of the controller's property. Furthermore, the controller violated its obligation to provide information, as he failed to inform the other residents of the building about the processing of their data.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-1166",
    "title": "GDPR Fine: Homeowners Association — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2022-05-11",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1166",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00523-2021.pdf",
    "doi": "",
    "abstract": "Fine: €6,000 | Articles: Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 6,000 on a homeowners' association. \nAn apartment owner who had been a resident for 15 years had filed a complaint with the DPA due to the fact of having to show ID before using the communal pool. This request for personal data was based on measures to combat the covid-19 pandemic. \nDuring its investigation, the DPA found that the collection of the personal data through the ID check was unnecessary given the fact that the data subject had been a resident for 15 years, and thus violated the principle of data minimization set forth in Art. 5 (1) c) GDPR. Furthermore, the DPA found that the data subject had not been sufficiently informed about the processing of their personal data.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-247",
    "title": "GDPR Fine: Amalfi Servicios de Restauracion S.L. — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2020-03-16",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-247",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00317-2019.pdf",
    "doi": "",
    "abstract": "Fine: €6,000 | Articles: Art. 5 GDPR, Art. 13 GDPR, Art. 14 GDPR | Non-compliance with general data processing principles | Video surveillance of public space and thus violation of the principle of data minimization. Furthermore: Violation of information obligations, as insufficient information has been provided about video surveillance.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-272",
    "title": "GDPR Fine: Proximus SA — Belgian Data Protection Authority (APD) (Belgium)",
    "authors": [
      "Belgian Data Protection Authority (APD)"
    ],
    "date": "2020-04-28",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-272",
    "pdfUrl": "https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-18-2020.pdf",
    "doi": "",
    "abstract": "Fine: €50,000 | Articles: Art. 31 GDPR, Art. 58 GDPR, Art. 37 GDPR | Insufficient involvement of data protection officer | According to the data protection authority, the company's data protection officer was not sufficiently involved in the processing of personal data breaches and the company did not have a system in place to prevent a conflict of interest of the DPO, who also held numerous other positions within the company (head of compliance and audit department), which led the DPA to the conclusion that the company's DPO was not able to work independently.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Belgian Data Protection Authority (APD)",
    "language": "en"
  },
  {
    "id": "ETid-273",
    "title": "GDPR Fine: National Government Service Centre (NGSC) — Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) (Sweden)",
    "authors": [
      "Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)"
    ],
    "date": "2020-04-29",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-273",
    "pdfUrl": "https://www.datainspektionen.se/globalassets/dokument/beslut/beslut-tillsyn-ssc-20200428.pdf",
    "doi": "",
    "abstract": "Fine: €18,700 | Articles: Art. 33 GDPR, Art. 34 GDPR | Insufficient fulfilment of data breach notification obligations | The DPA's decision shows that it took almost five months for the company to notify the data subjects of a data breach and almost three months for the DPA to receive a notification of a data breach concerning a security deficiency in the company's IT systems.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)",
    "language": "en"
  },
  {
    "id": "ETid-282",
    "title": "GDPR Fine: Non-profit organisation — Belgian Data Protection Authority (APD) (Belgium)",
    "authors": [
      "Belgian Data Protection Authority (APD)"
    ],
    "date": "2020-05-29",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-282",
    "pdfUrl": "https://www.gegevensbeschermingsautoriteit.be/sites/privacycommission/files/documents/Beslissing_GK_28-2020_NL.pdf",
    "doi": "",
    "abstract": "Fine: €1,000 | Articles: Art. 6 GDPR, Art. 21 GDPR | Insufficient fulfilment of data subjects rights | The Belgian data protection authority has imposed a fine of EUR 1000 on a non-profit organisation for sending out direct marketing messages, despite the fact that data subjects had exercised their right to erasure and objection. The organisation claimed that it was relying on legitimate interests as a legal basis and not on the explicit consent of the data subjects. The data protection authority, however, denied the existence of any outweighing of legitimate interests.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Belgian Data Protection Authority (APD)",
    "language": "en"
  },
  {
    "id": "ETid-307",
    "title": "GDPR Fine: Miraclia (telecommunications company) — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2020-06-23",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-307",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €7,500 | Articles: Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The recording of telephone jokes via an app constitutes processing of personal data in accordance with the applicable data protection law, as the voices of individuals may constitute personal data if they are associated with other information, such as the telephone number. The consent of the users at the end of the conversation was not sufficient in this case.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-320",
    "title": "GDPR Fine: Tusla Child and Family Agency — Data Protection Authority of Ireland (Ireland)",
    "authors": [
      "Data Protection Authority of Ireland"
    ],
    "date": "2020-06-30",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-320",
    "pdfUrl": "https://www.dataprotection.ie/sites/default/files/uploads/2021-02/12.08.2020_Decision_Tusla_IN-18-11-04.pdf",
    "doi": "",
    "abstract": "Fine: €40,000 | Articles: Art. 33 GDPR | Insufficient fulfilment of data breach notification obligations | The organization sent a letter with abuse allegations to a third party who then uploaded it to social networks.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Data Protection Authority of Ireland",
    "language": "en"
  },
  {
    "id": "ETid-329",
    "title": "GDPR Fine: Saunier-Tec Mantenimientos de Calor y Frio, SL. — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2020-07-02",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-329",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00122-2020.pdf",
    "doi": "",
    "abstract": "Fine: €3,600 | Articles: Art. 33 GDPR | Insufficient fulfilment of data breach notification obligations | Although the company had taken steps to remedy a data breach, it had not informed the AEPD sufficiently. As a result, the AEPD imposed a fine of EUR 4,800, which was reduced to EUR 3,600 due to voluntary payment.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-338",
    "title": "GDPR Fine: Auto Desguaces Iglesias S.L. — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2020-07-10",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-338",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00004-2020.pdf",
    "doi": "",
    "abstract": "Fine: €1,500 | Articles: Art. 5 GDPR | Non-compliance with general data processing principles | The company had installed surveillance cameras that recorded the public road and therefore violated the principle of data minimization.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-506",
    "title": "GDPR Fine: Vodafone España, S.A.U. — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2021-01-04",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-506",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00415-2020.pdf",
    "doi": "",
    "abstract": "Fine: €54,000 | Articles: Art. 5 (1) d), f) GDPR | Non-compliance with general data processing principles | The data subject had concluded a contract with the controller (Vodafone España, S.A.U.). However, the products provided under this contract were not delivered in the name of the data subject, but in the name of a third party. Subsequently, the data subject contacted the company's data protection officer by e-mail in order to restore the accuracy of his/her data stored at Vodafone. However, no response was received to this request. When the data subject finally contacted the telecommunications company by telephone, he/she was addressed by the name of the third party. His/her inquiry was answered with a response that did not refer to his/her inquiry, but to the inquiry of the third party. According to the telecommunications company, the incident was caused by a defect in their system due to a system migration. The Spanish DPA (AEPD) initially fined Vodafone España, S.A.U. EUR 90,000, but the original fine was reduced to EUR 54,000 due to the timely payment and admission of guilt.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-383",
    "title": "GDPR Fine: Party of the Socialists of Catalonia — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2020-08-17",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-383",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00449-2019.pdf",
    "doi": "",
    "abstract": "Fine: €5,000 | Articles: Art. 5 (1) b) GDPR | Non-compliance with general data processing principles | The Socialist Party of Catalonia has used the personal data provided by a professional doctor to send a letter to the complainant's relative asking for political support. This constitutes a different purpose from the original purpose of the collection and therefore violates the principle of purpose limitation.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-397",
    "title": "GDPR Fine: Grupo Carolizan — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2020-09-17",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-397",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00311-2019.pdf",
    "doi": "",
    "abstract": "Fine: €3,000 | Articles: Art. 5 GDPR | Non-compliance with general data processing principles | Operation of CCTV camera systems in an arcade area in front of a building, i.e. also covering public space. This violated the principles of data minimization, as the surveillance cameras could have been operated in a way that would not have affected the public space.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-405",
    "title": "GDPR Fine: H&M Hennes & Mauritz Online Shop A.B. & Co. KG — Data Protection Authority of Hamburg (Germany)",
    "authors": [
      "Data Protection Authority of Hamburg"
    ],
    "date": "2020-10-01",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-405",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €35,258,708 | Articles: Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The fashion company with seat in Hamburg operates a service center in Nuremberg. Here, according to the findings of the Hamburg data protection officer, since at least 2014 private life circumstances of some of the employees have been comprehensively recorded and this information stored on a network drive. For example, the company conducted a 'Welcome Back Talk' after employees returned to work after vacation or illness. The information that became known in this context - including information on the symptoms of illness and diagnoses of the employees - was recorded and stored. In addition, according to the Hamburg data protection authority, some supervisors also used the 'Flurfunk' [meaning to hear something through the grapevine] to acquire a broad knowledge of individual employees, for example about family problems and religious beliefs. The information stored on the network drive was accessible to up to 50 managers of the company and was used, among other things, to evaluate the work performance of the employees and to make employment decisions. The data collection became known due to a technical configuration error in October 2019, as a result of which the data stored on the network drive was accessible company-wide for several hours. After the violation became known, the management apologized to the employees and offered monetary compensation. In addition, further protective measures were introduced together with the data protection authority. [Note: Concrete legal basis of the fine not yet published - we assume this will mainly be Art. 5 and 6 GDPR]",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Data Protection Authority of Hamburg",
    "language": "en"
  },
  {
    "id": "ETid-406",
    "title": "GDPR Fine: Azienda Ospedaliera di Rilievo Nazionale 'Antonio Cardarelli' (Private Hospital) — Italian Data Protection Authority (Garante) (Italy)",
    "authors": [
      "Italian Data Protection Authority (Garante)"
    ],
    "date": "2020-09-30",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-406",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €80,000 | Articles: Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 13 GDPR, Art. 28 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | According to the data protection authority, personal information about participants in a public competition had been unlawfully disclosed online. The reason for this was that, due to a configuration error, a list of the codes assigned to the candidates was temporarily accessible on the platform, which allowed access to the documents submitted by the candidates with their personal data. This was a violation of the principle of protection of information security. In addition, the data protection authority found that the information obligations were also not complied with and that the hospital had also not provided a sufficient data processing agreement with the data processor [which was also fined, see fine for 'Scanshare'] in accordance with Art. 28 GDPR.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Italian Data Protection Authority (Garante)",
    "language": "en"
  },
  {
    "id": "ETid-433",
    "title": "GDPR Fine: Università Campus Bio-medico di Roma (Polyclinic) — Italian Data Protection Authority (Garante) (Italy)",
    "authors": [
      "Italian Data Protection Authority (Garante)"
    ],
    "date": "2020-10-26",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-433",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €20,000 | Articles: Art. 5 (2) a), f) GDPR, Art. 9 GDPR | Non-compliance with general data processing principles | In a data breach notification pursuant to Art. 33 GDPR, the data protection authority found that patients accessing their online medical reports via their smartphones could also access personal health data of 74 other patients. According to the polyclinic, the reason for this was a human error in the integration of two IT systems.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Italian Data Protection Authority (Garante)",
    "language": "en"
  },
  {
    "id": "ETid-438",
    "title": "GDPR Fine: Vodafone Italia S.p.A. — Italian Data Protection Authority (Garante) (Italy)",
    "authors": [
      "Italian Data Protection Authority (Garante)"
    ],
    "date": "2020-11-12",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-438",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €12,251,601 | Articles: Art. 5 (1), (2) GDPR, Art. 6 (1) GDPR, Art. 7 GDPR, Art. 15 (1) GDPR, Art. 16 GDPR, Art. 21 GDPR, Art. 24 GDPR, Art. 25 (1) GDPR, Art. 32 GDPR, Art. 33 GDPR | Non-compliance with general data processing principles | The company was fined EUR 12,251,601 for unlawfully processing personal data of millions of customers for telemarketing purposes. The proceedings were preceded by hundreds of complaints from data subjects about unsolicited telephone calls, which led to an investigation by the data protection authority. This investigation revealed several violations of the data protection law, including the violation of consent requirements and the violation of general data protection obligations such as accountability. One of the main criticisms made by the Data Protection Agency was the use of fake numbers to make promotional calls by the contracted call centers (i.e. phone numbers not registered with the National Consolidated Registry of Communication Operators). Furthermore, further violations could be found in the handling of contact lists purchased from external providers. Finally, security measures for the management of customer data were also considered inadequate.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Italian Data Protection Authority (Garante)",
    "language": "en"
  },
  {
    "id": "ETid-452",
    "title": "GDPR Fine: Anmavas 61, S.L. — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2020-11-18",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-452",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00189-2020.pdf",
    "doi": "",
    "abstract": "Fine: €2,000 | Articles: Art. 58 GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA (AEPD) imposed a fine on Anmavas 61, S.L. for neither granting nor justifiably denying the right to erasure to the data subject, even after receiving a warning issued by the AEPD.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-484",
    "title": "GDPR Fine: American College of Greece — Hellenic Data Protection Authority (HDPA) (Greece)",
    "authors": [
      "Hellenic Data Protection Authority (HDPA)"
    ],
    "date": "2020-10-29",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-484",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €1,000 | Articles: Art. 12 (3), (4) GDPR | Insufficient fulfilment of information obligations | The Hellenic DPA (HDPA) imposed a fine of EUR 1,000 against the American College of Greece for violations of the right of access and the right to erasure of personal data.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Hellenic Data Protection Authority (HDPA)",
    "language": "en"
  },
  {
    "id": "ETid-485",
    "title": "GDPR Fine: Twitter International Company — Data Protection Authority of Ireland (Ireland)",
    "authors": [
      "Data Protection Authority of Ireland"
    ],
    "date": "2020-12-15",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-485",
    "pdfUrl": "https://edpb.europa.eu/sites/edpb/files/decisions/final_decision_-_in-19-1-1_9.12.2020.pdf",
    "doi": "",
    "abstract": "Fine: €450,000 | Articles: Art. 33 (1), (5) GDPR | Insufficient fulfilment of data breach notification obligations | The Irish DPA (DPC) fined Twitter International Company EUR 450,000 for violating Art. 33 (1) GDPR and Art. 33 (5) GDPR for failing to notify the DPA in a timely manner of a data breach and not adequately documenting that breach.  \nThe data breach concerned the privacy settings of user posts on the social media platform Twitter. There, users have the option to set the visibility of their posts to private or public. Private posts can only be seen by subscribers of the respective user profile, while public posts are visible to the public. A programming bug in Twitter's Android app resulted in some private posts being visible to the public. The DPA found that Twitter had not properly fulfilled its reporting and documentation obligations. Twitter's legal team became aware of the error on January 2nd, 2019, and it was not until January 8th that the company informed the DPC. Consequently, the company failed to inform the DPC within the 72-hour period required by Art. 33 (1) GDPR. Furthermore, it had failed to adequately document the incident in accordance with Art. 33 (5) GDPR.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Data Protection Authority of Ireland",
    "language": "en"
  },
  {
    "id": "ETid-486",
    "title": "GDPR Fine: Uppsalahem AB — Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) (Sweden)",
    "authors": [
      "Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)"
    ],
    "date": "2020-12-15",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-486",
    "pdfUrl": "https://www.datainspektionen.se/globalassets/dokument/beslut/2020-12-14-beslut-tillsyn-uppsalahem.pdf",
    "doi": "",
    "abstract": "Fine: €29,500 | Articles: Art. 5 GDPR, Art. 6 (1) f) GDPR | Insufficient legal basis for data processing | The Swedish DPA (Integritetsskyddsmyndigheten) fined the housing company Uppsalahem AB SEK 300,000 (EUR 29,500). The housing company had installed surveillance cameras in an apartment building to monitor one floor after disturbances and security incidents occurred. The cameras not only monitored the staircase, but also the front door of a resident. Therefore, when the door was opened, the inside of the apartment was also captured by the video surveillance. While the company may have had a legitimate interest in the video surveillance, this is outweighed by the residents' right to privacy.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)",
    "language": "en"
  },
  {
    "id": "ETid-501",
    "title": "GDPR Fine: Towarzystwo Ubezpieczeń i Reasekuracji WARTA S.A. — Polish National Personal Data Protection Office (UODO) (Poland)",
    "authors": [
      "Polish National Personal Data Protection Office (UODO)"
    ],
    "date": "2020-12-28",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-501",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €18,930 | Articles: Art. 33 (1) GDPR, Art. 34 (1) GDPR | Insufficient fulfilment of data breach notification obligations | The Polish DPA (UODO) fined Towarzystwo Ubezpieczeń i Reasekuracji WARTA S.A. EUR 18,930 for a breach of Art. 33 (1) GDPR and Art. 34 (1) GDPR. \nIn May 2020, the DPA received a notification from a third party about a personal data breach involving an insurance agent acting as a processing agent for Towarzystwo Ubezpieczeń i Reasekuracji WARTA S.A. who sent an insurance policy to an unauthorized addressee by email. The document contained personal data concerning, among others, surnames, first names, residential addresses and information on the subject of the insurance policy. \nAs a result, the supervisory authority asked the controller to clarify whether, regarding the sending of the electronic correspondence to an unauthorized addressee, a risk analysis on the data security of natural persons had been carried out, which is necessary to evaluate whether a data breach had occurred. Such a breach requires notification to the DPA and the individuals affected by the breach. In the letter, the supervisory authority advised the controller how to notify the breach and asked for explanations.\nDespite the letter requesting explanations, the controller did not report the data breach nor did it inform the data subjects about the incident. The DPA therefore initiated administrative proceedings. Only as a result of the initiation of the procedure did the controller report the personal data breach and inform two individuals affected by the breach.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Polish National Personal Data Protection Office (UODO)",
    "language": "en"
  },
  {
    "id": "ETid-510",
    "title": "GDPR Fine: TUiR Warta S.A. — Polish National Personal Data Protection Office (UODO) (Poland)",
    "authors": [
      "Polish National Personal Data Protection Office (UODO)"
    ],
    "date": "2020-12-09",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-510",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €18,850 | Articles: Art. 33 (1) GDPR, Art. 34 (1) GDPR | Insufficient fulfilment of data breach notification obligations | An insurance agent hired by the controller had sent an email to unauthorized third parties in regard to insurance policies that contained personal data of two of the company's customers after they had mistakenly provided false email addresses. The leaked data included data such as the names, email addresses and postal addresses of the data subjects. The controller had informed neither the Polish DPA nor the data subjects about the data breach in a timely manner within 72 hours. The controller believed that there was no breach requiring notification because the data subjects themselves had mistakenly provided incorrect e-mail addresses. The Polish DPA states that this circumstance does not release the controller from its obligation to report this data breach in a timely manner.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Polish National Personal Data Protection Office (UODO)",
    "language": "en"
  },
  {
    "id": "ETid-527",
    "title": "GDPR Fine: Śląski Uniwersytet Medyczny (Medical University of Silesia) — Polish National Personal Data Protection Office (UODO) (Poland)",
    "authors": [
      "Polish National Personal Data Protection Office (UODO)"
    ],
    "date": "2021-01-05",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-527",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €5,500 | Articles: Art. 33 (1) GDPR, Art. 34 (1) GDPR | Insufficient fulfilment of data breach notification obligations | The Polish DPA (UODO) imposed a fine of PLN 25,000 (EUR 5,500) on the Medical University of Silesia. In the course of exams held in the form of videoconferences at the end of May 2020, identification of students took place. Once the exam was completed, the recordings of the exams were available not only to the examinees, but also to other people with access to the system. In addition, any outsider could access the records of the examinations and the data of the examined students presented during identification via a direct link. The University failed to report the data breach to the DPA and notify the data subjects.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Polish National Personal Data Protection Office (UODO)",
    "language": "en"
  },
  {
    "id": "ETid-539",
    "title": "GDPR Fine: Azienda Unità Sanitaria Locale Toscana Sud Est — Italian Data Protection Authority (Garante) (Italy)",
    "authors": [
      "Italian Data Protection Authority (Garante)"
    ],
    "date": "2020-12-17",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-539",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €100,000 | Articles: Art. 5 (1) f) GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 28 GDPR, Art. 30 GDPR, Art. 32 GDPR, Art. 35 GDPR | Non-compliance with general data processing principles | The Italian DPA (Garante) imposed a fine of EUR 100,000 on Azienda USL Toscana Sud Est. The controller is a company in the healthcare sector that, among other things, launched the so-called 'Sanità di iniziativa' (Health Initiative) program. Within the framework of this program, participating healthcare companies transmit data on chronically ill patients to the controller. On the basis of this data, the controller then develops health plans for the patients.\nThe Italian DPA notes several violations of data protection provisions related to this program. \nFor example, when giving consent to the processing of their data, the data subjects were not adequately informed about how long their data would be stored, what rights they had (in particular their rights of complaint and access), and how exactly their data would be processed and for what purpose. In addition, the controller had not kept a register of processing activities. Finally, the controller had neither implemented adequate technical and organizational measures to protect the processing nor conducted a data protection impact assessment, although this would have been necessary due to the nature of the data processed (health data).",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Italian Data Protection Authority (Garante)",
    "language": "en"
  },
  {
    "id": "ETid-571",
    "title": "GDPR Fine: Nacionaliniam visuomenės sveikatos centrui (NVSC) — Lithuanian Data Protection Authority (VDAI) (Lithuania)",
    "authors": [
      "Lithuanian Data Protection Authority (VDAI)"
    ],
    "date": "2021-02-26",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-571",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €12,000 | Articles: Art. 5 (1), (2) GDPR, Art. 13 GDPR, Art. 24 GDPR, Art. 32 GDPR, Art. 35 GDPR, Art. 58 (2) f) GDPR | Non-compliance with general data processing principles | The Lithuanian DPA (VDAI) imposed a fine of EUR 12,000 on the Lithuanian National Health Service (NVSC). The DPA had opened an investigation regarding a quarantine app introduced in Lithuania during the COVID-19 pandemic in spring 2020. The IT company 'IT sprendimai sėkmei' had developed the app, which was then used by the NVSC. \nIn the course of the investigation, the DPA found that during the app's period of use, the data of a total of 677 individuals had been processed in varying degrees. The app was able to collect data such as the name, address and phone number of the data subjects. The DPA concluded that the controller had not taken sufficient technical and organizational measures to protect the data processing. Furthermore, a data protection impact assessment was not carried out, although this would have been necessary in particular because the app also processed special categories of personal data including health data. The DPA further stated that the controller had provided non-transparent and incorrect information in the app's privacy policy.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Lithuanian Data Protection Authority (VDAI)",
    "language": "en"
  },
  {
    "id": "ETid-572",
    "title": "GDPR Fine: IT sprendimai sėkmei — Lithuanian Data Protection Authority (VDAI) (Lithuania)",
    "authors": [
      "Lithuanian Data Protection Authority (VDAI)"
    ],
    "date": "2021-02-26",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-572",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €3,000 | Articles: Art. 5 (1), (2) GDPR, Art. 13 GDPR, Art. 24 GDPR, Art. 32 GDPR, Art. 35 GDPR, Art. 58 (2) f) GDPR | Non-compliance with general data processing principles | The Lithuanian DPA (VDAI) imposed a fine of EUR 3,000 on the company 'IT sprendimai sėkmei'. The DPA had opened an investigation regarding a quarantine app introduced in Lithuania during the COVID-19 pandemic in spring 2020. The controller had developed the app, which was then used by the Lithuanian National Health Service. \nIn the course of the investigation, the DPA found that during the app's period of use, the data of a total of 677 individuals had been processed in varying degrees. The app was able to collect data such as the name, address and phone number of the data subjects. The DPA concluded that the controller had not taken sufficient technical and organizational measures to protect the data processing. Furthermore, a data protection impact assessment was not carried out, although this would have been necessary in particular because the app also processed special categories of personal data including health data. The DPA further stated that the controller had provided non-transparent and incorrect information in the app's privacy policy.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Lithuanian Data Protection Authority (VDAI)",
    "language": "en"
  },
  {
    "id": "ETid-591",
    "title": "GDPR Fine: Istituto Nazionale Previdenza Sociale (INPS) — Italian Data Protection Authority (Garante) (Italy)",
    "authors": [
      "Italian Data Protection Authority (Garante)"
    ],
    "date": "2021-02-25",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-591",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €300,000 | Articles: Art. 5 (1) a), c), d) GDPR, Art. 25 GDPR, Art. 35 GDPR | Non-compliance with general data processing principles | Original fine summary: The Italian DPA (Garante) imposed a fine of EUR 300,000 on the Istituto Nazionale Previdenza Sociale (INPS). The Italian National Institute for Social Security had been tasked with anti-fraud investigations related to COVID-19 relief funds. After press reports raised problems with the institute's data processing practices around the application review of politicians, the Italian DPA opened an investigation against INPS in August 2020. During that investigation, the DPA identified several violations. \n\nThe controller had collected data on tens of thousands of politicians from public sources and cross-checked it with data from applicants. In doing so, however, the controller had failed to ensure that data was collected only from those politicians who were eligible to receive the assistance funds. In doing so, the controller violated the principles of lawfulness, fairness, and transparency as set out in the GDPR.\n\nFurthermore, the controller had violated the principle of data minimization by initiating checks on reimbursements even for individuals whose applications had been rejected and who had therefore never received payments.\n\nFurthermore, the controller had not adequately assessed the risks associated with a data processing operation as sensitive as that on applications for social benefits, since it had not carried out an impact assessment on the rights and freedoms of the data subjects. Update: Following an appeal presented by INPS the judge of the XVIII civil section of the Court of Rome annulled the fine of EUR 300,000.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Italian Data Protection Authority (Garante)",
    "language": "en"
  },
  {
    "id": "ETid-599",
    "title": "GDPR Fine: Ministero dello Sviluppo Economico — Italian Data Protection Authority (Garante) (Italy)",
    "authors": [
      "Italian Data Protection Authority (Garante)"
    ],
    "date": "2021-02-11",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-599",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €75,000 | Articles: Art. 5 (1) a), b), c) GDPR, Art. 6 (1) c), e) GDPR, Art. 6 (2) GDPR, Art. 6 (3) b) GDPR, Art. 37 (1), (7) GDPR | Non-compliance with general data processing principles | The Italian DPA (Garante) has fined the Ministry of Economic Development (Ministero dello Sviluppo Economico) EUR 75,000 for failing to appoint a data protection officer by May 28, 2018, and for publishing personal data of more than five thousand managers on its website. \nIn Italy, small and medium-sized companies that had previously received a relevant voucher could book advice on technological and digital processes from experienced business professionals, through the controller. The Italian DPA launched an investigation against the controller after it became known that personal data of more than five thousand managers who had made themselves available for corresponding consultations were freely accessible on its website. The personal data, such as name, tax number, e-mail, full CV and in some cases a copy of the identity card and health card of the data subjects, was publicly visible and could be freely downloaded.  On the website, it was also possible to download the directorate resolution that had approved the list, which included the data and information of all the directors. The DPA found that the processing was unlawful and that the directorate resolution referred to by the controller did not constitute an adequate legal basis for the disclosure of online data.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Italian Data Protection Authority (Garante)",
    "language": "en"
  },
  {
    "id": "ETid-634",
    "title": "GDPR Fine: Ιγνατιάδης Νικόλαος και ΣΙΑ Ε.Ε. — Hellenic Data Protection Authority (HDPA) (Greece)",
    "authors": [
      "Hellenic Data Protection Authority (HDPA)"
    ],
    "date": "2020-04-07",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-634",
    "pdfUrl": "https://www.dpa.gr/sites/default/files/2021-04/12_2021anonym.pdf",
    "doi": "",
    "abstract": "Fine: €2,000 | Articles: Art. 5 (1) c) GDPR, Art. 6 (1) f) GDPR | Non-compliance with general data processing principles | The Hellenic DPA (HDPA) has imposed a fine of EUR 2,000 on Ιγνατιάδης Νικόλαος και ΣΙΑ Ε.Ε. The controller had installed surveillance cameras covering areas where its employees were present. The controller claims that the cameras were installed for security purposes, as there had been incidents of theft in the past. Considering this, the surveillance system was intended to detect people entering the facilities. However, during the DPA's investigation, it was found that the camera installation was not limited to areas necessary for the protection of property. The DPA recognized this as a violation of the principle of data minimization.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Hellenic Data Protection Authority (HDPA)",
    "language": "en"
  },
  {
    "id": "ETid-710",
    "title": "GDPR Fine: Radiotelevisión del principado de Asturias — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2021-06-07",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-710",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00261-2020.pdf",
    "doi": "",
    "abstract": "Fine: €19,600 | Articles: Art. 5 (1) c) GDPR, Art. 12 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 26,000 on Radiotelevisión del principado de Asturias. The fine consists of EUR 20,000 due to a violation of Art. 5 (1) c) GDPR and EUR 6,000 due to a violation of Art. 12 GDPR. The fine was based on the fact that the controller installed a video surveillance system totaling 14 video cameras and monitoring the business premises. The controller states that the cameras were installed for the purpose of security of the premises. However, the cameras captured the employees' offices in a way that was not necessary for this purpose. For example, one camera also captured a considerable part of the employees' recreation room. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. The fine was reduced to EUR 19,600 due to timely payment and admission of guilt.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-731",
    "title": "GDPR Fine: PURPLE SEA MΟΝΟΠΡΟΣΩΠΗ ΙΚΕ — Hellenic Data Protection Authority (HDPA) (Greece)",
    "authors": [
      "Hellenic Data Protection Authority (HDPA)"
    ],
    "date": "2021-06-03",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-731",
    "pdfUrl": "https://www.dpa.gr/sites/default/files/2021-06/23_2021anonym.pdf",
    "doi": "",
    "abstract": "Fine: €15,000 | Articles: Art. 5 (1) a), b) GDPR, Art. 5 (2) GDPR | Non-compliance with general data processing principles | The Hellenic DPA has fined PURPLE SEA MΟΝΟΠΡΟΣΩΠΗ ΙΚΕ EUR 15,000 due to the illegal installation and operation of a video surveillance system. The controller had installed a video surveillance system in the office premises without informing the employees about it, thus violating the principles of legality, fairness, transparency, purpose limitation and accountability.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Hellenic Data Protection Authority (HDPA)",
    "language": "en"
  },
  {
    "id": "ETid-732",
    "title": "GDPR Fine: UAB VS FITNESS — Lithuanian Data Protection Authority (VDAI) (Lithuania)",
    "authors": [
      "Lithuanian Data Protection Authority (VDAI)"
    ],
    "date": "2021-06-21",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-732",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €20,000 | Articles: Art. 5 (1) a), c) GDPR, Art. 9 (1) GDPR, Art. 13 (1), (2) GDPR, Art. 30 GDPR, Art. 35 (1) GDPR | Non-compliance with general data processing principles | The Lithuanian DPA (VDAI) has imposed a fine of EUR 20,000 on UAB VS FITNESS. After receiving a notification from an individual stating that scanning a fingerprint was necessary to use the services of a sports club owned by the controller, the DPA started an investigation against the controller. The DPA's review found that the consent given by customers to have their fingerprint patterns processed was not voluntary as there were no other identification measures. In addition, the DPA found that the controller also unlawfully processed employees' fingerprints. The controller also failed to set out for what purpose and on what legal basis it processed the employees' biometric data. It also did not conduct a data protection impact assessment and did not demonstrate the necessity and proportionality of the processing of the employees' fingerprints. Furthermore, the DPA finds that the controller did not comply with its information obligations pursuant to Art. 13 GDPR.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Lithuanian Data Protection Authority (VDAI)",
    "language": "en"
  },
  {
    "id": "ETid-733",
    "title": "GDPR Fine: Storstockholms Lokaltrafik — Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) (Sweden)",
    "authors": [
      "Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)"
    ],
    "date": "2021-06-21",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-733",
    "pdfUrl": "https://www.imy.se/globalassets/dokument/beslut/2021/2021-06-21-beslut-sl.pdf",
    "doi": "",
    "abstract": "Fine: €1,600,000 | Articles: Art. 5 (1) a), c) GDPR, Art. 6 (1) f) GDPR, Art. 13 GDPR | Insufficient legal basis for data processing | The Swedish DPA has fined Storstockholms Lokaltrafik (Stockholm Local Transport Company) EUR 1,600,000. \nThe controller had equipped ticket inspectors with body-worn cameras, which were designed to prevent threatening situations, document incidents, and ensure that the right person was fined for traveling on Stockholm's public transportation without a valid ticket.\nTicket inspectors were required to keep the camera on for their entire shift and were therefore able to film all passengers who passed the inspector. Since several hundred thousand people use public transportation in Stockholm every day, a large number of people were thus at risk of being monitored by video and audio recordings.\n\nThe DPA believes that body-worn camera technology could be used to prevent and document threatening situations, but that the pre-recording time should be reduced to a maximum of 15 seconds, as a longer pre-recording time is not necessary to achieve the above-mentioned purposes. Furthermore the DPA found that audio recordings did not contribute to the identification of persons without a valid ticket. The DPA therefore considered the audio recordings to be a violation of the principles of legality and transparency as well as data minimization. The DPA also criticized the controller for not providing sufficient information about the camera surveillance, including the fact that not only images but also sounds were recorded.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)",
    "language": "en"
  },
  {
    "id": "ETid-740",
    "title": "GDPR Fine: Huppuís ehf — Icelandic data protection authority ('Persónuvernd') (Iceland)",
    "authors": [
      "Icelandic data protection authority ('Persónuvernd')"
    ],
    "date": "2021-06-15",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-740",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €34,000 | Articles: Art. 5 (1) a), c) GDPR, Art. 6 (1) GDPR, Art. 12 (1) GDPR, Art. 13 (1), (2) GDPR | Non-compliance with general data processing principles | The Icelandic DPA (Persónuvernd) has imposed a fine of EUR 34,000 on Huppuís ehf. A former employee filed a complaint against the controller with the DPA. The reason for this was the camera surveillance installed by the controller. During their shifts, the controller's employees wore clothing provided by the controller. However, the designated changing room of the store was a storage room in which large quantities of cleaning materials were stored. Due to a lack of sufficient space in this room, the employees (mostly minors) had to change in the general employee area, which was covered by a video camera. The controller stated that they had installed the video camera for security purposes. The DPA concluded that the controller had a legitimate interest in the video surveillance, but that the interests of the mostly underage employees must also be taken into account. The controller should have tried to implement less restrictive measures. In addition, the DPA underlined that the information on video surveillance was inadequate in both the employee and customer service areas. In determining the amount of the fine, the fact that a large number of the data subjects were minors was taken into account as an aggravating factor.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Icelandic data protection authority ('Persónuvernd')",
    "language": "en"
  },
  {
    "id": "ETid-741",
    "title": "GDPR Fine: Sopockie Towarzystwo Ubezpieczeń ERGO Hestia S.A. — Polish National Personal Data Protection Office (UODO) (Poland)",
    "authors": [
      "Polish National Personal Data Protection Office (UODO)"
    ],
    "date": "2021-06-21",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-741",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €35,300 | Articles: Art. 33 (1) GDPR, Art. 34 (1) GDPR | Insufficient fulfilment of data breach notification obligations | The controller had sent an email that contained personal data of a customer to the wrong recipient. The leaked data included data such as the name, postal address of the data subject and insurance details. In this context the controller had informed neither the Polish DPA nor the data subjects about the data breach in a timely manner within 72 hours.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Polish National Personal Data Protection Office (UODO)",
    "language": "en"
  },
  {
    "id": "ETid-746",
    "title": "GDPR Fine: Nordbornholms Byggeforretning Aps — Danish Data Protection Authority (Datatilsynet) (Denmark)",
    "authors": [
      "Danish Data Protection Authority (Datatilsynet)"
    ],
    "date": "2021-07-07",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-746",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €53,800 | Articles: Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Danish DPA (Datatilsynet) has imposed a fine of EUR 53,800 on Nordbornholms Byggeforretning Aps. \n\nIn 2018, the DPA was contacted by a data subject who complained that his former employer, Nordbornholms Byggeforretning ApS, had disclosed information about him to the company's customers.\n\nThe controller had emailed two of the company's customers informing them that the former employee had committed crimes in the course of employment and had admitted to committing them, as well as describing in detail the alleged course of events. \n\nAccording to the DPA, the controller in such a case had a legitimate interest in disclosing information about the former employee's dismissal to its customers and in informing the customers that, as a result, the employee could not enter into any contracts on behalf of the company. However, such a detailed description of the allegations was not necessary and thus unlawful.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Danish Data Protection Authority (Datatilsynet)",
    "language": "en"
  },
  {
    "id": "ETid-769",
    "title": "GDPR Fine: Fundację Promocji Mediacji i Edukacji Prawnej Lex Nostra — Polish National Personal Data Protection Office (UODO) (Poland)",
    "authors": [
      "Polish National Personal Data Protection Office (UODO)"
    ],
    "date": "2021-06-30",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-769",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €3,000 | Articles: Art. 33 (1) GDPR, Art. 34 (1) GDPR | Insufficient fulfilment of data breach notification obligations | The Polish DPA (UODO) has imposed a fine of EUR 3,000 on the Fundację Promocji Mediacji i Edukacji Prawnej Lex Nostra Foundation for the promotion of mediation and legal education. The controller had not immediately informed the DPA and the data subjects about a personal data breach. Several folders containing personal data had been stolen from the controller in early 2020. These included the names, addresses and telephone numbers, and in 3 to 4 cases also the PESEL numbers (Polish identification number) of 96 data subjects.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Polish National Personal Data Protection Office (UODO)",
    "language": "en"
  },
  {
    "id": "ETid-776",
    "title": "GDPR Fine: Monsanto Company — French Data Protection Authority (CNIL) (France)",
    "authors": [
      "French Data Protection Authority (CNIL)"
    ],
    "date": "2021-07-26",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-776",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €400,000 | Articles: Art. 14 GDPR, Art. 28 GDPR | Insufficient fulfilment of information obligations | The French DPA (CNIL) has fined MONSANTO EUR 400,000.\n\nIn May 2019, several media revealed that MONSANTO was in possession of a file containing the personal data of more than 200 political figures or members of civil society (e.g. journalists, environmental activists, scientists or farmers) likely to influence the debate or public opinion on the renewal of the authorization of glyphosate in Europe. At the same time, the CNIL received seven complaints from data subjects affected by this file.\n\nFor each of these individuals, the file contained information such as the organization they belonged to, the position they held, their business address, their business phone number, their cell phone number, their business email address, and in some cases their Twitter account. In addition, CNIL noted that each person was assigned a score from 1 to 5 to evaluate their influence, credibility, and support for Monsanto on various issues.\n\nThe DPA believes that the company violated the provisions of the GDPR by not informing the data subjects that their data was stored in this file. In addition, the CNIL complained that the company had not given the contractual guarantees that should normally regulate the relationship with a subcontractor. \n\nThe creation of contact files by stakeholders for lobbying purposes is not illegal in itself. However, CNIL stressed that data subjects nevertheless have the right to be informed of the existence of the file in order to exercise additional rights, in particular the right to object. \n\nIn addition, the CNIL found that the data collection was carried out by a provider contracted by Monsanto and that Monsanto violated Article 28 of the General Data Protection Regulation by not including in its contracts with the data processor the provisions foreseen in the GDPR, in particular regarding data security.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: French Data Protection Authority (CNIL)",
    "language": "en"
  },
  {
    "id": "ETid-783",
    "title": "GDPR Fine: PODEMOS PARTIDO POLÍTICO — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2021-07-27",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-783",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00277-2021.pdf",
    "doi": "",
    "abstract": "Fine: €2,400 | Articles: Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine on the political party PODEMOS PARTIDO POLÍTICO. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. Due to voluntary payment and acknowledgement of guilt, the original fine in the amount of EUR 4,000 was reduced to EUR 2,400.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-846",
    "title": "GDPR Fine: Vattenfall Europe Sales GmbH — Data Protection Authority of Hamburg (Germany)",
    "authors": [
      "Data Protection Authority of Hamburg"
    ],
    "date": "2021-09-24",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-846",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €900,000 | Articles: Art. 12 GDPR, Art. 13 GDPR | Insufficient data processing agreement | The DPA from Hamburg has imposed a fine of EUR 900,000 on Vattenfall Europe Sales GmbH. The fine is related to data matching, which the controller had carried out in the period from August 2018 to December 2019 in the course of contract inquiries for special contracts. The special contracts served to attract new customers and were accompanied by bonus payments for the customers. The controller compared personal data of prospective customers who had submitted an inquiry for a special contract with contracts concluded by existing customers. If this revealed that an applicant had already signed a contract with the controller, then switched to another supplier and now wanted to sign a contract again, the controller could reject the application for the special contract if necessary. This was intended to prevent 'bonus shopping', which is not lucrative for the companies. However, the controller had not properly informed the customers that such comparisons would be made. The DPA considered this to be a violation of the company's transparency and information obligations. Around 500,000 people were affected.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Data Protection Authority of Hamburg",
    "language": "en"
  },
  {
    "id": "ETid-874",
    "title": "GDPR Fine: Ciechi Ardizzone Gioeni di Catania — Italian Data Protection Authority (Garante) (Italy)",
    "authors": [
      "Italian Data Protection Authority (Garante)"
    ],
    "date": "2021-09-16",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-874",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €5,000 | Articles: Art. 5 (1) a), c) GDPR, Art. 12 (1) GDPR, Art. 13 GDPR, Art. 35 GDPR | Non-compliance with general data processing principles | The Italian DPA (Garante) has imposed a fine of EUR 5,000 on the Ciechi Ardizzone Gioeni di Catania residential home for blind people. A visitor to the residence filed a complaint with the DPA. He based this on an installed video surveillance system in the accommodation. The video surveillance system recorded, among other things, the corridor connecting the accommodation with the communal showers. Moreover, the footage was not only recorded but also displayed in real time on the monitors of the concierge staff, creating the risk that the images could also be inadvertently seen by visitors or suppliers. During the course of the investigation, the institution's administration justified the installation of the video surveillance system by citing the need to prevent theft and ensure the health of residents by preventing unauthorized access during the pandemic period. \n\nThe DPA found that the institute thereby violated the principles of lawfulness, transparency and data minimization. The fact that, as claimed by the institute, the passage of the guests to the shower rooms was filmed only occasionally and for a short duration, and that the quality of the recordings was not 'perfectly clear,' does not resolve the unlawfulness of the recordings. Also, the DPA noted that some procedural precautions - such as scheduling time windows to turn off the cameras to allow guests to visit the shower rooms without being filmed, or temporarily ensuring the security of the locations through alternative measures, such as the use of security personnel - may allow the institute to pursue the purpose of the video surveillance in an equally effective manner and avoid unjustifiably restricting the freedoms of the data subjects.\n\nFurthermore, the DPA found that the institute had not properly fulfilled its duty to inform. The institute had only provided the data subjects with detailed information about the video surveillance system on the bulletin board after the investigation had begun. However, this type of information is not suitable for visually impaired people. The institute should have provided the residents with a pre-recorded audio message that could be played back if necessary.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Italian Data Protection Authority (Garante)",
    "language": "en"
  },
  {
    "id": "ETid-887",
    "title": "GDPR Fine: SERVICIOS LOGÍSTICOS MARTORELL SIGLO XXI, S.L. — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2021-10-26",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-887",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00050-2021.pdf",
    "doi": "",
    "abstract": "Fine: €16,000 | Articles: Art. 35 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine on SERVICIOS LOGÍSTICOS MARTORELL SIGLO XXI, S.L.. The company had installed five terminals with a fingerprint control system to record its employees' working hours. In doing so, the company had failed to conduct a data protection impact assessment. The AEPD found a violation of Art. 35 GDPR for this reason. The original fine of EUR 20,000 was reduced to EUR 16,000 due to voluntary payment.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-910",
    "title": "GDPR Fine: Régie autonome des transports parisiens — French Data Protection Authority (CNIL) (France)",
    "authors": [
      "French Data Protection Authority (CNIL)"
    ],
    "date": "2021-11-04",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-910",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €400,000 | Articles: Art. 5 (1) c) GDPR, Art. 5 (1) e) GDPR, Art. 5 (2) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The French DPA (CNIL) imposed a fine of EUR 400,000 on RATP (the operator of the public transport system in Paris). In May 2020, a trade union filed a complaint with the CNIL alleging that the number of strike days taken by staff was included in files used to prepare promotion decisions. The CNIL then conducted investigations in several RATP bus centers. These led to confirmation of this practice in three RATP bus centers. The CNIL indicated that files for evaluating performance and promotion prospects should only contain data necessary for evaluating employees. In particular, it was sufficient to indicate the total number of days of absence without the need to go into detail and distinguish the days associated with the exercise of the right to strike. It found that the use of data on the number of days staff members were on strike was not necessary for these purposes, and that the RATP thus violated the principle of data minimization set forth in Article 5 (1) (c) GDPR. In addition, the DPA found that the RATP had excessively retained many of its employees' data. Indeed, the RATP kept files on the evaluation of staff members for more than three years after the promotion commission, although their retention was only required for 18 months after the holding of these commissions. Further, CNIL found that RATP did not adequately differentiate between staff authorization levels, allowing more staff than necessary to access certain data. For this reason, CNIL concluded that RATP failed in its duty to implement appropriate technical and organizational measures to ensure a level of protection appropriate to the risk.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: French Data Protection Authority (CNIL)",
    "language": "en"
  },
  {
    "id": "ETid-916",
    "title": "GDPR Fine: Icelandic Ministry of Industry and Innovation — Icelandic data protection authority ('Persónuvernd') (Iceland)",
    "authors": [
      "Icelandic data protection authority ('Persónuvernd')"
    ],
    "date": "2021-11-23",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-916",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €51,000 | Articles: Art. 5 GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 13 GDPR, Art. 25 GDPR, Art. 28 GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Icelandic Data Protection Authority has imposed a fine of EUR 51,000 on the Ministry of Industry and Innovation and a fine of EUR 27,200 on YAY ehf. \n\nThe fine is related to a campaign by the ministry to encourage Icelanders to travel domestically in the summer of 2020. This involved a digital gift voucher that could be obtained through the app of the company YAY ehf.  \nThe DPA received a number of complaints regarding the fact that the use of the travel gift required extensive personal information and access to users' phones. As a result, the DPA launched investigations against the ministry and the company. \nThe DPA found that the ministry had violated the principle of legality and transparency.\nParticipating individuals were only required to agree to the General Terms of Use of the YAY app in order to participate in the voucher promotion. However, the DPA found that by doing so, the data subjects had not expressly consented to the processing of their personal data carried out as part of the promotion. \nThe DPA also found that the information provided about the actual processing of personal data was insufficient. \nMoreover, neither the ministry nor YAY ehf. had implemented appropriate technical and organizational measures to ensure the security of the processing of personal data. \nAlso, due to a configuration error on the part of YAY, more data than necessary was processed, which is why the DPA found a violation of the principle of data minimization.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Icelandic data protection authority ('Persónuvernd')",
    "language": "en"
  },
  {
    "id": "ETid-990",
    "title": "GDPR Fine: Greek Ministry of Tourism — Hellenic Data Protection Authority (HDPA) (Greece)",
    "authors": [
      "Hellenic Data Protection Authority (HDPA)"
    ],
    "date": "2021-12-29",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-990",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €75,000 | Articles: Art. 13 GDPR, Art. 32 GDPR, Art. 33 GDPR, Art. 37 GDPR | Insufficient technical and organisational measures to ensure information security | The Hellenic DPA has imposed a fine of EUR 75,000 on the Greek Ministry of Tourism. A data breach had occurred at the authority. According to the DPA, an attempt by a citizen to enter his or her credentials on the authority's online platform resulted in the display of someone else's credentials, including full name, tax number, social security number, postal address, phone number, email address, and fields indicating a disability. The DPA found that the ministry failed to implement adequate technical and organizational measures to secure personal data. \nThe ministry failed to report the incident to the DPA. The DPA considered this to be a violation of Article 33 of the GDPR. \nThe DPA's investigation also found that the Ministry of Tourism had not appointed a data protection officer, even though an email address of the authority's data protection officer was provided on the above-mentioned platform for communication with users of the platform. This email address, as it turned out, was not active.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Hellenic Data Protection Authority (HDPA)",
    "language": "en"
  },
  {
    "id": "ETid-995",
    "title": "GDPR Fine: Lisbon City Council — Portuguese Data Protection Authority (CNPD) (Portugal)",
    "authors": [
      "Portuguese Data Protection Authority (CNPD)"
    ],
    "date": "2021-12-21",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-995",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €1,250,000 | Articles: Art. 5 (1) a), c), e) GDPR, Art. 6 GDPR, Art. 9 (1) a) GDPR, Art. 13 (1), (2) GDPR, Art. 35 (3) GDPR | Insufficient legal basis for data processing | The Portuguese DPA has imposed a fine of EUR 1.25 million on the Lisbon City Council. The fine is the sum of 225 fines from various violations committed by the municipality since 2018. \nThe municipality had sent 111 notifications about demonstrations to various departments and offices within the municipality, as well as to third parties, to ensure that they could properly perform their public duties. The notices contained, among other things, sensitive data of the demonstrators and organizers of the demonstrations. The data revealed, among other things, the political opinion, religious or philosophical beliefs or sexual orientation of the data subjects. The DPA found that the transfer of the data would not have been necessary for the entities to properly perform their public tasks. Thus, the processing took place without a sufficient legal basis. In addition, the DPA found that the municipality had carried out the processing without informing the data subjects, without establishing a policy for the retention of their personal data, and without conducting a data protection impact assessment.\n\n---Update---\nThe Portuguese Constitutional Court rejected the controller's appeal, which argued that the fine was unconstitutional, thus confirming the decision by the DPA.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Portuguese Data Protection Authority (CNPD)",
    "language": "en"
  },
  {
    "id": "ETid-1008",
    "title": "GDPR Fine: Property Owner Community — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2022-01-21",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1008",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00518-2021.pdf",
    "doi": "",
    "abstract": "Fine: €1,200 | Articles: Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has fined a property owners' community EUR 1,200. A property manager had sent a copy of the general meeting minutes to the director of the security company 'CMM Seguridad'. The said document contains the names and addresses of residents, a list of defaulters and the accounts with all income and expenses of the community. \n\nAccording to the controller, the purpose of sending the minutes in question to the security company was to inform them about the members of the Board of Directors appointed at the respective ordinary general meeting. Therefore, the controller should have limited itself to providing only this information or to transmitting the minutes document after it had been duly anonymized.\n\nFor this reason, the DPA notes that the transmission of the full minutes would not have been necessary. \nAs a result, the controller violated the principle of data minimization.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-1009",
    "title": "GDPR Fine: Limerick City and County Council — Data Protection Authority of Ireland (Ireland)",
    "authors": [
      "Data Protection Authority of Ireland"
    ],
    "date": "2021-12-09",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1009",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €110,000 | Articles: Art. 13 GDPR, Art. 12 GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Irish DPA has fined Limerick City and County Council EUR 110,000. As part of an investigation, the DPA conducted an audit of the processing of personal data by the council or on its behalf using video surveillance systems, automatic license plate recognition, body-worn cameras and other technologies that can be used to monitor individuals. In doing so, it found that the Council had violated a number of data protection laws in its use of the technologies. However, the fine was issued due to GDPR violations. \n\nThe DPA found that the Council violated Art. 13 GDPR in relation to the processing of data by traffic cameras. The Council had failed to provide information on the identity of the data controller, the contact details of the data protection officer, the purposes of the processing and the bodies from which further information required under Art. 13 GDPR may be obtained. In addition, the Council failed to provide this information in an easily accessible manner such as on signs near the cameras.\n\nFurther, the DPA concluded that the Council failed to post a video surveillance policy in clear and plain language as well as in an easily accessible area of the Council's website. The DPA thus found an infringement of Art. 12 GDPR. \n\nLastly, the Council has denied requests for access to personal data processed by surveillance cameras used in traffic management. For this reason, the DPA found that the Council violated Art. 15 GDPR.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Data Protection Authority of Ireland",
    "language": "en"
  },
  {
    "id": "ETid-1209",
    "title": "GDPR Fine: Restaurant — Data Protection Authority of Hessen (Germany)",
    "authors": [
      "Data Protection Authority of Hessen"
    ],
    "date": "2021",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1209",
    "pdfUrl": "https://www.datenschutz.saarland.de/fileadmin/user_upload/uds/tberichte/tb29_DS_2020.pdf",
    "doi": "",
    "abstract": "Fine: €170 | Articles: Art. 5 (1) b) GDPR | Non-compliance with general data processing principles | In order to identify a guest who had not paid, several visitors were contacted by employees of a restaurant. For this purpose, the telephone numbers provided by the guests as part of the Covid contact tracing were used. Since the guests had provided their data solely for infection control purposes, the DPA considered the contacting for the purpose of identifying the guest to be a violation of the principle of purpose limitation (Art. 5 (1) b) GDPR).",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Data Protection Authority of Hessen",
    "language": "en"
  },
  {
    "id": "ETid-1031",
    "title": "GDPR Fine: Restaurant — Data Protection Authority of  Baden-Wuerttemberg (Germany)",
    "authors": [
      "Data Protection Authority of  Baden-Wuerttemberg"
    ],
    "date": "2019-11",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1031",
    "pdfUrl": "https://www.baden-wuerttemberg.datenschutz.de/wp-content/uploads/2021/02/LfDI-BW_36_Ta%CC%88tigkeitsbericht_2020_WEB.pdf",
    "doi": "",
    "abstract": "Fine: €5,000 | Articles: Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | Excessive use of video surveillance in violation of the principle of data minimization.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Data Protection Authority of  Baden-Wuerttemberg",
    "language": "en"
  },
  {
    "id": "ETid-1066",
    "title": "GDPR Fine: Università Telematica Internazionale Uninettuno — Italian Data Protection Authority (Garante) (Italy)",
    "authors": [
      "Italian Data Protection Authority (Garante)"
    ],
    "date": "2021-12-16",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1066",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €1,000 | Articles: Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 1,000 on Università Telematica Internazionale Uninettuno. A professor had filed a complaint with the DPA against the educational institution. The professor had applied for a position at the university and submitted his CV for this purpose. The university then published it without blacking out certain personal data that concerned his personal sphere. The DPA considered this to be a violation of the principle of data minimization.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Italian Data Protection Authority (Garante)",
    "language": "en"
  },
  {
    "id": "ETid-1076",
    "title": "GDPR Fine: Private club 'Ruian' — Italian Data Protection Authority (Garante) (Italy)",
    "authors": [
      "Italian Data Protection Authority (Garante)"
    ],
    "date": "2022-01-27",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1076",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €2,000 | Articles: Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Italian DPA (Garante) has imposed a fine of EUR 2,000 on the private club 'Ruian'. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed about the processing of the data by the video surveillance and thus violated its duty to inform.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Italian Data Protection Authority (Garante)",
    "language": "en"
  },
  {
    "id": "ETid-1085",
    "title": "GDPR Fine: Santander Bank Polska S. A. — Polish National Personal Data Protection Office (UODO) (Poland)",
    "authors": [
      "Polish National Personal Data Protection Office (UODO)"
    ],
    "date": "2022-01-19",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1085",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €117,000 | Articles: Art. 34 (1) GDPR | Insufficient fulfilment of data breach notification obligations | The Polish DPA has fined Santander Bank Polska S.A. EUR 118,000 for failing to notify data subjects of a data breach. \nA former employee of the bank managed to gain unauthorized access to a database for electronic services. Among other things, this allowed numerous Santander customers' data to be accessed. \n\nDue to the high risk for the data of the data subjects, the bank would have been obliged to inform them of the data breach. However, the bank deliberately refrained from doing so and continued to state that it would not comply with this obligation in the future.\n\nThe DPA noted that this constituted a major intrusion for the data subjects, as they did not have the opportunity to take appropriate steps to protect their rights.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Polish National Personal Data Protection Office (UODO)",
    "language": "en"
  },
  {
    "id": "ETid-1090",
    "title": "GDPR Fine: WORLDWIDE CLASSIC CARS NETWORK S.L. — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2022-02-23",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1090",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00545-2021.pdf",
    "doi": "",
    "abstract": "Fine: €1,500 | Articles: Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 1,500 on WORLDWIDE CLASSIC CARS NETWORK S.L.. The controller had installed video surveillance cameras which, among other things, also covered parts of the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller did not comply with its duty to properly inform about the CCTV.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-1097",
    "title": "GDPR Fine: Hörpu tónlistar- og ráðstefnuhúss ohf. — Icelandic data protection authority ('Persónuvernd') (Iceland)",
    "authors": [
      "Icelandic data protection authority ('Persónuvernd')"
    ],
    "date": "2022-03-08",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1097",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €7,000 | Articles: Art. 5 (1) c) GDPR, Art. 6 GDPR | Non-compliance with general data processing principles | The Icelandic DPA has fined Hörpu tónlistar- og ráðstefnuhúss ohf. EUR 7,000. \n\nThe DPA had received a complaint regarding the concert hall's collection of ID number and date of birth information as part of an electronic ticket purchase.\n\nThe incident occurred prior to the start of the Covid-19 pandemic, when the registration of personal data for contact tracking in the context of event visits was not yet required. \nThe DPA concluded that it would not have been necessary to collect the data for issuing a ticket, as it would have been possible to conclude a purchase contract even without this collection. For this reason, the DPA found that the concert hall had violated the principle of data minimization.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Icelandic data protection authority ('Persónuvernd')",
    "language": "en"
  },
  {
    "id": "ETid-1106",
    "title": "GDPR Fine: Danish National Genome Center — Danish Data Protection Authority (Datatilsynet) (Denmark)",
    "authors": [
      "Danish Data Protection Authority (Datatilsynet)"
    ],
    "date": "2022-03-25",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1106",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €6,700 | Articles: Art. 36 GDPR | Insufficient technical and organisational measures to ensure information security | The Danish DPA has imposed a fine of EUR 6,700 on the Danish National Genome Center. \nThe center had conducted a data protection impact assessment that revealed circumstances that could pose a high risk to the rights of data subjects.  \n\nThe DPA imposed the fine because the center had processed personal data without first consulting the DPA, even though the impact assessment had revealed a high risk to data subjects. The center has complied with all the DPA's requests and has shown good cooperation with the authority.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Danish Data Protection Authority (Datatilsynet)",
    "language": "en"
  },
  {
    "id": "ETid-1117",
    "title": "GDPR Fine: Brussels Airport Charleroi — Belgian Data Protection Authority (APD) (Belgium)",
    "authors": [
      "Belgian Data Protection Authority (APD)"
    ],
    "date": "2022-04-04",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1117",
    "pdfUrl": "https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-47-2022.pdf",
    "doi": "",
    "abstract": "Fine: €100,000 | Articles: Art. 5 (1) a), b) GDPR, Art. 6 (1) c) GDPR, Art. 6 (3) GDPR, Art. 9 (2) i) GDPR, Art. 12 (1) GDPR, Art. 13 (1) c) GDPR, Art. 13 (2) e) GDPR, Art. 35 (1), (7) GDPR | Insufficient legal basis for data processing | The Belgian DPA has fined Brussels Airport Charleroi EUR 100,000. \n\nThe DPA had launched an investigation against the airport following media reports about temperature monitoring of persons at the airport. \n\nDue to the Covid-19 pandemic the airport used thermal imaging cameras to filter out people with body temperatures above 38 degrees. Those filtered out were then required to answer questions about possible coronavirus symptoms. \n\nThe DPA particularly noted that the airport did not have a valid legal basis for processing this health data.\n\nHealth data constitute sensitive data according to Art. 9 GDPR. These may only be processed in exceptional cases pursuant to Art. 9 (2) GDPR. \n\nOne such exceptional case is processing on the grounds of public interest in the area of public health. For this, however, the processing must be based on a clear legal norm. In the present case, the processing was based on a protocol which did not meet these requirements. \n\nIn addition, the DPA found deficiencies in the data protection impact assessment. Moreover, the airport failed to properly inform the data subjects about the processing of the data.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Belgian Data Protection Authority (APD)",
    "language": "en"
  },
  {
    "id": "ETid-1131",
    "title": "GDPR Fine: Azienda sanitaria provinciale di Caltanissetta — Italian Data Protection Authority (Garante) (Italy)",
    "authors": [
      "Italian Data Protection Authority (Garante)"
    ],
    "date": "2022-03-10",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1131",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €6,000 | Articles: Art. 5 GDPR, Art. 6 GDPR, Art. 12 GDPR, Art. 15 GDPR, Art. 37 GDPR, Art. 2-ter Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has fined Azienda sanitaria provinciale di Caltanissetta EUR 6,000. The data subject had asked the controller, in the context of legal proceedings, to send any communication regarding this matter only to their personal email inbox. Nevertheless, the controller had sent communications to the data subject's business email address. \n\nIn addition, the data subject had requested access to their data. However, the controller did not properly comply with this request. \n\nIn the course of its investigation, the DPA also found that the health care facility had failed to notify the DPA of the name and contact details of a new data protection officer and to update them on its website.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Italian Data Protection Authority (Garante)",
    "language": "en"
  },
  {
    "id": "ETid-1154",
    "title": "GDPR Fine: City of Reykjavík — Icelandic data protection authority ('Persónuvernd') (Iceland)",
    "authors": [
      "Icelandic data protection authority ('Persónuvernd')"
    ],
    "date": "2022-05-03",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1154",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €36,000 | Articles: Art. 5 GDPR, Art. 6 GDPR, Art. 32 GDPR | Insufficient legal basis for data processing | The Icelandic DPA has imposed a fine of EUR 36,000 on the City of Reykjavík. The city had used the digital education system 'Seesaw' at several schools. The student system processed, among other things, personal data of minor students such as teacher feedback and information about students' private affairs. \nDuring its investigation, the DPA found that the purpose of the processing of the children's data had not been sufficiently clearly defined. In this context, the DPA also found a breach of the principle of proportionality and data minimization. In addition, the DPA concluded that the city had not implemented adequate technical and organizational measures regarding the protection of personal data. This would have been necessary given the high risk that the data might be transferred to and processed in the United States. \nIn determining the fine, mitigating consideration was given to the fact that no damage was caused by the data breaches.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Icelandic data protection authority ('Persónuvernd')",
    "language": "en"
  },
  {
    "id": "ETid-1159",
    "title": "GDPR Fine: Azienda ospedaliera di Perugia — Italian Data Protection Authority (Garante) (Italy)",
    "authors": [
      "Italian Data Protection Authority (Garante)"
    ],
    "date": "2022-04-07",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1159",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €40,000 | Articles: Art. 5 (1) a), f) GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 25 GDPR, Art. 30 GDPR, Art. 32 GDPR, Art. 35 GDPR | Non-compliance with general data processing principles | The Italian DPA (Garante) has fined Azienda ospedaliera di Perugia EUR 40,000. \n\nDuring an investigation at the healthcare facility, the DPA found multiple GDPR violations.\n\nThe DPA's investigation took place as part of a series of inspections dealing with the processing of data in the context of whistleblower systems at employers.\n\nThe healthcare facility used an open source-based whistleblowing web application. However, the application was accessed through systems that were not properly configured. This made it possible to record and store users' browsing data, thus identifying those users and, as such, potential whistleblowers. \n\nWith respect to the processing of personal data, the health facility had failed to inform the employees in advance. \n\nIn addition, the DPA found that the healthcare facility had not conducted a data protection impact assessment and had not registered the processing in the register of processing activities. Thus, no sufficient assessment of the risks to the rights and freedoms of the data subjects had been carried out.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Italian Data Protection Authority (Garante)",
    "language": "en"
  },
  {
    "id": "ETid-1203",
    "title": "GDPR Fine: Esselmann Technika Pojazdowa Sp. z o.o. Sp. k. — Polish National Personal Data Protection Office (UODO) (Poland)",
    "authors": [
      "Polish National Personal Data Protection Office (UODO)"
    ],
    "date": "2022-06-06",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1203",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €3,500 | Articles: Art. 33 GDPR | Insufficient fulfilment of data breach notification obligations | The Polish DPA has fined Esselmann Technika Pojazdowa Sp. z o.o. Sp. k. EUR 3,500. The controller had suffered a data breach during which a certificate of employment containing personal data of an employee got lost. The controller failed to report this data breach to the DPA and thus violated Art. 33 GDPR.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Polish National Personal Data Protection Office (UODO)",
    "language": "en"
  },
  {
    "id": "ETid-1242",
    "title": "GDPR Fine: Zito Auto di Gianfranco Zito — Italian Data Protection Authority (Garante) (Italy)",
    "authors": [
      "Italian Data Protection Authority (Garante)"
    ],
    "date": "2022-05-22",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1242",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €3,000 | Articles: Art. 5 (1) a), c) GDPR, Art. 114 Codice della privacy | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 3,000 on the company Zito Auto di Gianfranco Zito. The company had installed video surveillance cameras which monitored, among other things, public spaces and employees. The DPA considered this to be a violation of the principle of data minimization (Art. 5 (1) c) GDPR).",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Italian Data Protection Authority (Garante)",
    "language": "en"
  },
  {
    "id": "ETid-1246",
    "title": "GDPR Fine: CORPORACIÓN DE RADIO Y TELEVISIÓN ESPAÑOLA S.A. — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2022-06-23",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1246",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00192-2022.pdf",
    "doi": "",
    "abstract": "Fine: €30,000 | Articles: Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on CORPORACIÓN DE RADIO Y TELEVISIÓN ESPAÑOLA S.A. Several media outlets, including the controller had published an audio recording of a multiple rape victim's testimony in court on their websites as well as on Twitter to report on the case. The case had attracted a lot of media attention. During its investigation, the DPA determined that the rape victim's right to privacy outweighed the controller's freedom of information. The audio recordings of the victim did not add any significant value to the reporting, but rather severely compromised the victim's privacy. For this reason, the DPA found that the controller violated the principle of data minimization. The original fine of EUR 50,000 was reduced to EUR 30,000 due to voluntary payment and admission of guilt.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-1247",
    "title": "GDPR Fine: RADIO TELEVISION MADRID, S.A. — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2022-06-23",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1247",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00198-2022.pdf",
    "doi": "",
    "abstract": "Fine: €30,000 | Articles: Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on RADIO TELEVISION MADRID, S.A.. Several media outlets, including the controller had published an audio recording of a multiple rape victim's testimony in court on their websites as well as on Twitter to report on the case. The case had attracted a lot of media attention. During its investigation, the DPA determined that the rape victim's right to privacy outweighed the controller's freedom of information. The audio recordings of the victim did not add any significant value to the reporting, but rather severely compromised the victim's privacy. For this reason, the DPA found that the controller violated the principle of data minimization. The original fine of EUR 50,000 was reduced to EUR 30,000 due to voluntary payment and admission of guilt.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-1290",
    "title": "GDPR Fine: Villabate municipality — Italian Data Protection Authority (Garante) (Italy)",
    "authors": [
      "Italian Data Protection Authority (Garante)"
    ],
    "date": "2022-05-12",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1290",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €6,000 | Articles: Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 37 (1) a) GDPR, Art. 37 (7) GDPR, Art. 38 (6) GDPR | Non-compliance with general data processing principles | The Italian DPA has fined Villabate municipality EUR 6,000. The municipality had disclosed personal data of a former employee to unauthorized third parties without a valid legal basis. The DPA also found that the municipality had not appointed a data protection officer.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Italian Data Protection Authority (Garante)",
    "language": "en"
  },
  {
    "id": "ETid-1317",
    "title": "GDPR Fine: University Hospital of the Medical University of Warsaw — Polish National Personal Data Protection Office (UODO) (Poland)",
    "authors": [
      "Polish National Personal Data Protection Office (UODO)"
    ],
    "date": "2022-07-06",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1317",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €2,120 | Articles: Art. 33 GDPR, Art. 34 GDPR | Insufficient fulfilment of data breach notification obligations | The Polish DPA has imposed a fine of EUR 2,120 on the University Hospital of the Medical University of Warsaw. The university hospital had suffered a data breach in which a patient had received a referral from a doctor that contained, among other things, personal data (name, address, etc.) of another patient. The DPA found that neither the doctor nor the hospital informed the patient or the DPA about the data breach.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Polish National Personal Data Protection Office (UODO)",
    "language": "en"
  },
  {
    "id": "ETid-1318",
    "title": "GDPR Fine: UBEEQO INTERNATIONAL — French Data Protection Authority (CNIL) (France)",
    "authors": [
      "French Data Protection Authority (CNIL)"
    ],
    "date": "2022-07-07",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1318",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €175,000 | Articles: Art. 5 (1) c), e) GDPR, Art. 12 GDPR | Non-compliance with general data processing principles | The French DPA (CNIL) has fined the company UBEEQO INTERNATIONAL EUR 175,000. \n\nThe vehicle rental company had collected geolocation data on rented vehicles at every 500 meters. The company stated that they had collected the data to monitor the condition of the fleet, to locate the vehicle in case of theft, and to assist customers in case of an accident, among other reasons. However, the DPA found that none of these purposes justified the collection of geolocation data in such detail. For this reason, the DPA found a violation of the principle of data minimization pursuant to Art. 5 (1) c) GDPR. \n\nThe DPA also found that the company had stored the vehicle data for an excessively long period of time. The data was kept for the duration of the business relationship with a customer and then for another three years after the termination of the vehicle rental. In addition, personal data of users who had been inactive for more than eight years were still stored in the company's databases.\n\nThe CNIL found that this long retention constituted a violation of Art. 5 (1) e) GDPR. \n\nFinally, the DPA found that users were not adequately informed during the registration process on the company portal, and that the company thus violated Art. 12 GDPR.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: French Data Protection Authority (CNIL)",
    "language": "en"
  },
  {
    "id": "ETid-1374",
    "title": "GDPR Fine: SERVICIOS PROFESIONALES LA PARADA S.L. — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2022-08-25",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1374",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00151-2022.pdf",
    "doi": "",
    "abstract": "Fine: €480 | Articles: Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine on SERVICIOS PROFESIONALES LA PARADA S.L.. The company had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. The original fine of EUR 800 was reduced to EUR 480 due to voluntary payment and admission of responsibility.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-1386",
    "title": "GDPR Fine: EURO DONER KEBAB — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2022-09-09",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1386",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00261-2022.pdf",
    "doi": "",
    "abstract": "Fine: €180 | Articles: Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine on EURO DONER KEBAB. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. The original fine of EUR 300 was reduced to EUR 180 due to voluntary payment and admission of responsibility.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-1405",
    "title": "GDPR Fine: Sułkowice Cultural Center — Polish National Personal Data Protection Office (UODO) (Poland)",
    "authors": [
      "Polish National Personal Data Protection Office (UODO)"
    ],
    "date": "2022-09-07",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1405",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €530 | Articles: Art. 28 (1), (3), (9) GDPR | Insufficient data processing agreement | The Polish DPA has imposed a fine of EUR 530 on the Sułkowice Cultural Center.\n\nDuring its investigation, the DPA found that the controller had transferred the processing of personal data to a processor without concluding a written concession agreement. \nIn addition, the controller did not verify the processor and did not verify whether the processor provides sufficient guarantees to ensure that appropriate technical and organizational measures are taken to protect personal data.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Polish National Personal Data Protection Office (UODO)",
    "language": "en"
  },
  {
    "id": "ETid-1411",
    "title": "GDPR Fine: CLUB NATACIO LLEIDA — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2022-09-28",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1411",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00093-2022.pdf",
    "doi": "",
    "abstract": "Fine: €720 | Articles: Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on CLUB NATACIO LLEIDA. The controller had installed a video surveillance system that recorded the cashier areas of the facility. The DPA considered this to be a violation of the principle of data minimization. The original fine of EUR 1,200 was reduced to EUR 720 due to voluntary payment and admission of guilt.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-1413",
    "title": "GDPR Fine: Auto Hi-Fi System S.n.c — Italian Data Protection Authority (Garante) (Italy)",
    "authors": [
      "Italian Data Protection Authority (Garante)"
    ],
    "date": "2022-07-28",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1413",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €2,000 | Articles: Art. 5 (1) a), c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Italian DPA has fined Auto Hi-Fi System S.n.c in the amount of EUR 2,000. The controller had installed a video surveillance system that covered not only the public road but also a private property. The DPA considered this a violation of the principle of data minimization. Also, the controller had not posted a sign with information about the video surveillance. The DPA considered this to be a violation of Art. 13 GDPR.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Italian Data Protection Authority (Garante)",
    "language": "en"
  },
  {
    "id": "ETid-1438",
    "title": "GDPR Fine: Medical laboratory — Belgian Data Protection Authority (APD) (Belgium)",
    "authors": [
      "Belgian Data Protection Authority (APD)"
    ],
    "date": "2022-08-19",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1438",
    "pdfUrl": "https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-127-2022.pdf",
    "doi": "",
    "abstract": "Fine: €20,000 | Articles: Art. 5 (1) f) GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 32 GDPR, Art. 35 (1), (3) GDPR | Insufficient technical and organisational measures to ensure information security | The Belgian DPA imposed a fine of EUR 20,000 on a medical laboratory.\r\n\r\nDuring its investigation, the DPA found that the laboratory had failed to conduct a data protection impact assessment and thus violated Art. 35 GDPR. \r\n\r\nIn addition, the laboratory had violated Art. 5 (1) f) GDPR and Art. 32 GDPR, as it was possible for physicians to view patients' personal data on the website without encryption. \r\n\r\nFinally, the DPA found that the laboratory had not published a privacy statement on its website, in violation of Art. 12 GDPR, Art. 13 GDPR and Art. 14 GDPR.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Belgian Data Protection Authority (APD)",
    "language": "en"
  },
  {
    "id": "ETid-1496",
    "title": "GDPR Fine: DISCORD INC. — French Data Protection Authority (CNIL) (France)",
    "authors": [
      "French Data Protection Authority (CNIL)"
    ],
    "date": "2022-11-10",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1496",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €800,000 | Articles: Art. 5 (1) e) GDPR, Art. 13 GDPR, Art. 25 (2) GDPR, Art. 32 GDPR, Art. 35 GDPR | Non-compliance with general data processing principles | The French DPA has imposed a fine of EUR 800,000 on DISCORD INC.. DISCORD offers an online communication service through which users can chat or make video calls. \n\nDuring its investigation, the DPA found that the company had failed to establish and also comply with a data retention period appropriate to the purpose of the processing. For example, there were over two million accounts within the DISCORD database of French users who had not used their account for more than three years and approximately 50,000 accounts that had not been used for more than five years.\n\nFurther, the DPA noted that the company did not have complete information regarding retention periods. \n\nAlso, the DPA found that the company had failed to ensure data protection by default, contrary to the obligation under Art. 25 (2) GDPR. \nThus, it was possible for user data to be transmitted even after the communication application was closed. \n\nThe DPA also found that the company had failed to sufficiently ensure the security of personal data by accepting insecure passwords from users.\nThe company accepted user passwords that consisted of six characters containing only letters and numbers. \n\n\nFinally, the DPA found that the company had failed to conduct a data protection impact assessment.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: French Data Protection Authority (CNIL)",
    "language": "en"
  },
  {
    "id": "ETid-1498",
    "title": "GDPR Fine: Setúbal municipality — Portuguese Data Protection Authority (CNPD) (Portugal)",
    "authors": [
      "Portuguese Data Protection Authority (CNPD)"
    ],
    "date": "2022-11-02",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1498",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €180,000 | Articles: Art. 5 (1) e), f) GDPR, Art. 13 (1), (2) GDPR, Art. 37 (1), (7) GDPR | Non-compliance with general data processing principles | The Portuguese DPA has imposed a fine of EUR 170,000 on Setúbal municipality. The DPA found data protection violations regarding the collection of personal data from Ukrainian refugees. The municipality had asked refugees to fill out a form at the time of their arrival and provide various details on personal data, such as name, date of birth, marital status, etc. \nThe DPA noted that the municipality had not sufficiently informed the data subjects about the data processing. In addition, the DPA found that the municipality had failed to implement sufficient technical and organizational measures to protect personal data, as well as to define a retention period for the data. The municipality had also failed to appoint a data protection officer.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Portuguese Data Protection Authority (CNPD)",
    "language": "en"
  },
  {
    "id": "ETid-1511",
    "title": "GDPR Fine: Alpha Exploration — Italian Data Protection Authority (Garante) (Italy)",
    "authors": [
      "Italian Data Protection Authority (Garante)"
    ],
    "date": "2022-10-06",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1511",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €2,000,000 | Articles: Art. 5 (1) a), e), f) GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 12 (1) GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 27 (4) GDPR, Art. 28 GDPR, Art. 32 GDPR, Art. 35 GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 2 million on Alpha Exploration. Alpha Exploration operates the social network Clubhouse. \n\nIn the course of its investigation, the DPA found numerous violations of the GDPR. For example, the DPA found that there was a lack of transparency regarding the use of users' data and their chat contacts. In addition, users of the network were able to store and share audio messages from other users without their consent. Moreover, account information was shared with unauthorized third parties without a valid legal basis. In addition, the company failed to define retention periods for personal data.\n\nAlso, the company failed to provide users with sufficient information about numerous aspects of the processing of their personal data and had not implemented sufficient technical and organizational measures to protect personal data.\n\nFinally, the DPA found that the company failed to conduct a data protection impact assessment. At the end of the investigation, the DPA not only imposed a fine but also ordered a number of measures to be taken by the company. For example, the company must define retention periods and introduce a function that informs users that their chats are being recorded.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Italian Data Protection Authority (Garante)",
    "language": "en"
  },
  {
    "id": "ETid-1615",
    "title": "GDPR Fine: Cisterna di Latina municipality — Italian Data Protection Authority (Garante) (Italy)",
    "authors": [
      "Italian Data Protection Authority (Garante)"
    ],
    "date": "2022-11-10",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1615",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €5,000 | Articles: Art. 5 GDPR, Art. 12 GDPR, Art. 37 GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA has imposed a fine of EUR 5,000 on Cisterna di Latina municipality. An individual had filed a complaint with the DPA because the municipality had not responded to their request for access to their personal data in a timely manner. During its investigation, the DPA found that the municipality had mistakenly sent the data requested by the data subject to a third party rather than to the data subject. In addition, the DPA found that the municipality failed to appoint a new data protection officer several months after the initially appointed data protection officer resigned.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Italian Data Protection Authority (Garante)",
    "language": "en"
  },
  {
    "id": "ETid-1581",
    "title": "GDPR Fine: TECNO MOTOR LA MUELA, S.L.L — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2023-01-20",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1581",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00425-2022.pdf",
    "doi": "",
    "abstract": "Fine: €360 | Articles: Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine on TECNO MOTOR LA MUELA, S.L.L.. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed about the video surveillance and thus violated its duty to inform under Art. 13 GDPR. The original fine of EUR 600 was reduced to EUR 360 due to voluntary payment and admission of responsibility.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-1606",
    "title": "GDPR Fine: Azienda Universitaria Friuli Occidentale — Italian Data Protection Authority (Garante) (Italy)",
    "authors": [
      "Italian Data Protection Authority (Garante)"
    ],
    "date": "2022-12-15",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1606",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €55,000 | Articles: Art. 5 (1) a) GDPR, Art. 9 GDPR, Art. 14 GDPR, Art. 35 GDPR, Art. 2-sexies Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 55,000 on Azienda Universitaria Friuli Occidentale. The health authority has created patient profiles using algorithms and personal patient data to indicate the risk of having complications in the event of a Covid 19 infection. This was intended to identify appropriate diagnostic and therapeutic pathways in a timely manner in the event of complications. However, the DPA found that the health authority did not have a valid legal basis to process patients' personal data for profiling. In addition, the DPA found that the health authority had failed to conduct a data protection impact assessment. In calculating the fine, the DPA took into account the aggravating factor that a large number of individuals were affected.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Italian Data Protection Authority (Garante)",
    "language": "en"
  },
  {
    "id": "ETid-1616",
    "title": "GDPR Fine: Conservatorio di Musica S. Cecilia di Roma — Italian Data Protection Authority (Garante) (Italy)",
    "authors": [
      "Italian Data Protection Authority (Garante)"
    ],
    "date": "2022-11-10",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1616",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €6,000 | Articles: Art. 5 GDPR, Art. 6 GDPR, Art. 38 GDPR, Art. 2-ter Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 6,000 on 'Conservatorio di Musica S. Cecilia di Roma'. A student of the educational institution had filed a complaint with the DPA for having received a disciplinary sanction for a statement made during a student assembly. Although it was not supposed to be, the assembly was recorded and the institution used the recordings to base the disciplinary action on it. During its investigation, the DPA determined that the controller did not have a valid legal basis to use the assembly recordings and, therefore, the processing of the student's personal data was unlawful. Also, the DPA found that the educational institution's data protection officer was also the institution's director. The DPA considered this to be an unlawful conflict of interest.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Italian Data Protection Authority (Garante)",
    "language": "en"
  },
  {
    "id": "ETid-1617",
    "title": "GDPR Fine: Magdeburg University Hospital — Data Protection Authority of Sachsen-Anhalt (Germany)",
    "authors": [
      "Data Protection Authority of Sachsen-Anhalt"
    ],
    "date": "2023",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1617",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €9,000 | Articles: Art. 33 GDPR | Insufficient fulfilment of data breach notification obligations | The DPA of Sachsen-Anhalt has imposed a fine of EUR 9,000 on Magdeburg University Hospital. The clinic had failed to report to the DPA a data breach involving a former employee having unlawfully disclosed personal data from the clinic's systems to third parties.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Data Protection Authority of Sachsen-Anhalt",
    "language": "en"
  },
  {
    "id": "ETid-1631",
    "title": "GDPR Fine: Poliambulatorio Radiologico 'il Sorriso' S.r.l. — Italian Data Protection Authority (Garante) (Italy)",
    "authors": [
      "Italian Data Protection Authority (Garante)"
    ],
    "date": "2022-11-10",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1631",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €15,000 | Articles: Art. 5 GDPR, Art. 13 GDPR, Art. 37 GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 15,000 on Poliambulatorio Radiologico 'il Sorriso' S.r.l.. A patient had filed a complaint with the DPA for not receiving sufficient information regarding the processing of their personal data. Among other things, the controller had not provided information about the data protection officer and the type of data being processed.  The DPA also found that the controller had failed to provide the contact details of their data protection officer to the DPA.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Italian Data Protection Authority (Garante)",
    "language": "en"
  },
  {
    "id": "ETid-1708",
    "title": "GDPR Fine: SOCIEDAD ESPAÑOLA DE RADIODIFUSIÓN, S.L. — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2023-03-21",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1708",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00199-2022.pdf",
    "doi": "",
    "abstract": "Fine: €50,000 | Articles: Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 50,000 on SOCIEDAD ESPAÑOLA DE RADIODIFUSIÓN, S.L.. Several media outlets, including the controller had published an audio recording of a multiple rape victim's testimony in court on their websites to report on the case. The case had attracted a lot of media attention. During its investigation, the DPA determined that the rape victim's right to privacy outweighed the controller's freedom of information. The audio recordings of the victim did not add any significant value to the reporting, but rather severely compromised the victim's privacy. For this reason, the DPA found that the controller violated the principle of data minimization.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-1709",
    "title": "GDPR Fine: LA VANGUARDIA EDICIONES, S.L. — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2023-03-21",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1709",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00197-2022.pdf",
    "doi": "",
    "abstract": "Fine: €50,000 | Articles: Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 50,000 on LA VANGUARDIA EDICIONES, S.L.. Several media outlets, including the controller had published an audio recording of a multiple rape victim's testimony in court on their websites as well as on Twitter to report on the case. The case had attracted a lot of media attention. During its investigation, the DPA determined that the rape victim's right to privacy outweighed the controller's freedom of information. The audio recordings of the victim did not add any significant value to the reporting, but rather severely compromised the victim's privacy. For this reason, the DPA found that the controller violated the principle of data minimization.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-1711",
    "title": "GDPR Fine: CONECTA5 TELECINCO, S.A.U. — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2023-03-21",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1711",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00191-2022.pdf",
    "doi": "",
    "abstract": "Fine: €50,000 | Articles: Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 50,000 on CONECTA5 TELECINCO, S.A.U.. Several media outlets, including the controller had published an audio recording of a multiple rape victim's testimony in court on their websites as well as on Twitter to report on the case. The case had attracted a lot of media attention. During its investigation, the DPA determined that the rape victim's right to privacy outweighed the controller's freedom of information. The audio recordings of the victim did not add any significant value to the reporting, but rather severely compromised the victim's privacy. For this reason, the DPA found that the controller violated the principle of data minimization.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-1712",
    "title": "GDPR Fine: DISPLAY CONNECTORS, S.L. — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2023-03-21",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1712",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00194-2022.pdf",
    "doi": "",
    "abstract": "Fine: €50,000 | Articles: Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 50,000 on DISPLAY CONNECTORS, S.L.. Several media outlets, including the controller had published an audio recording of a multiple rape victim's testimony in court on their websites as well as on Twitter to report on the case. The case had attracted a lot of media attention. During its investigation, the DPA determined that the rape victim's right to privacy outweighed the controller's freedom of information. The audio recordings of the victim did not add any significant value to the reporting, but rather severely compromised the victim's privacy. For this reason, the DPA found that the controller violated the principle of data minimization.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-1713",
    "title": "GDPR Fine: EL DIARIO DE PRENSA DIGITAL SL. — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2023-03-21",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1713",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00196-2022.pdf",
    "doi": "",
    "abstract": "Fine: €50,000 | Articles: Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 50,000 on EL DIARIO DE PRENSA DIGITAL SL.. Several media outlets, including the controller had published an audio recording of a multiple rape victim's testimony in court on their websites as well as on Twitter to report on the case. The case had attracted a lot of media attention. During its investigation, the DPA determined that the rape victim's right to privacy outweighed the controller's freedom of information. The audio recordings of the victim did not add any significant value to the reporting, but rather severely compromised the victim's privacy. For this reason, the DPA found that the controller violated the principle of data minimization.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-1715",
    "title": "GDPR Fine: TITANIA COMPAÑÍA EDITORIAL, S.L. — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2023-03-21",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1715",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00200-2022.pdf",
    "doi": "",
    "abstract": "Fine: €40,000 | Articles: Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on TITANIA COMPAÑÍA EDITORIAL, S.L.. Several media outlets, including the controller had published an audio recording of a multiple rape victim's testimony in court on their websites to report on the case. The case had attracted a lot of media attention. During its investigation, the DPA determined that the rape victim's right to privacy outweighed the controller's freedom of information. The audio recordings of the victim did not add any significant value to the reporting, but rather severely compromised the victim's privacy. For this reason, the DPA found that the controller violated the principle of data minimization. The original fine of EUR 50,000 was reduced to EUR 40,000 due to voluntary payment.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-1716",
    "title": "GDPR Fine: UNIDAD EDITORIAL INFORMACION GENERAL S.L.U. — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2023-03-21",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1716",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00201-2022.pdf",
    "doi": "",
    "abstract": "Fine: €50,000 | Articles: Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 50,000 on UNIDAD EDITORIAL INFORMACION GENERAL S.L.U.. Several media outlets, including the controller had published an audio recording of a multiple rape victim's testimony in court on their websites as well as on Twitter to report on the case. The case had attracted a lot of media attention. During its investigation, the DPA determined that the rape victim's right to privacy outweighed the controller's freedom of information. The audio recordings of the victim did not add any significant value to the reporting, but rather severely compromised the victim's privacy. For this reason, the DPA found that the controller violated the principle of data minimization.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-1733",
    "title": "GDPR Fine: ATRESMEDIA CORPORACIÓN DE MEDIOS DE COMUNICACIÓN, S.A. — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2023-04-03",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1733",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00190-2022.pdf",
    "doi": "",
    "abstract": "Fine: €50,000 | Articles: Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 50,000 on ATRESMEDIA CORPORACIÓN DE MEDIOS DE COMUNICACIÓN, S.A.. Several media outlets, including the controller had published an audio recording of a multiple rape victim's testimony in court on their websites as well as on Twitter to report on the case. The case had attracted a lot of media attention. During its investigation, the DPA determined that the rape victim's right to privacy outweighed the controller's freedom of information. The audio recordings of the victim did not add any significant value to the reporting, but rather severely compromised the victim's privacy. For this reason, the DPA found that the controller violated the principle of data minimization.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-1736",
    "title": "GDPR Fine: 20 MINUTOS EDITORA, S.L. — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2023-04-03",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1736",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00158-2022.pdf",
    "doi": "",
    "abstract": "Fine: €50,000 | Articles: Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 50,000 on 20 MINUTOS EDITORA, S.L.. Several media outlets, including the controller had published an audio recording of a multiple rape victim's testimony in court on their websites. The case had attracted a lot of media attention. During its investigation, the DPA determined that the rape victim's right to privacy outweighed the controller's freedom of information. The audio recordings of the victim did not add any significant value to the reporting, but rather severely compromised the victim's privacy. For this reason, the DPA found that the controller violated the principle of data minimization.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-1767",
    "title": "GDPR Fine: Vodafone — Hellenic Data Protection Authority (HDPA) (Greece)",
    "authors": [
      "Hellenic Data Protection Authority (HDPA)"
    ],
    "date": "2023-02-20",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1767",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €40,000 | Articles: Art. 15 GDPR, Art. 33 GDPR | Insufficient fulfilment of data breach notification obligations | The Hellenic DPA has imposed a fine of EUR 40,000 on Vodafone. An individual had filed a complaint with the DPA because, following a request for access to records of conversations with a Vodafone call center, Vodafone had provided them with another customer's conversations. Vodafone in addition failed to report this incident to the DPA in a timely manner.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Hellenic Data Protection Authority (HDPA)",
    "language": "en"
  },
  {
    "id": "ETid-1785",
    "title": "GDPR Fine: KFC RESTAURANTS SPAIN, S.L. — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2023-04-20",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1785",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00140-2022.pdf",
    "doi": "",
    "abstract": "Fine: €25,000 | Articles: Art. 13 GDPR, Art. 37 GDPR | Insufficient involvement of data protection officer | The Spanish DPA has fined KFC RESTAURANTS SPAIN, S.L EUR 25,000. During its investigation, the DPA found that the controller had failed to appoint a data protection officer. In addition, the DPA found that the controller did not provide all of the information required under Art. 13 GDPR on its website.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-1798",
    "title": "GDPR Fine: ALBERO FORTE COMPOSITE, S.L. — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2023-04-28",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1798",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00597-2022.pdf",
    "doi": "",
    "abstract": "Fine: €12,000 | Articles: Art. 35 GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA (AEPD) has imposed a fine on ALBERO FORTE COMPOSITE, S.L.. The company had taken pictures of employees at the entrance for the purpose of recording their working hours. However, the company had failed to conduct a data protection impact assessment. The original fine of EUR 20,000 was reduced to EUR 12,000 due to voluntary payment and admission of responsibility.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-1816",
    "title": "GDPR Fine: Debt collection agency — Croatian Data Protection Authority (azop) (Croatia)",
    "authors": [
      "Croatian Data Protection Authority (azop)"
    ],
    "date": "2023-05-04",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1816",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €2,265,000 | Articles: Art. 6 (1) GDPR, Art. 13 (1) GDPR, Art. 28 (3) GDPR, Art. 32 (1) b), d) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Croatian DPA (AZOP) has imposed a fine of EUR 2,265,000 on a debt collection agency. The fine is the highest ever imposed by AZOP. AZOP had received an anonymous complaint in December 2022 stating that a large number of debtors' personal data had been processed by the collection agency without authorization. Attached to the complaint was a USB stick containing personal data (name, date of birth, personal identification number) of 77,317 debtors. \n\nDuring its investigation, AZOP found that controller did not provide sufficient information about the processing of personal data in its privacy policy. Moreover, it failed to provide information about the legal basis for the refund of overpaid funds. The breach affected 132,652 individuals. \n\nFurther, the AZOP found that the controller had not entered into a data processing agreement with a processor that monitored simple consumer bankruptcies. This put the data of 83,896 individuals at risk. The breach persisted for 2 years.\n\nFinally, AZOP found that the controller had failed to implement adequate technical and organizational measures to protect personal data. \nDeficiencies in the controller's security system led to insecure processing of personal data on a large scale, resulting in the unauthorized filtering of data. AZOP noted that the breach has been ongoing since at least 2019 and has not been addressed to date. \n\nAggravating factors considered by AZOP included the controller's failure to adequately cooperate with the DPA during the process. Furthermore, the controller has not yet informed AZOP of additional measures it has taken to prevent future risks of identified violations and has not yet brought its privacy policy into compliance with the GDPR.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Croatian Data Protection Authority (azop)",
    "language": "en"
  },
  {
    "id": "ETid-1917",
    "title": "GDPR Fine: Corporación de Medios de Extremadura — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2023-06-22",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1917",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00650-2022.pdf",
    "doi": "",
    "abstract": "Fine: €90,000 | Articles: Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on Corporación de Medios de Extremadura. The controller had published a video on its news site that included an Excel spreadsheet with personal data (first and last names) of 56 women who were identified as victims of gender-based violence. During its investigation, the DPA determined that the rape victim's right to privacy outweighed the controller's freedom of information. For this reason, the DPA found that the controller violated the principle of data minimization. The original fine of EUR 150,000 was reduced to EUR 90,000 due to voluntary payment and admission of responsibility.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-1918",
    "title": "GDPR Fine: Sociedad Vascongada de Publicaciones, S.A. — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2023-06-22",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1918",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00650-2022.pdf",
    "doi": "",
    "abstract": "Fine: €90,000 | Articles: Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on Sociedad Vascongada de Publicaciones, S.A.. The controller had published a video on its news site that included an Excel spreadsheet with personal data (first and last names) of 56 women who were identified as victims of gender-based violence. During its investigation, the DPA determined that the rape victim's right to privacy outweighed the controller's freedom of information. For this reason, the DPA found that the controller violated the principle of data minimization. The original fine of EUR 150,000 was reduced to EUR 90,000 due to voluntary payment and admission of responsibility.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-1939",
    "title": "GDPR Fine: EXPLOTACIONES HOSTELERAS Y DE OCIO ALBACETEÑAS, S.L. — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2023-07-04",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1939",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00536-2022.pdf",
    "doi": "",
    "abstract": "Fine: €500 | Articles: Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has fined EXPLOTACIONES HOSTELERAS Y DE OCIO ALBACETEÑAS, S.L. EUR 500. The controller had installed video surveillance cameras which, among other things, also covered the public street. The DPA considered this a violation of the principle of data minimization.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-1943",
    "title": "GDPR Fine: KUGELCHEN PROPIERTIES, S.L. — Spanish Data Protection Authority (aepd) (Spain)",
    "authors": [
      "Spanish Data Protection Authority (aepd)"
    ],
    "date": "2023-07-07",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1943",
    "pdfUrl": "https://www.aepd.es/es/documento/ps-00073-2023.pdf",
    "doi": "",
    "abstract": "Fine: €2,000 | Articles: Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 2,000 on KUGELCHEN PROPIERTIES, S.L.. The controller had continued to process data of the data subject, despite exercising their right to erasure.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Spanish Data Protection Authority (aepd)",
    "language": "en"
  },
  {
    "id": "ETid-1965",
    "title": "GDPR Fine: Irish Departement of Health — Data Protection Authority of Ireland (Ireland)",
    "authors": [
      "Data Protection Authority of Ireland"
    ],
    "date": "2023-06-16",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-1965",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Fine: €22,500 | Articles: Art. 5 (1) c) GDPR, Art. 6 (1), (4) GDPR, Art. 9 (1) GDPR | Non-compliance with general data processing principles | The Irish DPA (DPC) has fined the Irish Department of Health EUR 22,500. \n\nThe DPA launched an investigation into the department following public allegations  that the department unlawfully processed personal data from claimants and their families in the context of litigation over special educational needs.\n\nThe DPC found that the departement had obtained information from the Health Service Executive (HSE) about services that the plaintiffs and their families had received. They had also been asked broad questions that led to the disclosure of sensitive private information. The data was collected to determine whether a settlement could be pursued with the plaintiff.\n\nThe DPC concluded that the collection of information about the social services provided was lawful. However, the questions that led to the disclosure of the sensitive information were excessive and, according to the DPC, not necessary for the purposes of the litigation. According to the DPC, this violated the principle of data minimization.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "GDPR DPA: Data Protection Authority of Ireland",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2996876109",
    "title": "Protección de datos y garantía de los derechos digitales laborales en el nuevo marco normativo europeo e interno (RGPD 2016 y LOPDP-GDD 2018)",
    "authors": [
      "Jesús Baz Rodríguez"
    ],
    "date": "2019",
    "platform": "OpenAlex",
    "sourceUrl": "https://revistas.usal.es/index.php/ais/article/download/21900/21378",
    "pdfUrl": "",
    "doi": "",
    "abstract": "The Spanish Data Protection Act (lo 3/2018) has recently formulated an embryonic regulation about digital rights for workers, implementing the mandatory previsions contained in the European gdpr in order to adapt that holistic legal frame of data protection to the particular context of labour relations. Even though its limitations, the new regulation points out to the whole legal system on Data Protection as an inescapable reference in order to build a complex set of limitations that should be respected by employers in the exercise of their labour managing and monitoring powers; particularly related to situations like the workers’ use of digital devices at the workplace, videosurveillance, sound recording or locational surveillance.",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.637,
    "venue": "Ars Iuris Salmanticensis: AIS : revista europea e iberoamericana de pensamiento y análisis de derecho, ciencia política y criminología",
    "language": "es"
  },
  {
    "id": "https://openalex.org/W3165816414",
    "title": "Las Directrices 2/2020 del Comité Europeo de Protección de Datos sobre la aplicación de los artículos 46.2.a) y 46.3.b) del RGPD",
    "authors": [
      "Alfonso Ortega Giménez"
    ],
    "date": "2020",
    "platform": "OpenAlex",
    "sourceUrl": "https://dialnet.unirioja.es/servlet/articulo?codigo=7851400",
    "pdfUrl": "",
    "doi": "",
    "abstract": "espanolLos dias 18 y 19 de febrero de 2020, las autoridades de control del Espacio Economico Europeo y el Supervisor Europeo de Proteccion de Datos, reunidos en el Consejo Europeo de Proteccion de Datos, celebraron su 18.a sesion plenaria. El Consejo Europeo de Proteccion de Datos adopto un proyecto de Directrices para aclarar la aplicacion de los articulos 46.2.a) y 46.3.b), del Reglamento General de Proteccion de Datos. Estos articulos se refieren a las transferencias de datos personales desde autoridades u organismos publicos del Espacio Economico Europeo a organismos publicos de terceros paises o a organizaciones internacionales, cuando estas transferencias no esten cubiertas por una decision de adecuacion. Las Directrices recomiendan las salvaguardas que deben aplicarse en instrumentos juridicamente vinculantes (articulo 46.2.a)) o en acuerdos administrativos (articulo 46.3.b) para garantizar que el nivel de proteccion de las personas fisicas conforme al Reglamento General de Proteccion de Datos se cumpla y no se vea menoscabado. EnglishOn 18 and 19 February 2020, the EEA supervisory authorities and the European Data Protection Supervisor, meeting at the European Data Protection Council, held their 18th plenary session. European Data Protection Council adopted draft guidelines to clarify the application of articles 46.2.a) and 46.3.b) of the GDPR. These articles refer to transfers of personal data from EEA authorities or public bodies to public bodies in third countries or to international organizations, when these transfers are not covered by an adequacy decision. The guidelines recommend the safeguards to be applied in legal instruments binding (article 46.2.a)) or administrative agreements (article 46.3.b) to ensure that the level of protection of natural persons under the GDPR is met and is not impaired.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "La Ley privacidad",
    "language": "es"
  },
  {
    "id": "https://openalex.org/W7120801568",
    "title": "Do RGPD à LGPD: difusão internacional de normas e o caso das regulamentações de proteção de dados pessoais",
    "authors": [
      "Marília Machado Muchiuti"
    ],
    "date": "2022",
    "platform": "OpenAlex",
    "sourceUrl": "https://repositorio.pucsp.br/jspui/handle/handle/29644",
    "pdfUrl": "https://repositorio.pucsp.br/jspui/handle/handle/29644",
    "doi": "",
    "abstract": "This work seeks to address the phenomenon of diffusion, analyzing the processes and forces through which norms initially restricted to a certain location end up penetrating other locations, spreading globally. The analysis is based in the case study of diffusion of norms that regulate the protection of personal data, more particularly the diffusion of European Union’s General Data Protection Regulation of 2016 (RGPD), to Brazil, which adopted a General Personal Data Protection Act in 2018 (LGPD). For this purpose, the analysis is mainly based on the “Brussels Effect” theory by author Anu Bradford – which seeks to explain European Union’s ability is exporting norms facilitated by markets, private companies, and dynamics of influence – and mainly uses the legislative process of the LGPD, as well as the content of the LGPD in comparison to the normative content of the RGPD, as its investigative resources. With the results of this analysis, the work finally debates how the process of diffusion of norms in the international system has the potential to disrupt traditional views of this system, bringing together perspectives and literatures of International Relations and Law for a holistic and integrated approach",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.637,
    "venue": "LA Referencia (Red Federada de Repositorios Institucionales de Publicaciones Científicas)",
    "language": "pt"
  },
  {
    "id": "https://openalex.org/W3088109818",
    "title": "Kritiska framgångsfaktorer vid införande av GDPR inom bank och finans",
    "authors": [
      "Sebastian Stålnacke",
      "Robert Juhlin"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "http://urn.kb.se/resolve?urn=urn:nbn:se:miun:diva-35734",
    "pdfUrl": "http://urn.kb.se/resolve?urn=urn:nbn:se:miun:diva-35734",
    "doi": "",
    "abstract": "On May 25, 2018, the Directive, 95/46/EC, is superseded by the General Data Protection Regulation (GDPR), (EU) 2016/679. Companies and organizations will have to revise routines, restructure organizations' processes and rebuild IT systems. The purpose of this study is to identify the critical success factors for implementing GDPR in the Swedish banking and finance sector. The study carried out a literature study as a foundation for the qualitative interviews with which empirical was gathered. Subjects for interviews was data protection officers (DPO) at four banks, as well as the Swedish Data Protection Authority and Forum för dataskydd, a national forum for DPO:s. The study's results showed a number of significant success factors for implementation processes. Based on these success factors, three were identified as critical to the implementation of GDPR from a computer science perspective: data governance, privacy-by-design, and documentation.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.637,
    "venue": "KTH Publication Database DiVA (KTH Royal Institute of Technology)",
    "language": "sv"
  },
  {
    "id": "openaire:104",
    "title": "Improving MapReduce privacy by implementing multi-dimensional sensitivity-based anonymization",
    "authors": [
      "Mohammed Al-Zobbi",
      "Seyed Shahrestani",
      "Chun Ruan"
    ],
    "date": "2017-12-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1186/s40537-017-0104-5",
    "pdfUrl": "https://doi.org/10.1186/s40537-017-0104-5",
    "doi": "10.1186/s40537-017-0104-5",
    "abstract": "Abstract Big data is predominantly associated with data retrieval, storage, and analytics. Data analytics is prone to privacy violations and data disclosures, which can be partly attributed to the multi-user characteristics of big data environments. Adversaries may link data to external resources, try to access confidential data, or deduce private information from the large number of data pieces that they can obtain. Data anonymization can address some of these concerns by providing tools to mask and can help with concealing the vulnerable data. Currently available anonymization methods, however, are not capable of accommodating the big data scalability, granularity, and performance in efficient manners. In this paper, we introduce a novel framework that implements SQL-like Hadoop ecosystems, incorporating Pig Latin with the additional splitting of data. The splitting reduces data masking and increases the information gained from the anonymized data. Our solution provides a fine-grained masking and concealment, which is based on access level privileges of the user. We also introduce a simple classification technique that can accurately measure the anonymization extent in any anonymized data. The results of testing this classification technique and the proposed sensitivity-based anonymization method using different samples will also be discussed. These results show the significant benefits of the proposed approach, particularly regarding reduced information loss associated with the anonymization processes.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "Journal of Big Data",
    "language": "en"
  },
  {
    "id": "doaj:04f840b8747c47c397f959dc75ebb261",
    "title": "Privacy-preserving data compression scheme for k-anonymity model based on Huffman coding",
    "authors": [
      "Yue YU, Xianzheng LIN, Weihai LI, Nenghai YU"
    ],
    "date": "2023",
    "platform": "doaj",
    "sourceUrl": "https://www.infocomm-journal.com/cjnis/CN/10.11959/j.issn.2096-109x.2023054",
    "pdfUrl": "",
    "doi": "10.11959/j.issn.2096-109x.2023054",
    "abstract": "The k-anonymity model is widely used as a data anonymization technique for privacy protection during the data release phase. However, with the advent of the big data era, the generation of vast amounts of data poses challenges to data storage. However, it is not feasible to expand the storage space infinitely by hardware upgrade, since the cost of memory is high and the storage space is limited. For this reason, data compression techniques can reduce storage costs and communication overhead. In order to reduce the storage space of the data generated by using anonymization techniques in the data publishing phase, a compression scheme was proposed for the original data and anonymized data of the k-anonymity model. For the original data of the k-anonymity model, the difference between the original data and the anonymized data was calculated according to the set rules and the pre-defined generalization level. Huffman coding compression was applied to the difference data according to frequency characteristics. By storing the difference data, the original data can be obtained indirectly, thus reducing the storage space of the original data. For anonymized data of the k-anonymity model, the anonymized data usually have high repeatability according to the generalization rules of the model or the pre-defined generalization hierarchy relations. The larger the value of k, the more generalized and repeatable the anonymized data becomes. The design of Huffman coding compression was implemented for anonymous data to reduce storage space. The experimental results show that the proposed scheme can significantly reduce the original data and the anonymous data compression rate of the k-anonymity model. Across five models and various k-value settings, the proposed scheme reduces the compression rate of raw and anonymized data by 72.2% and 64.2% on average compared to the Windows 11 zip tool.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "网络与信息安全学报",
    "language": "en"
  },
  {
    "id": "openaire:10.1109/access.2024.3381034",
    "title": "Anonymization and Pseudonymization of FHIR Resources for Secondary Use of Healthcare Data",
    "authors": [
      "Emanuele Raso",
      "Pierpaolo Loreti",
      "Michele Ravaziol",
      "Lorenzo Bracciale"
    ],
    "date": "2024-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1109/access.2024.3381034",
    "pdfUrl": "http://xplorestaging.ieee.org/ielx7/6287639/10380310/10479174.pdf?arnumber=10479174",
    "doi": "10.1109/access.2024.3381034",
    "abstract": "Along with the creation of medical profiles of patients, Electronic Health Records have several secondary missions, such as health economy and research. The recent, increasing adoption of a common standard, i.e., the Fast Healthcare Interoperability Resources (FHIR), makes it easier to exchange medical data among the several parties involved, for example, in an epidemiological research activity. However, this exchange process is hindered by regulatory frameworks due to privacy issues related to the presence of personal information, which allows patients to be identified directly (or indirectly) from their medical data. When properly used, de-identification techniques can provide crucial support in overcoming these problems. FHIR-DIET aims to bring flexibility and concreteness to the implementation of de-identification of health data, supporting many customised data-processing behaviours that can be easily configured and tailored to match specific use case requirements. Our solution enables faster and easier cooperation between legal and IT professionals to establish and implement de-identification rules. The performance evaluation demonstrates the viability of processing hundreds of FHIR patient information data per second using standard hardware. We believe FHIR-DIET can be a valuable tool to satisfy the current regulation requirements and help to create added-value for the secondary use of healthcare data.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "IEEE Access",
    "language": "en"
  },
  {
    "id": "doaj:0a8db2927d4c41a6ad353ba3b16a82ee",
    "title": "SUBJECT-OBJECT MODEL FOR THE UNIFIED ANALYSIS OF PERSONAL DATA PROTECTION METHODS",
    "authors": [
      "Andrey V. Ladikov"
    ],
    "date": "2026",
    "platform": "doaj",
    "sourceUrl": "https://bit.spels.ru/index.php/bit/article/view/1903",
    "pdfUrl": "",
    "doi": "10.26583/bit.2026.1.05",
    "abstract": "This article addresses the security of personal data in information systems and a method for protecting such data from leaks: storing it in a depersonalized form. A subject-object model is proposed that formalizes the processes of data generation, transfer, and processing with regard to the interaction between subjects and objects of the information system. Within this model, the main depersonalization methods are analyzed, including identifier substitution, modification of data structure and semantics, decomposition, and shuffling. For each method, sequences of operations are constructed to demonstrate their application in the context of data flows and access control. It is shown that most approaches are implemented with the involvement of a trusted intermediary, which enables the concept of “one-sided pseudonymization.” Special attention is given to the classification of methods according to the existence and accessibility of de-anonymization mechanisms, which makes it possible to distinguish three levels of depersonalization – from pseudonymization to full anonymization. The proposed approach provides a higher level of abstraction in the analysis of data protection methods and contributes to the development of unified solutions in the field of information security.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "Безопасность информационных технологий",
    "language": "en"
  },
  {
    "id": "doaj:217abecce01b47e2b99dd78c5b752a34",
    "title": "Semi-local Time sensitive Anonymization of Clinical Data",
    "authors": [
      "Freimut Gebhard Herbert Hammer",
      "Mateusz Buglowski",
      "André Stollenwerk"
    ],
    "date": "2024",
    "platform": "doaj",
    "sourceUrl": "https://doi.org/10.1038/s41597-024-04192-1",
    "pdfUrl": "https://europepmc.org/articles/PMC11661997?pdf=render",
    "doi": "10.1038/s41597-024-04192-1",
    "abstract": "Abstract A method for the anonymization of time-continuous data, which preserves the relation between the time- and value dimension is proposed in this work. The approach protects against linking- and distribution attacks by providing k-anonymity and t-closeness. Distributions can be generated from given sets using Distribution Clustering, according to the similarity of the curves, which serve as a replacement for the population distribution. Before the data is anonymized, it is split along the time-axis using Windowed Fréchet Splitting, to reduce the duration and information loss. The proposed approach employs bucketization using the Fréchet distance with an implicit maximum cost and implied t for closeness and multiple redistribution phases. The information loss, median relative error and achieved t for the closeness is low, and the runtime was reduced with the introduction of semi-local decisions.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "Scientific Data",
    "language": "en"
  },
  {
    "id": "doaj:21f9088badfd40c9bdff196633a56cad",
    "title": "Experimenting sensitivity-based anonymization framework in apache spark",
    "authors": [
      "Mohammed Al-Zobbi",
      "Seyed Shahrestani",
      "Chun Ruan"
    ],
    "date": "2018",
    "platform": "doaj",
    "sourceUrl": "http://link.springer.com/article/10.1186/s40537-018-0149-0",
    "pdfUrl": "",
    "doi": "10.1186/s40537-018-0149-0",
    "abstract": "Abstract One of the biggest concerns of big data and analytics is privacy. We believe the forthcoming frameworks and theories will establish several solutions for the privacy protection. One of the known solutions is the k-anonymity that was introduced for traditional data. Recently, two major frameworks leveraged big data processing and applications; these are MapReduce and Spark. Spark data processing has been attracting more attention due to its crucial impacts on a wide range of big data applications. One of the predominant big data applications is data analytics and anonymization. We previously proposed an anonymization method for implementing k-anonymity in MapReduce processing framework. In this paper, we investigate Spark performance in processing data anonymization. Spark is a fast processing framework that was implemented in several applications such as: SQL, multimedia, and data stream. Our focus is the SQL Spark, which is adequate for big data anonymization. Since Spark operates in-memory, we need to observe its limitations, speed, and fault tolerance on data size increase, and to compare MapReduce to Spark in processing anonymity. Spark introduces an abstraction called resilient distributed datasets, which reads and serializes a collection of objects partitioned across a set of machines. Developers claim that Spark can outperform MapReduce by 10 times in iterative machine learning jobs. Our experiments in this paper compare between MapReduce and Spark. The overall results show a better performance for Spark’s processing time in anonymity operations. However, in some limited cases, we prefer to implement the old MapReduce framework, when the cluster resources are limited and the network is non-congested.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "Journal of Big Data",
    "language": "en"
  },
  {
    "id": "doaj:0f56dda4b13f40febfedd582e392fa25",
    "title": "DPIA in Context: Applying DPIA to Assess Privacy Risks of Cyber Physical Systems",
    "authors": [
      "Jane Henriksen-Bulmer",
      "Shamal Faily",
      "Sheridan Jeary"
    ],
    "date": "2020",
    "platform": "doaj",
    "sourceUrl": "https://www.mdpi.com/1999-5903/12/5/93",
    "pdfUrl": "",
    "doi": "10.3390/fi12050093",
    "abstract": "Cyber Physical Systems (CPS) seamlessly integrate physical objects with technology, thereby blurring the boundaries between the physical and virtual environments. While this brings many opportunities for progress, it also adds a new layer of complexity to the risk assessment process when attempting to ascertain what privacy risks this might impose on an organisation. In addition, privacy regulations, such as the General Data Protection Regulation (GDPR), mandate assessment of privacy risks, including making Data Protection Impact Assessments (DPIAs) compulsory. We present the DPIA Data Wheel, a holistic privacy risk assessment framework based on Contextual Integrity (CI), that practitioners can use to inform decision making around the privacy risks of CPS. This framework facilitates comprehensive contextual inquiry into privacy risk, that accounts for both the elicitation of privacy risks, and the identification of appropriate mitigation strategies. Further, by using this DPIA framework we also provide organisations with a means of assessing privacy from both the perspective of the organisation and the individual, thereby facilitating GDPR compliance. We empirically evaluate this framework in three different real-world settings. In doing so, we demonstrate how CI can be incorporated into the privacy risk decision-making process in a usable, practical manner that will aid decision makers in making informed privacy decisions.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Future Internet",
    "language": "en"
  },
  {
    "id": "doaj:01f34bd4de4446c1a8a88dcb854428e4",
    "title": "Efficient Keyset Design for Neural Networks Using Homomorphic Encryption",
    "authors": [
      "Youyeon Joo",
      "Seungjin Ha",
      "Hyunyoung Oh",
      "Yunheung Paek"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://www.mdpi.com/1424-8220/25/14/4320",
    "pdfUrl": "",
    "doi": "10.3390/s25144320",
    "abstract": "With the advent of the Internet of Things (IoT), large volumes of sensitive data are produced from IoT devices, driving the adoption of Machine Learning as a Service (MLaaS) to overcome their limited computational resources. However, as privacy concerns in MLaaS grow, the demand for Privacy-Preserving Machine Learning (PPML) has increased. Fully Homomorphic Encryption (FHE) offers a promising solution by enabling computations on encrypted data without exposing the raw data. However, FHE-based neural network inference suffers from substantial overhead due to expensive primitive operations, such as ciphertext rotation and bootstrapping. While previous research has primarily focused on optimizing the efficiency of these computations, our work takes a different approach by concentrating on the rotation keyset design, a pre-generated data structure prepared before execution. We systematically explore three key design spaces (KDS) that influence rotation keyset design and propose an optimized keyset that reduces both computational overhead and memory consumption. To demonstrate the effectiveness of our new KDS design, we present two case studies that achieve up to 11.29× memory reduction and 1.67–2.55× speedup, highlighting the benefits of our optimized keyset.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.625,
    "venue": "Sensors",
    "language": "en"
  },
  {
    "id": "doaj:18416a28415a48bc9b8cf9726445e2a3",
    "title": "A comprehensive survey on secure healthcare data processing with homomorphic encryption: attacks and defenses",
    "authors": [
      "Chian Hui Lee",
      "King Hann Lim",
      "Sivaraman Eswaran"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://doi.org/10.1186/s12982-025-00505-w",
    "pdfUrl": "",
    "doi": "10.1186/s12982-025-00505-w",
    "abstract": "Abstract Healthcare data has risen as a top target for cyberattacks due to the rich amount of sensitive patient information. This negatively affects the potential of advanced analytics and collaborative research in healthcare. Homomorphic encryption (HE) has emerged as a promising technology for securing sensitive healthcare data while enabling computations on encrypted information. This paper conducts a background survey of HE and its various types. It discusses Partially Homomorphic Encryption (PHE), Somewhat Homomorphic Encryption (SHE), Fully Homomorphic Encryption (FHE) and Fully Leveled Homomorphic Encryption (FLHE). A critical analysis of these encryption paradigms’ theoretical foundations, implementation schemes, and practical applications in healthcare contexts is presented. The survey encompasses diverse healthcare domains. It demonstrates HE’s versatility in securing electronic health records (EHRs), enabling privacy-preserving genomic data analysis, protecting medical imaging, facilitating privacy-preserving machine learning (ML), supporting secure federated learning, ensuring confidentiality in clinical trials, and enhancing remote monitoring and telehealth services. A comprehensive examination of potential vulnerabilities in HE systems is conducted. The research systematically investigates various attack vectors, including side-channel attacks, key recovery attacks, chosen plaintext attacks (CPA), chosen ciphertext attacks (CCA), known plaintext attacks (KPA), fault injection attacks (FIA), and lattice attacks. A detailed analysis of potential defense mechanisms and mitigation strategies is provided for each identified threat. The analysis underscores the importance of HE for long-term security and sustainability in healthcare systems.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.625,
    "venue": "Discover Public Health",
    "language": "en"
  },
  {
    "id": "europepmc:PPR1137434",
    "title": "A False Sense of Privacy: Evaluating the Limits of Textual Data Sanitization for Privacy Protection",
    "authors": [
      "Bhuekar A."
    ],
    "date": "2025-12-23",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.20944/preprints202512.2058.v1",
    "pdfUrl": "https://doi.org/10.20944/preprints202512.2058.v1",
    "doi": "10.20944/preprints202512.2058.v1",
    "abstract": "The widespread use of textual data sanitization techniques, such as identifier removal and synthetic data generation, has raised questions about their effectiveness in preserving individual privacy. This study introduced a comprehensive evaluation framework designed to measure privacy leakage in sanitized datasets at a semantic level. The framework operated in two stages: linking auxiliary information to sanitized records using sparse retrieval and evaluating semantic similarity between original and matched records using a language model. Experiments were conducted on two real-world datasets, MedQA and WildChat, to assess the privacy-utility trade-off across various sanitization methods. Results showed that traditional PII removal methods retained significant private information, with over 90% of original claims still inferable. Synthetic data generation demonstrated improved privacy performance, especially when enhanced with differential privacy, though often at the cost of downstream task utility. The evaluation also revealed that text coherence and the nature of auxiliary knowledge significantly influenced re-identification risks. These findings emphasized the limitations of current surface-level sanitization practices and highlighted the need for robust, context-aware privacy mechanisms that balance utility and protection in sensitive textual data releases.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "de"
  },
  {
    "id": "europepmc:41060918",
    "title": "Subtle biases introduced in equity studies through data anonymization.",
    "authors": [
      "Fazendeiro P",
      "Prata P",
      "Ferrão ME."
    ],
    "date": "2025-10-08",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1371/journal.pone.0332441",
    "pdfUrl": "https://europepmc.org/articles/PMC12507250?pdf=render",
    "doi": "10.1371/journal.pone.0332441",
    "abstract": "This work investigates the trade-off between data anonymization and utility, particularly focusing on the implications for equity-related research in education. Using microdata from the 2019 Brazilian National Student Performance Exam (ENADE), the study applies the (ε, δ)-Differential Privacy model to explore the impact of anonymization on the dataset's utility for socio-educational equity analysis. By clustering both the original and anonymized datasets, the research evaluates how group categories related to students' sociodemographic variables, such as gender, race, income, and parental education, are affected by the anonymization process. The results reveal that while anonymization techniques can preserve overall data structure, they can also lead to the suppression or misrepresentation of minority groups, introducing biases that may jeopardise the promotion of educational equity. This finding highlights the importance of involving domain experts in the interpretation of anonymized data, particularly in studies aimed at reducing socio-economic inequalities. The study concludes that careful attention is needed to prevent anonymization efforts from distorting key group categories, which could undermine the validity of data-driven policies aimed at promoting equity.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "PloS one",
    "language": "de"
  },
  {
    "id": "europepmc:41530395",
    "title": "Scalable privacy-preserving data analytics for IoMT via FHE and zk-SNARK-enabled edge aggregation.",
    "authors": [
      "Ben Othman S",
      "Mihret N."
    ],
    "date": "2026-01-13",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1038/s41598-026-35284-0",
    "pdfUrl": "https://europepmc.org/articles/PMC12876899?pdf=render",
    "doi": "10.1038/s41598-026-35284-0",
    "abstract": "The Internet of Medical Things (IoMT) enables real-time health monitoring and intelligent clinical decision-making by continuously collecting and processing sensitive physiological data from wearable, implantable, and edge-connected devices. However, this data aggregation paradigm introduces critical privacy and security challenges, including data leakage, aggregator misbehavior, and adversarial attacks, while existing frameworks often fail to simultaneously ensure confidentiality, verifiability, and efficiency. To address these limitations, we propose MedGuard, a novel end-to-end secure data aggregation framework for IoMT that synergistically integrates Fully Homomorphic Encryption (FHE) based on the CKKS scheme and Groth16 zero-knowledge Succinct Non-Interactive Arguments of Knowledge (zk-SNARKs). MedGuard enables healthcare providers to perform complex analytical queries, such as statistical analysis, anomaly detection, and trend forecasting, directly on encrypted data without decryption, ensuring compliance with privacy regulations. By allowing edge nodes to generate cryptographic proofs of correct computation and enabling cloud-based verification, MedGuard eliminates reliance on trusted intermediaries and mitigates insider threats. Our comprehensive evaluation, conducted in a high-fidelity OMNeT++ 6.0.1 simulation environment with 1,000 IoMT devices, 100 edge nodes, and an Amazon EC2 c5.4xlarge cloud server, uses a hybrid dataset combining real-world and GMM-augmented synthetic data. Results show that MedGuard achieves an end-to-end latency of 64.8 ms, a 13.3% improvement over state-of-the-art baselines, communication efficiency of 1.465 GB/s, per-query energy consumption of 1.489 mJ, and sustained throughputs of 1,200 packets/s, 120 aggregates/s, and 1,200 queries/s. These performance gains, combined with a robust [Formula: see text] security level, demonstrate that MedGuard delivers scalable, verifiable, and privacy-preserving analytics for next-generation sm",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.625,
    "venue": "Scientific reports",
    "language": "de"
  },
  {
    "id": "europepmc:40986522",
    "title": "Ten quick tips for protecting health data using de-identification and perturbation of structured datasets.",
    "authors": [
      "Lulamba TE",
      "Mutemaringa T",
      "Tiffin N."
    ],
    "date": "2025-09-23",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1371/journal.pcbi.1013507",
    "pdfUrl": "https://europepmc.org/articles/PMC12456793?pdf=render",
    "doi": "10.1371/journal.pcbi.1013507",
    "abstract": "Structured patient data generated within the health data ecosystem are shared both internally for operational use and also externally for research and public health benefit. Protecting individual privacy and health data confidentiality in these contexts relies on data de-identification and anonymisation, although there are no universally accepted standards for these processes and the techniques involved can be technically complex. We present practical recommendations grounded in the principle of data minimisation-avoiding unnecessary granularity and identifying variables that could lead to re-identification when combined with other datasets. We provide practical guidance for anonymising and perturbing structured health data in ways that support compliance with data protection laws, describing technical and operational methods for reducing re-identification risk that include rounding numerical values, replacing precise values with ranges, adding jitter to numeric fields, aggregating data, management of date values and separating sensitive fields from identifying data to prevent linkage leading to re-identification. While some methods require advanced technical knowledge, we focus here on accessible strategies that can be implemented without specialist expertise, recognising the importance of the legal and governance frameworks in which anonymisation occurs. These guidelines support researchers, data managers and institutions in sharing health data responsibly, maintaining data utility while upholding privacy and promoting ethical and legal data stewardship for data-driven health research.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "de"
  },
  {
    "id": "europepmc:41068295",
    "title": "A comparative performance analysis of fully homomorphic and attribute-based encryption schemes.",
    "authors": [
      "More KD",
      "Pramod D."
    ],
    "date": "2025-10-09",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1038/s41598-025-19404-w",
    "pdfUrl": "https://europepmc.org/articles/PMC12511287?pdf=render",
    "doi": "10.1038/s41598-025-19404-w",
    "abstract": "To integrate Attribute-Based Encryption (ABE) and Fully Homomorphic Encryption (FHE) within the NS-2 simulation environment, we propose a novel simulation model called FHE and ABE with Fast Exponentiation Optimization (FA-FEO) for smart city environment monitoring. This model evaluates important performance metrics like throughput, latency, memory utilization, power consumption, etc. With networked sensors and devices, the IoT enables efficient data collection and monitoring, but challenges like safe data transfer with energy constraints, and privacy preservation remain crucial. To provide strong data security and privacy while permitting smooth communication across decentralized IoT networks, our approach (FA-FEO) places a strong emphasis on the employment of FHE and ABE. A study of the performance of IoT network communication under basic implementation of FHE, two types of ABE like Ciphertext-policy ABE (CP-ABE) and Key-policy ABE (KP-ABE), and a BASE encryption indicates the significance of both ABE and FHE for practical smart city applications. The proposed model has been evaluated in detail using simulations for smart city environment monitoring scenarios and the results show that it is possible to deal with the overhead caused by FHE and ABE, guaranteeing safe and efficient energy-efficient solutions for scenarios such as environmental monitoring in smart cities.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "de"
  },
  {
    "id": "https://openalex.org/W2922343333",
    "title": "Impact of GDPR (DSGVO) on Smart Medication™ Electronic Patient Diary",
    "authors": [
      "A. Roesch",
      "Daniel L. Schmoldt",
      "W. Mondorf",
      "Ryan G. Fischer"
    ],
    "date": "2019",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1055/s-0039-1680234",
    "pdfUrl": "",
    "doi": "https://doi.org/10.1055/s-0039-1680234",
    "abstract": "Background: May, 25th 2018 the GDPR (english: General Data Protection Regulation, german DSGVO: Datenschutz-Grundverordnung) was coming into effect throughout the European Community. It is shown how the new regulation impacts the smart medication™ platform in respect of data processing of personal health information.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Hämostaseologie",
    "language": "es"
  },
  {
    "id": "https://openalex.org/W3087805438",
    "title": "The Budapest Convention and the General Data Protection Regulation: acting in concert to curb cybercrime?",
    "authors": [
      "David Wicki-Birchler"
    ],
    "date": "2020",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1365/s43439-020-00012-5",
    "pdfUrl": "https://link.springer.com/content/pdf/10.1365/s43439-020-00012-5.pdf",
    "doi": "https://doi.org/10.1365/s43439-020-00012-5",
    "abstract": "Abstract The Budapest Convention and the General Data Protection Regulation (GDPR)—two Legal Frameworks designed to curb cybercrime. While the Convention on Cybercrime of the Council of Europe, the Budapest Convention, is the only binding international instrument on this issue, the GDPR is globally setting standards in data protection Law. How are the two policies working to curb cybercrime? Cybercrime concerns every person, every company, every authority and every public institution. The fact that the origin as well as the target of the criminal act can be located virtually everywhere around the globe sets a new challenge for lawmakers in their efforts to protect society. The increasing use and importance of the Internet of Things will create new conveniences for the public to enjoy and at the same time provide countless new entry points for hackers to gain access to devices, networks and valuable data, all of which might be abused for criminal intents. The Budapest Convention on Cybercrime plays a crucial role in the fight against cybercrime by setting state of the art principle based criminal law standards and important procedural rules with regard to the provisional storage of data to be potentially used as evidence in prosecuting criminal acts. GDPR is blazing the trail for the appropriate handling of data, and is thereby—albeit from a different starting point—significantly contributing to an improved data security framework and thus efficiently curbing cybercrime.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "International Cybersecurity Law Review",
    "language": "en"
  },
  {
    "id": "crossref:10.7551/mitpress/15354.001.0001",
    "title": "Differential Privacy",
    "authors": [
      "Simson L. Garfinkel"
    ],
    "date": "2025-03-25",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.7551/mitpress/15354.001.0001",
    "pdfUrl": "https://link.springer.com/content/pdf/10.1007/978-3-031-02347-7_8",
    "doi": "10.7551/mitpress/15354.001.0001",
    "abstract": "A robust yet accessible introduction to the idea, history, and key applications of differential privacy—the gold standard of algorithmic privacy protection.\n               Differential privacy (DP) is an increasingly popular, though controversial, approach to protecting personal data. DP protects confidential data by introducing carefully calibrated random numbers, called statistical noise, when the data is used. Google, Apple, and Microsoft have all integrated the technology into their software, and the US Census Bureau used DP to protect data collected in the 2020 census. In this book, Simson Garfinkel presents the underlying ideas of DP, and helps explain why DP is needed in today's information-rich environment, why it was used as the privacy protection mechanism for the 2020 census, and why it is so controversial in some communities.\n               When DP is used to protect confidential data, like an advertising profile based on the web pages you have viewed with a web browser, the noise makes it impossible for someone to take that profile and reverse engineer, with absolute certainty, the underlying confidential data on which the profile was computed. The book also chronicles the history of DP and describes the key participants and its limitations. Along the way, it also presents a short history of the US Census and other approaches for data protection such as de-identification and k-anonymity.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "Synthesis Lectures on Information Security, Privacy, and Trust",
    "language": "en"
  },
  {
    "id": "s2:d80cd04151ac1e46add6a87db7b86dcdf93450e2",
    "title": "The Limits of Word Level Differential Privacy",
    "authors": [
      "Justus Mattern",
      "Benjamin Weggenmann",
      "F. Kerschbaum"
    ],
    "date": "2022-05-02",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/d80cd04151ac1e46add6a87db7b86dcdf93450e2",
    "pdfUrl": "http://arxiv.org/pdf/2205.02130",
    "doi": "10.48550/arXiv.2205.02130",
    "abstract": "As the issues of privacy and trust are receiving increasing attention within the research community, various attempts have been made to anonymize textual data. A significant subset of these approaches incorporate differentially private mechanisms to perturb word embeddings, thus replacing individual words in a sentence. While these methods represent very important contributions, have various advantages over other techniques and do show anonymization capabilities, they have several shortcomings. In this paper, we investigate these weaknesses and demonstrate significant mathematical constraints diminishing the theoretical privacy guarantee as well as major practical shortcomings with regard to the protection against deanonymization attacks, the preservation of content of the original sentences as well as the quality of the language output. Finally, we propose a new method for text anonymization based on transformer based language models fine-tuned for paraphrasing that circumvents most of the identified weaknesses and also offers a formal privacy guarantee. We evaluate the performance of our method via thorough experimentation and demonstrate superior performance over the discussed mechanisms.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "NAACL-HLT",
    "language": "en"
  },
  {
    "id": "arxiv:2001.02479",
    "title": "Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence",
    "authors": [
      "Midas Nouwens",
      "Ilaria Liccardi",
      "Michael Veale",
      "David Karger",
      "Lalana Kagal"
    ],
    "date": "2020-01-08",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2001.02479v1",
    "pdfUrl": "https://arxiv.org/pdf/2001.02479v1",
    "doi": "10.1145/3313831.3376321",
    "abstract": "New consent management platforms (CMPs) have been introduced to the web to conform with the EU's General Data Protection Regulation, particularly its requirements for consent when companies collect and process users' personal data. This work analyses how the most prevalent CMP designs affect people's consent choices. We scraped the designs of the five most popular CMPs on the top 10,000 websites in the UK (n=680). We found that dark patterns and implied consent are ubiquitous; only 11.8% meet the minimal requirements that we set based on European law. Second, we conducted a field experiment with 40 participants to investigate how the eight most common designs affect consent choices. We found that notification style (banner or barrier) has no effect; removing the opt-out button from the first page increases consent by 22--23 percentage points; and providing more granular controls on the first page decreases consent by 8--20 percentage points. This study provides an empirical basis for the necessary regulatory action to enforce the GDPR, in particular the possibility of focusing on the centralised, third-party CMP services as an effective way to increase compliance.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "CHI",
    "language": "en"
  },
  {
    "id": "s2:deac825097d3ea71bc9dcbef8574d3afda3a05ad",
    "title": "Art. 20 DSGVO, Leistungsdaten und Profisport",
    "authors": [
      "H. Overkamp"
    ],
    "date": "2025",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/deac825097d3ea71bc9dcbef8574d3afda3a05ad",
    "pdfUrl": "",
    "doi": "10.5771/9783748955405",
    "abstract": "As the commercialization of professional sports progresses, data-driven analyses and forecasts about the performance of individual athletes are playing an increasingly important role. The result is the increasing sporting and commercial value of performance data for the players in the sports industry. Due to this value, there is an interest in the portability of performance data. Such data portability justifies the right to data portability under Art. 20 GDPR. This legal regulation is the focus of the elaboration and is made valuable in an innovative way for the use of performance data in professional sports, while at the same time gaining practically usable insights for the processing of performance data in professional sports.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "s2:46b1314af623c91a8ee864806f60de976741a8af",
    "title": "Das Recht auf Auskunft gemäß Art. 15 DSGVO",
    "authors": [
      "Manuela Deingruber"
    ],
    "date": "2024",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/46b1314af623c91a8ee864806f60de976741a8af",
    "pdfUrl": "",
    "doi": "10.5771/9783748949541",
    "abstract": "The European Court of Justice has now issued a number of rulings on the right of access under data protection law in accordance with Art. 15 GDPR. Nevertheless, ambiguities remain in dealing with the right of access. This paper examines the content and limits of the right under Art. 15 GDPR. In particular, the author examines whether Art. 15 GDPR – contrary to the wording of the German language version – provides for a right of access to personal data, which can be fulfilled in different ways, for example by providing information or copies.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "s2:023c57ceb00fd94cb588b636f8d99b0a0bfb6d6f",
    "title": "Implementierung elektronischer Überwachungseinrichtungen durch Betriebsvereinbarungen vor dem Hintergrund der DSGVO",
    "authors": [
      "Thomas Köllmann"
    ],
    "date": "2021",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/023c57ceb00fd94cb588b636f8d99b0a0bfb6d6f",
    "pdfUrl": "",
    "doi": "10.5771/9783748924876",
    "abstract": "As digitalization progresses, the possibilities for monitoring and surveillance in the employment relationship also increase. With the entry into force of the GDPR at the latest, the discussions about an \"Employee Data Protection Act\" (Beschäftigtendatenschutzgesetz) reignited. The thesis examines - de lege lata - the interaction of European and national requirements in the introduction of electronic surveillance / monitoring equipment in companies. On this basis, current challenges and the corresponding solutions are shown. At the same time, the special role of the business parties (such as works council and personnel department) in the area of data protection is presented. Finally, the question of whether an employee data protection law - de lege ferenda - can provide more legal certainty is being investigated.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "pubmed:32693417",
    "title": "[Non-Interventional Studies in a Large Community Hospital and Implementation of the General Data Protection Regulation (GDPR)].",
    "authors": [
      "Hach, Isabel",
      "Meseli, Filiz"
    ],
    "date": "2020-07-21",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1055/a-1192-5114",
    "pdfUrl": "",
    "doi": "10.1055/a-1192-5114",
    "abstract": "BACKGROUND: The General Data Protection Regulation (GDPR) is applicable as of May 25, 2018 in all member states to harmonize data privacy laws across Europe. GDPR impacts also on medical data research. Non-interventional studies (NIS) in hospital are an important part of health services research and might need to be assessed by the local data protection officer. This study investigates all NIS (in house or sponsored) initiated between April 1, 2017 and July 31, 2018 in Nuremberg Hospital and their methods dealing with the GDPR. MATERIALS AND METHODS: All studies in Nuremberg Hospital have to be reported to the study center of Nuremberg Hospital. We implemented some actions to fulfill GDPR, e. g. checklist for GDPR, quality circle, and all studies were assigned to a data protection officer specialized in scientific and clinical studies. We analyzed in each study the kind of data encryption (e. g., pseudonymous vs. anonymous), the need for approval from the official ethics committee according to §15BO, and the need for approval from the hospital data protection officer. The data was analyzed using descriptive statistics. RESULTS: After GDPR came into effect, more NIS were started (n=77 vs. n=59), especially investigator-initiated NIS increased significantly (+84%, p<0.01). The majority of inhouse studies were dealing with absolute anonymous data (before GDPR: n=28 anonymous vs. n=4 pseudonymous; after R: 51 vs.7; n.s.). 22 studies, mostly IITs (86%), needed a statement of the local data protection officer and used a patient's information. After GDPR 19% of in-house NIS showed the need for a statement of approval from the ethics committee (accordingly to §15BO) (before GDPR 12.5%; n.s.). One year after GDPR was implemented, the average processing time of the data protection officer for an NIS was 10.5 work days. CONCLUSION: Investigator-initiated NIS are an important part of scientific research at Nuremberg Hospital. After GDPR, there was an increase in the number of s",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Gesundheitswesen (Bundesverband der Arzte des Offentlichen Gesundheitsdienstes (Germany))",
    "language": "en"
  },
  {
    "id": "arxiv:1907.10672",
    "title": "Does Facebook Use Sensitive Data for Advertising Purposes? Worldwide Analysis and GDPR Impact",
    "authors": [
      "Ángel Cuevas",
      "José González Cabañas",
      "Aritz Arrate",
      "Rubén Cuevas"
    ],
    "date": "2019-07-23",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/1907.10672v1",
    "pdfUrl": "https://arxiv.org/pdf/1907.10672v1",
    "doi": "10.1145/3426361",
    "abstract": "The recent European General Data Protection Regulation (GDPR) and other data protection regulations restrict the processing of some categories of personal data (health, political orientation, sexual preferences, religious beliefs, ethnic origin, etc.) due to the privacy risks associated to such information. The GDPR refers to these categories as sensitive personal data. This paper quantifies the portion of Facebook (FB) users, across 197 countries, who are labeled with advertising interests linked to potentially sensitive personal data. Our study reveals that Facebook labels 67% of users with potential sensitive interests. This corresponds to 22% of the population in the referred 197 countries. Moreover, our work shows that the GDPR enforcement had a negligible impact in this context since the portion of FB users labeled with sensitive interests in the European Union remains almost the same 5 months before and 9 months after the GDPR was enacted. The paper also illustrates potential risks associated to the use of sensitive interests. For instance, we quantify the portion of FB users labelled with the interest \"Homosexuality\" in countries where being gay may be punished with the death penalty. The last contribution is the implementation of a web browser extension that allows FB users removing in a simple way the potentially sensitive interests FB has assigned them.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:2008.04113",
    "title": "Data Minimization for GDPR Compliance in Machine Learning Models",
    "authors": [
      "Abigail Goldsteen",
      "Gilad Ezov",
      "Ron Shmelkin",
      "Micha Moffie",
      "Ariel Farkash"
    ],
    "date": "2020-08-06",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2008.04113v1",
    "pdfUrl": "https://arxiv.org/pdf/2008.04113v1",
    "doi": "10.1007/s43681-021-00095-8",
    "abstract": "The EU General Data Protection Regulation (GDPR) mandates the principle of data minimization, which requires that only data necessary to fulfill a certain purpose be collected. However, it can often be difficult to determine the minimal amount of data required, especially in complex machine learning models such as neural networks. We present a first-of-a-kind method to reduce the amount of personal data needed to perform predictions with a machine learning model, by removing or generalizing some of the input features. Our method makes use of the knowledge encoded within the model to produce a generalization that has little to no impact on its accuracy. This enables the creators and users of machine learning models to achieve data minimization, in a provable manner.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "crossref:10.56028/aehssr.11.1.164.2024",
    "title": "New Media User Privacy Protection Mechanism Based on Differential Privacy and Data Anonymization",
    "authors": [
      "Yuting Xu",
      "Yanghe Liu",
      "Mingshan Hou"
    ],
    "date": "2024-07-18",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.56028/aehssr.11.1.164.2024",
    "pdfUrl": "https://admin.madison-publishing.com/index.php/aehssr/article/download/2571/2593",
    "doi": "10.56028/aehssr.11.1.164.2024",
    "abstract": "With the rapid development of new media, user privacy issues have become increasingly important. New media platforms, such as TikTok, Twitter, and WhatsApp, process vast amounts of user data daily, including personal information, behavioral data, and social relationships. The extensive collection and use of this data present numerous privacy protection challenges. Many users are not fully aware of how their data is collected and used when using new media platforms, lacking informed consent regarding data collection. Consequently, relying on users to take proactive privacy measures to prevent the disclosure of critical information is difficult to achieve. To address this issue, this paper proposes a privacy protection mechanism that combines differential privacy and data anonymization. The mechanism protects query results through differential privacy techniques and hides user identity information using data anonymization techniques, thereby ensuring user privacy during data analysis and processing. This paper conducts necessary experimental analysis on the proposed method, and the results demonstrate its usability and effectiveness.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "Advances in Education, Humanities and Social Science Research",
    "language": "en"
  },
  {
    "id": "s2:4aedb881a0b6671556935324bc69efb28b77a9f7",
    "title": "SafePub: A Truthful Data Anonymization Algorithm With Strong Privacy Guarantees",
    "authors": [
      "Raffael Bild",
      "K. Kuhn",
      "Fabian Prasser"
    ],
    "date": "2018",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/4aedb881a0b6671556935324bc69efb28b77a9f7",
    "pdfUrl": "https://content.sciendo.com/downloadpdf/journals/popets/2018/1/article-p67.pdf",
    "doi": "10.1515/popets-2018-0004",
    "abstract": "Abstract Methods for privacy-preserving data publishing and analysis trade off privacy risks for individuals against the quality of output data. In this article, we present a data publishing algorithm that satisfies the differential privacy model. The transformations performed are truthful, which means that the algorithm does not perturb input data or generate synthetic output data. Instead, records are randomly drawn from the input dataset and the uniqueness of their features is reduced. This also offers an intuitive notion of privacy protection. Moreover, the approach is generic, as it can be parameterized with different objective functions to optimize its output towards different applications. We show this by integrating six well-known data quality models. We present an extensive analytical and experimental evaluation and a comparison with prior work. The results show that our algorithm is the first practical implementation of the described approach and that it can be used with reasonable privacy parameters resulting in high degrees of protection. Moreover, when parameterizing the generic method with an objective function quantifying the suitability of data for building statistical classifiers, we measured prediction accuracies that compare very well with results obtained using state-of-the-art differentially private classification algorithms.",
    "topics": [
      "data_anonymization",
      "offline_local_processing"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "Proceedings on Privacy Enhancing Technologies",
    "language": "en"
  },
  {
    "id": "openaire:10.69554/uukl8163",
    "title": "General Data Protection Regulation (GDPR) ambiguity, national diversity and data protection officer certification: Implementing Art. 39(1) GDPR in France, Italy, Luxembourg and Spain",
    "authors": [
      "Jacob Kornbeck"
    ],
    "date": "2021-09-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.69554/uukl8163",
    "pdfUrl": "",
    "doi": "10.69554/uukl8163",
    "abstract": "The General Data Protection Regulation (GDPR) of the European Union (EU) does not always make legally binding provisions with unambiguous implications. The implementation of Art. 39(1) GDPR regarding the certification of Data Protection Officers (DPOs) is left to the discretion of Member States. This paper will show what action has been taken by the national data protection authorities (DPAs) of France, Italy, Luxembourg and Spain. Insights gained from examining the four national frameworks, which are quite dissimilar in many ways, will be compared and contrasted. This will lead to a systematic and teleological interpretation, as well as to a more general discussion of GDPR ambiguity and the prospect of fragmentation through national implementation diversity. The paper will conclude with some thoughts on the need for controllers to invest in qualified staff to perform DPO roles, as well as some reflection on the human resources (HR) policies of DPAs.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Journal of Data Protection & Privacy",
    "language": "en"
  },
  {
    "id": "crossref:10.30837/rt.2025.3.222.05",
    "title": "Zero-knowledge proof protocols: theoretical foundations and applications in modern cryptography",
    "authors": [
      "R.I. Mordvinov"
    ],
    "date": "2025-09-18",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.30837/rt.2025.3.222.05",
    "pdfUrl": "http://rt.nure.ua/article/download/343483/331321",
    "doi": "10.30837/rt.2025.3.222.05",
    "abstract": "The article presents a comprehensive overview of zero-knowledge proof (ZKP) protocols as a fundamental concept of modern cryptography. The historical background of their emergence and the main properties ensuring reliability and confidentiality, i.e., completeness, soundness, and zero-knowledge — are considered. A classification of protocols into interactive and non-interactive ones is provided, with a special focus on modern solutions such as the zk-SNARK and the zk-STARK. The mathematical foundations of ZKPs are described in detail, including discrete logarithm proofs, the use of homomorphic encryption, polynomial commitments, hashing, and elliptic curves. Practical application areas are analyzed, including cryptocurrencies (Zcash, Ethereum), authentication systems, digital identity, and electronic voting. The advantages of using ZKPs are shown, such as enhanced privacy, reduced need for trusted intermediaries, and strengthened security. At the same time, key challenges are outlined, including scalability, implementation complexity, the problem of trusted setup, and potential vulnerability to quantum computing. It is concluded that zero-knowledge proof protocols are a powerful tool for ensuring confidentiality and reliability of digital systems, while further research is aimed at creating more efficient and quantum-resistant solutions.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.625,
    "venue": "Radiotekhnika",
    "language": "en"
  },
  {
    "id": "crossref:10.1093/oso/9780198841982.003.0003",
    "title": "The Development of European Data Protection Law and Regulation",
    "authors": [
      "David Erdos"
    ],
    "date": "2019-12-05",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.1093/oso/9780198841982.003.0003",
    "pdfUrl": "https://academic.oup.com/book/chapter-pdf/57593641/oso-9780198841982-chapter-3.pdf",
    "doi": "10.1093/oso/9780198841982.003.0003",
    "abstract": "Abstract\n               This chapter explores the development of European data protection, both as a codified form of regulation and as a human right, from its inception to the present day. In contrast to more ʻclassicalʼ rights, such as freedom of expression and even privacy, data protection only emerged as a discrete concept with the rise of computer power in the 1970s. The focus in Europe from this time has been on elaborating a progressively more detailed and harmonized regulatory code to govern the processing of personal data across the EU and wider European Economic Area (EEA). Advisory Council of Europe Resolutions in the 1970s led to a binding but optional Data Protection Convention in the 1980s, to a mandatory Data Protection Directive in the 1990s, and finally to a General Data Protection Regulation (GDPR) in the 2010s which is directly applicable across the EU. In addition, data protection has increasingly been recognized as a fundamental right and, in particular, was included within the EU Charter that was drafted in 2000 and acquired pan-EU legal status in 2009. These developments have dovetailed with the emergence of a significant body of relevant Court of Justice of the EU (CJEU) jurisprudence. However, the regulatory Data Protection Authorities (DPAs) also remain critical interpretative actors and have issued a number of important opinions including through the Article 29 Working Party that under the GDPR has become the European Data Protection Board.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "European Data Protection Regulation, Journalism, and Traditional Publishers",
    "language": "en"
  },
  {
    "id": "crossref:10.1093/oso/9780198841982.003.0009",
    "title": "The Future Shape of European Data Protection Regulation and Professional Journalism",
    "authors": [
      "David Erdos"
    ],
    "date": "2019-12-05",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.1093/oso/9780198841982.003.0009",
    "pdfUrl": "https://academic.oup.com/book/chapter-pdf/57593913/oso-9780198841982-chapter-9.pdf",
    "doi": "10.1093/oso/9780198841982.003.0009",
    "abstract": "Abstract\n               This chapter explores the approach European Data Protection Authorities (DPAs) should take to their role vis-à-vis the professional journalistic media under the General Data Protection Regulation (GDPR). Such an approach must take into account the contextual trend within European Court of Human Rights case law, the growth of a stricter Court of Justice of the European Union data protection jurisprudence, and continuing severe resource constraints. In the area of standards, DPAs should endorse a broad construction of the journalistic derogation that encompasses news/media archives but should also promote a specific and structured approach to contextual balancing within this derogation. Such detailed standard-setting raises acute sensitivities. Therefore, guidance should be formulated through a co-regulatory process which adopts the GDPR’s code of conduct provisions as a broad guideline. Enforcement remains even more delicate, potentially very expensive, but nevertheless vital. A strategic co-regulatory approach is appropriate here too. DPAs should encourage self-regulatory monitoring mechanisms and, in cases where these meet the criteria laid down in the GDPR, should defer to them other than when particular systematic or serious issues arise. If such criteria are not satisfied, DPAs need to deploy their powers proactively across the board. Finally, where no self-regulatory mechanism exists, DPAs must independently ensure a proportionate response to all complaints and issues that arise. Media regulation rightly remains largely within State jurisdiction. Therefore, the European Data Protection Regulation should avoid coercive intervention here. Nevertheless, it should play a valuable ʻsoftʼ role through drafting non-binding guidance and promoting information exchange, dialogue, and cooperation.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "European Data Protection Regulation, Journalism, and Traditional Publishers",
    "language": "en"
  },
  {
    "id": "crossref:10.69554/tbru2322",
    "title": "Internet of things data protection and privacy in the era of the General Data Protection Regulation",
    "authors": [
      "Abhik Chaudhuri"
    ],
    "date": "2016-12-01",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.69554/tbru2322",
    "pdfUrl": "",
    "doi": "10.69554/tbru2322",
    "abstract": "The emerging internet of things (IoT) technology has immense potential for unprecedented business offerings in various domains. To provide reliable IoT products and services that comply with regulatory demands, businesses must meet users’ data protection and privacy needs. With the General Data Protection Regulation (GDPR) coming into force from 24th May, 2016 and applicable from 25th May, 2018, IoT businesses must strategise privacy alignment for their products or services by incorporating in their design the privacy and data protection capabilities necessary for regulatory compliance and gaining user trust. This paper discusses the associated data protection and user privacy concerns, making reference to such IoT service offerings as smart retail, the smart home, smart wearables, smart health devices, smart television and smart toys. The three steps to privacy alignment strategy discussed in this paper comprise the privacy inquisition (PI) analysis model, the IoT privacy impact assessment (iPIA) and the privacy state transition process through which IoT businesses pass on their path to attaining ‘perfect alignment’ with respect to the GDPR data protection requirements and user privacy needs. Privacy inquisition, iPIA and privacy state transition should be performed on a periodic basis, preferably under the guidance of a privacy governance board with supervisory authority and representation from the organisation’s board of directors, the controller and the data protection officer.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Journal of Data Protection & Privacy",
    "language": "en"
  },
  {
    "id": "openaire:10.69554/jvii4684",
    "title": "Data subject consent: How will the General Data Protection Regulation affect this?",
    "authors": [
      "Hana Ross"
    ],
    "date": "2017-04-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.69554/jvii4684",
    "pdfUrl": "",
    "doi": "10.69554/jvii4684",
    "abstract": "<jats:p xml:lang=\"en\">EU data protection law assumes an innate right to privacy. Current consent requirements are contained in Directive 95/46/EC, which sets the standard of consent given by data subjects as ‘freely given, specific and informed’. The General Data Protection Regulation (GDPR) is due to come into force in 2018. The standard of consent is being raised to being ‘freely given, specific, informed and unambiguous’. The current Article 29 Working Party approach to consent sets a high bar. The Information Commissioner’s Office (ICO) has a more relaxed position than the Article 29 Working Party. Obtaining consent to direct marketing is challenging. The ICO view is that consent should be given on an opt-in rather than opt-out basis. Indirect consent is particularly difficult to obtain. Article 7(3) of the GDPR will give data subjects the right to revoke their consent at any time. The e-Privacy Directive governing electronic marketing is currently under review and will bring with it crucial changes that are expected to harmonise with the GDPR. Best practice advocates a layered approach to privacy notices. Privacy notices can be used as a tool to enhance customer engagement experiences.</jats:p>",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Journal of Data Protection & Privacy",
    "language": "en"
  },
  {
    "id": "crossref:10.11591/ijece.v14i4.pp4686-4696",
    "title": "Big data anonymization using Spark for enhanced privacy protection",
    "authors": [
      "Abdelmadjid Guessoum Graba",
      "Adil Toumouh"
    ],
    "date": "2024-08-01",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.11591/ijece.v14i4.pp4686-4696",
    "pdfUrl": "https://ijece.iaescore.com/index.php/IJECE/article/viewFile/35089/17583",
    "doi": "10.11591/ijece.v14i4.pp4686-4696",
    "abstract": "This article introduces an advanced solution for anonymizing large-scale sensitive data, addressing the limitations of traditional approaches when applied to vast datasets. By leveraging the Spark distributed computing framework, we propose a method that parallelizes the data anonymization process, enhancing efficiency and scalability. Utilizing Spark's resilient distributed datasets (RDD), the approach integrates two primary operations, Map_RDD and ReduceByKey_RDD, to execute the anonymization tasks. Our comprehensive experimental evaluation demonstrates our solution's effectiveness and improved performance in preserving data privacy while balancing data utility and confidentiality. A significant contribution of our study is the development of a wide array of solutions for data owners, particularly notable for a 500 MB dataset at an anonymity level of K=100, where our methodology produces 832 unique solutions. This study also opens avenues for future research in applying different privacy models within the Spark ecosystem, such as l-diversity and t-closeness.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "International Journal of Electrical and Computer Engineering (IJECE)",
    "language": "en"
  },
  {
    "id": "crossref:10.1088/1742-6596/1616/1/012034",
    "title": "Personal Data Protection and Anonymization in the Process of Data Commodity Trading",
    "authors": [
      "Jing Su",
      "Jiale Gai",
      "Yaqing Si",
      "Xinyu Zheng",
      "Guangkai Li",
      "Zhixue Liu"
    ],
    "date": "2020-08-01",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.1088/1742-6596/1616/1/012034",
    "pdfUrl": "https://iopscience.iop.org/article/10.1088/1742-6596/1616/1/012034/pdf",
    "doi": "10.1088/1742-6596/1616/1/012034",
    "abstract": "Big data brings tremendous commercial value, but at the same time, it also leads to personal information leakage and other problems. This paper analyses the laws and regulations of the personal information and anonymization at home and abroad, and discusses the legal identification criterion of personal information, personal data and data anonymization systematically. And combining with the practice, this paper provides general methods for anonymizing data with personal privacy when they are used or traded by companies.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "Journal of Physics: Conference Series",
    "language": "en"
  },
  {
    "id": "crossref:10.54648/gplr2025017",
    "title": "Opinion: Towards a Legal Reconceptualization of Algorithmic ‘Inferences’ as ‘Collection’ of Personal Data under the GDPR",
    "authors": [
      "Divyam Krishna"
    ],
    "date": "2025-07-01",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.54648/gplr2025017",
    "pdfUrl": "https://kluwerlawonline.com/journalarticle/Global+Privacy+Law+Review/6.2/GPLR2025017",
    "doi": "10.54648/gplr2025017",
    "abstract": "The consensus from the techno-legal literature is that the standing provisions of the General Data Protection Regulation (GDPR) do not offer meaningful protections against legal harms arising from the process of algorithmic inferences of psychological traits. However, this literature presupposes that the computational processes of inference and collection of personal data deserve separate legal treatments. This opinion makes the provocative argument that despite being computationally distinct, these two processes must be treated as legally equivalent and accordingly, inter alia, algorithmic inferences must be subjected to the rigours of data minimization in the same way as collection of personal data within the GDPR. In this process, this opinion takes a first principles approach to furnish the necessary taxonomy and conceptual underpinnings to ground the legal logic behind recent decision of the Court of Justice of the European Union (CJEU) in Maximilian Schrems v. Meta Platforms.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Global Privacy Law Review",
    "language": "en"
  },
  {
    "id": "crossref:10.69554/frkj2284",
    "title": "Privacy nutrition labels, App Store and the GDPR: Unintended consequences?",
    "authors": [
      "Miloš Novović"
    ],
    "date": "2023-01-01",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.69554/frkj2284",
    "pdfUrl": "",
    "doi": "10.69554/frkj2284",
    "abstract": "In an effort to increase the transparency of personal data processing carried out via applications listed on their mobile store, Apple recently announced the launch of privacy nutrition labels (PNLs). Aimed at informing users about an application's use of data, these card-like labels are prominently visible on each application's App Store page. This paper explores whether such disclosures made via PNLs can help data controllers fulfil their duty of transparency under the EU General Data Protection Regulation (GDPR). It establishes that the PNLs, in their current, highly standardised fashion, cannot convey the mandatory obligations required by the GDPR. Added to this, they cannot adequately supplement existing privacy policies, either — as they neither serve an adequate role as a ‘first layer’ of a privacy notice, nor help communicate information more efficiently. However, the paper finds that the PNLs might serve another purpose: enhancing data controllers' internal compliance routines. PNLs, even with their current limitations, can bring tangible improvements to cross-functional communication, third-party sharing awareness, records of processing accuracy, adherence to the data protection principles and adequate resource assignment. The overall conclusion of the paper, counterintuitive as it might appear, is that PNLs should be viewed as an organisational measure-enhancing mechanism rather than a transparency tool.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Journal of Data Protection & Privacy",
    "language": "en"
  },
  {
    "id": "openaire:10.2139/ssrn.2992042",
    "title": "Old Wine with a New Label: Rights of Data Subjects Under GDPR",
    "authors": [
      "Sandeep Mittal"
    ],
    "date": "2017-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.2139/ssrn.2992042",
    "pdfUrl": "",
    "doi": "10.2139/ssrn.2992042",
    "abstract": "Recent reforms in the data privacy protection framework in the European Union have led to the enactment of the General Data Protection Regulation (GDPR). However, it remains debatable whether the GDPR will lead to significant improvements in the protection of the privacy rights of individuals, which are always classified as fundamental rights. The advent of technology, the movement of data across geographical barriers, and the outsourcing of data processing jobs to countries outside the EU necessitated the enactment of the GDPR. Although some of the provisions of the GDPR remain generically similar to analogous provisions in the 1995 Data Protection Directive, the GDPR differs in some respects. As a “Regulation,” not a “Directive,” the GDPR is better equipped to overcome the problem of harmonization across the EU member-states. Furthermore, the GDPR incorporates the ‘right to be forgotten,’ clarifies and fortifies the concept of consent, provides data protection by design and default, increases the accountability of data controllers, and expands the jurisdictional scope of the Directive to include some extra-territorial (i.e., non-EU) data processors and controllers. It remains to be seen whether the GDPR is an old wine with the new label or something new in a wine bottle.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1093/oso/9780198826491.001.0001",
    "title": "The EU General Data Protection Regulation (GDPR)",
    "authors": [
      "Russell, Scott"
    ],
    "date": "2020-02-13",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1093/oso/9780198826491.001.0001",
    "pdfUrl": "http://hdl.handle.net/2142/99959",
    "doi": "10.1093/oso/9780198826491.001.0001",
    "abstract": "<jats:title>Abstract</jats:title>                <jats:p>This new book provides an article-by-article commentary on the new EU General Data Protection Regulation. Adopted in April 2016 and applicable from May 2018, the GDPR is the centrepiece of the recent reform of the EU regulatory framework for protection of personal data. It replaces the 1995 EU Data Protection Directive and has become the most significant piece of data protection legislation anywhere in the world. This book is edited by three leading authorities and written by a team of expert specialists in the field from around the EU and representing different sectors (including academia, the EU institutions, data protection authorities, and the private sector), thus providing a pan-European analysis of the GDPR. It examines each article of the GDPR in sequential order and explains how its provisions work, thus allowing the reader to easily and quickly elucidate the meaning of individual articles. An introductory chapter provides an overview of the background to the GDPR and its place in the greater structure of EU law and human rights law. Account is also taken of closely linked legal instruments, such as the Directive on Data Protection and Law Enforcement that was adopted concurrently with the GDPR, and of the ongoing work on the proposed new E-Privacy Regulation.</jats:p>",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1007/978-3-319-99713-1_5",
    "title": "The EU’s General Data Protection Regulation (GDPR) in a Research Context",
    "authors": [
      "Mondschein, Christopher",
      "Monda, Cosimo"
    ],
    "date": "2018-12-22",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1007/978-3-319-99713-1_5",
    "pdfUrl": "https://link.springer.com/content/pdf/10.1007%2F978-3-319-99713-1_5.pdf",
    "doi": "10.1007/978-3-319-99713-1_5",
    "abstract": "<jats:title>Abstract</jats:title><jats:p>This chapter introduces the rational and regulatory mechanism underlying the EU data protection framework with specific focus on the EU’s General Data Protection Regulation (GDPR). It outlines the applicability of the research exemption included in the GDPR and discusses further or secondary use of personal data for research purposes.</jats:p>",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:S1472669618000063",
    "title": "Data Protection in UK Library and Information Services: Are We Ready for GDPR?",
    "authors": [
      "Josephine Bailey"
    ],
    "date": "2018-03-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1017/s1472669618000063",
    "pdfUrl": "",
    "doi": "10.1017/s1472669618000063",
    "abstract": "<jats:title>Abstract</jats:title><jats:p>Against a backdrop of increasing data security and privacy concerns, current data protection law will soon be overhauled by the General Data Protection Regulation (GDPR). Previous research has indicated a lack of data protection management in libraries, however, it has been nine years since the latest study. This article by Josephine Bailey aims to provide an updated review of the extent of data protection management in UK library and information services and gauge preparation for the incoming GDPR.</jats:p>",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Legal Information Management",
    "language": "en"
  },
  {
    "id": "openaire:10.21533/iuslawjournal.v1i1.9",
    "title": "Privacy between Regulation and Technology: GDPR and the Blockchain",
    "authors": [
      "Asim Jusić"
    ],
    "date": "2022-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.21533/iuslawjournal.v1i1.9",
    "pdfUrl": "",
    "doi": "10.21533/iuslawjournal.v1i1.9",
    "abstract": "<jats:p>Compliance with the GDPR while using blockchain technology for data processing results in compliance issues, due to the fact that the blockchain and the GDPR employ different methods to ensure privacy-by-design and privacy-by-default. The blockchain is built on disintermediation and relative decentralization, whereas the GDPR aims for re-intermediation and relative centralization of the data protection process. This paper provides an overview of and suggestions on how to secure compliance with the GDPR while processing data using the blockchain. A focus is placed on the data protection impact assessment on the blockchain network, issues in identifying and determining the role(s) of sole and joint data controllers and data processors, obstacles to exercising the right to rectification and right to be forgotten when the data is recorded on the blockchain, GDPR data transfer requirements as applied to the blockchain, and the protection of privacy in the process of creating blockchain-based smart contracts.</jats:p>",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.21125/edulearn.2019.0555",
    "title": "GENERAL DATA PROTECTION REGULATION IMPLEMENTATION IN HIGHER EDUCATION INSTITUTIONS",
    "authors": [
      "Aurimas Šidlauskas",
      "Tadas Limba"
    ],
    "date": "2019-07-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.21125/edulearn.2019.0555",
    "pdfUrl": "",
    "doi": "10.21125/edulearn.2019.0555",
    "abstract": "The General Data Protection Regulation, more commonly known as “GDPR”, is a regulation in the European Union law implemented since the 25th of May, 2018. It aims to increase data protection for EU citizens and individuals within the European Economic Area and simplify international regulations by unifying the European system. The GDPR is a law that protects the personal information of all EU citizens, regardless of where their personal information is located and stored. The GDPR aims to give EU citizens greater protection and control of their personal information. Regulation coverage extends to all organizations – whether or not they have physical EU footprints – that control or process the personal information of EU citizens. Many higher education institutions are gaining international students at a high rate throughout their various online education programs. If any portion of your online educations student base is made up of EU citizens, you will want to ensure that you have GDPR compliance plans in place. The scientific problem, GDPR leaves much to interpretation and higher education institutions unaware of how to implement GDPR requirements. The main purpose of this article is to provide an action plan to help higher education institutions implement GDPR requirements. Tasks: 1. Identify the key aspects that GDPR should have on conceptual impact on data protection law. 2. Describe the challenges faced by higher education institutions in implementing the GDPR. 3. Provide a GDPR implementation model. In this scientific article, methods of document analysis, scientific literature review, case study and generalization are used.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:S2352711024001924",
    "title": "GDPR consent management and automated compliance verification tool",
    "authors": [
      "Chhetri, Tek Raj",
      "Fensel, Anna",
      "DeLong, Rance J."
    ],
    "date": "2024-09-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1016/j.softx.2024.101821",
    "pdfUrl": "",
    "doi": "10.1016/j.softx.2024.101821",
    "abstract": "This paper presents our scalable and interoperable tool for GDPR (General Data Protection Regulation) consent management and automated compliance verification. The tool enables GDPR-compliant data sharing and is beneficial to the industries that process personally identifiable data. The tool has been designed following the GDPR data protection by design principles and has been successfully validated against real-world industrial use case scenarios in smart cities and insurance.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.69554/epnj3857",
    "title": "Blockchain and the GDPR: Coexisting in contradiction?",
    "authors": [
      "John Timmons",
      "Tim Hickman"
    ],
    "date": "2020-06-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.69554/epnj3857",
    "pdfUrl": "",
    "doi": "10.69554/epnj3857",
    "abstract": "<jats:p xml:lang=\"en\">The recent adoption of the General Data Protection Regulation (GDPR) has fundamentally altered the legal landscape in the European Union and beyond with respect to data protection. Organisations that process personal data must ensure their data-processing practices are compliant with the requirements of the GDPR, irrespective of the technology used. The use of new technologies to process personal data can lead to additional complexities from a compliance perspective, particularly where the technology has intrinsic features that appear to be at odds with certain fundamental requirements of data protection law. This is an issue that applies to the use of blockchain technology as key features of the technology do not, at first glance, appear to be consistent with the requirements of the GDPR. While it is accurate to state that the GDPR has created some challenges regarding the adoption of blockchain technology to process personal data, these challenges are not necessarily insurmountable. This paper discusses the most pertinent challenges to the adoption of blockchain technology from a data protection compliance perspective.</jats:p>",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:26663570(20230501)4:2;1-Z",
    "title": "The Personal Data Under the GDPR: Concept, Elements, and Boundaries",
    "authors": [
      "A. B. Menezes Cordeiro"
    ],
    "date": "2023-05-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.54648/gplr2023009",
    "pdfUrl": "",
    "doi": "10.54648/gplr2023009",
    "abstract": "<jats:p><jats:italic>The concept of personal data plays a foundational role in data protection law. The application of the General Data Protection Regulation (GDPR), as well as virtually all other national or transnational legislation that regulates the processing of personal data, depends on the identification of an actual personal data. Despite being a concept that is perfectly consolidated, especially within the European Union, its exact boundaries continue to raise some questions from an application point of view, particularly with regard to the element of identifiable.</jats:italic></jats:p> <jats:p><jats:italic>In this article, we intend to examine the origins of the concept of personal data and analyse its various elements and boundaries under the GDPR</jats:italic></jats:p> <jats:p>data protection, privacy, personal data, GDPR, identifiable information</jats:p>",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1177/0266382118777808",
    "title": "GDPR",
    "authors": [
      "Claire Laybats",
      "John Davies"
    ],
    "date": "2018-06-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1177/0266382118777808",
    "pdfUrl": "https://link.springer.com/content/pdf/10.1007/978-1-4842-7968-7_1",
    "doi": "10.1177/0266382118777808",
    "abstract": "<jats:p> This article discusses the main changes to data protection regulation with the introduction of the General Data Protection Regulation (GDPR) that comes into effect on 25 May 2018. It considers the effect on organizations coming under its jurisdiction through an interview with John Davies, Managing Director of digital agency Reading Room, and then goes on to consider the implications for organizations currently out of the geographical area the GDPR controls. It finally considers the implications for the future as the GDPR becomes established. </jats:p>",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Blockchain and Regulation",
    "language": "en"
  },
  {
    "id": "openaire:10.1145/3277570.3277590",
    "title": "An Ontology Capturing the Interdependence of the General Data Protection Regulation (GDPR) and Information Security",
    "authors": [
      "Melisa Geko",
      "Simon Tjoa"
    ],
    "date": "2018-11-15",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1145/3277570.3277590",
    "pdfUrl": "",
    "doi": "10.1145/3277570.3277590",
    "abstract": "High returns for processing personal data and low penalties for privacy violations led to the circumstance that protection of privacy was often not considered a priority. To counter this habit and to harmonize data protection laws throughout the European Union, the EU-Commission has adopted the General Data Protection Regulation (GDPR), clarifying data subject rights and ensuring an appropriate level of privacy protection. Through high penalties for non-compliance (i.e. up to 2% - 4% of the annual worldwide turnover), GDPR was able to put high pressure on organizations to comply with the requirements. However, studies have shown that organizations are often overwhelmed by the actual requirements. In this paper, we therefore aim to support organization to understand this complex topic by providing an ontology-based data protection knowledge base, which highlights the interdependency of GDPR and information security.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "CECC",
    "language": "en"
  },
  {
    "id": "openaire:10.1007/978-3-319-99136-8_19",
    "title": "Verifiable Decryption for Fully Homomorphic Encryption",
    "authors": [
      "Fucai Luo",
      "Kunpeng Wang"
    ],
    "date": "2018-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1007/978-3-319-99136-8_19",
    "pdfUrl": "",
    "doi": "10.1007/978-3-319-99136-8_19",
    "abstract": "Verifiable decryption allows one to prove the correct decryption of encrypted data. When the encrypted data is derived from homomorphic evaluations in the context of fully homomorphic encryption (FHE), verifiable decryption will be very useful in cloud computing or cryptographic protocols, e.g., secure medical computation, cryptographically verifiable election, etc. In this paper, we consider the problem of proving the correct decryption of an FHE ciphertext. Namely, we are interested in zero-knowledge proofs of knowledge of triples \\((m, \\mathbf {s}, \\mathbf {c})\\) such that the message m is the correct decryption of a ciphertext \\(\\mathbf {c}\\) for a secret key \\(\\mathbf {s}\\). While analogous statements admit efficient zero-knowledge proof protocols in the discrete logarithm setting, they have never been addressed in FHE so far. We provide such verifiable decryption for Brakerski-Gentry-Vaikuntanathan (BGV) scheme, since this scheme was recognized as one of the most efficient leveled FHE schemes. Our solution is nearly “one shot”, in the sense that a single instance of the proof already has negligible soundness error, yielding compact proofs even for individual ciphertexts. Furthermore, to illustrate the applicability of verifiable decryption, we also give two example instantiations.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:5017332",
    "title": "Developing with Compliance in Mind: Addressing Data Protection Law, Cybersecurity Regulation, and AI Regulation During Software Development",
    "authors": [
      "Bjørn Aslak Juliussen",
      "Jon Petter Rui",
      "Dag Johansen"
    ],
    "date": "2023-08-08",
    "platform": "hal",
    "sourceUrl": "https://inria.hal.science/hal-05017332v1",
    "pdfUrl": "https://inria.hal.science/hal-05017332/document",
    "doi": "10.1007/978-3-031-57978-3_6",
    "abstract": "This paper explores the concept of complying with relevant legal requirements when developing software systems. Specifically, it focuses on data protection law, cybersecurity regulation, and Artificial Intelligence (AI) regulation requirements in the software system development processes. The paper analyses the impact of three key regulatory frameworks in the European Union: the General Data Protection Regulation (GDPR), the Network and Information Security (NIS) 2 Directive, and the proposed Artificial Intelligence Act (AIA). The article examines the interplay and potential conflicts between different requirements in these rule sets. Towards the end of the paper, some suggestions are made for achieving alignment with these regulations in software systems, enabling concurrent compliance with the GDPR, the NIS 2 Directive, and the AIA, in situations where all the regulations enter into effect simultaneously.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Privacy and Identity Management",
    "language": "en"
  },
  {
    "id": "openaire:10.70015/ril_v59_n233_p201",
    "title": "The use of AI in digital health services and privacy regulation in GDPR and LGPD: between revolution and (dis)respect",
    "authors": [
      "Mateus de Oliveira Fornasier"
    ],
    "date": "2022-03-31",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.70015/ril_v59_n233_p201",
    "pdfUrl": "",
    "doi": "10.70015/ril_v59_n233_p201",
    "abstract": "<jats:p>This article studies the complexity of protecting personal data in the face of the challenges and risks that data collection and processing by AI offer to the fundamental right to privacy. Its hypothesis is that the General Data Protection Regulation (GDPR) and the Brazilian General Data Protection Law (LGPD) are not sufficient to cover several of the problems that emerge from the capture and treatment of sensitive data by companies that develop devices and services based on AI, although such laws have many important points for the regulation of such activities. Thus, new dialogic understandings, in addition to State regulatory efforts, must be developed. Methodology: hypothetical-deductive procedure method, with a qualitative approach and bibliographic review research technique</jats:p>",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.2139/ssrn.3643979",
    "title": "Privacy Rights and Data Security: GDPR and Personal Data Driven Markets",
    "authors": [
      "Tony Ke",
      "K. Sudhir"
    ],
    "date": "2020-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.2139/ssrn.3643979",
    "pdfUrl": "https://doi.org/10.2139/ssrn.3643979",
    "doi": "10.2139/ssrn.3643979",
    "abstract": "The paper investigates how the two key features of GDPR (EU’s data protection regulation)— privacy rights and data security—impact personal data driven markets. First, GDPR recognizes that individuals own and control their data in perpetuity, leading to three critical privacy rights: (i) right to explicit consent (data opt-in), (ii) right to be forgotten (data erasure), and (iii) right to portability (switch data to competitor). Second, GDPR has data security mandates protection against privacy breaches through unauthorized access. The right to explicit opt-in allows goods exchange without data exchange. Erasure and portability rights discipline firms to provide ongoing value and reduces consumers’ holdup using their own data. Overall, privacy rights restrict legal collection and use, while data security protects against illegal access and use. We develop a two- period model of forward-looking firms and consumers where consumers exercise data privacy rights balancing the cost (privacy breach, price discrimination) and benefits (product personalization, price subsidies) of sharing data with firms. We find that by reducing expected privacy breach costs, data security mandates increase opt-in, consumer surplus and firm profit. Privacy rights reduce opt-in and mostly increase consumer surplus at the expense of firm profits; interestingly they hurt firms more in competitive than in monopolistic markets. While privacy rights can reduce surplus for both firms and consumers, these conditions are unlikely to be realized when breach risk is endogenized. Further, by unbundling data exchange from goods exchange, privacy rights facilitate trade in goods that may otherwise fail to occur due to privacy breach risk.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "SSRN Electronic Journal",
    "language": "en"
  },
  {
    "id": "openaire:10.30574/wjarr.2020.5.1.0053",
    "title": "Homomorphic encryption for privacy-preserving computation",
    "authors": [
      "Nataraja B S",
      "Meenakshi R",
      "Shwetha T P"
    ],
    "date": "2020-01-30",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.30574/wjarr.2020.5.1.0053",
    "pdfUrl": "",
    "doi": "10.30574/wjarr.2020.5.1.0053",
    "abstract": "With the rapid advancement of cloud computing and data outsourcing, ensuring data privacy has emerged as a critical challenge. Traditional encryption methods protect data at rest and in transit but require decryption for processing, exposing sensitive information to potential security threats. Homomorphic encryption (HE) offers a promising cryptographic solution by enabling computations directly on encrypted data without the need for decryption, thereby maintaining privacy throughout the computational process. This paper provides a comprehensive analysis of various homomorphic encryption schemes, including partially homomorphic encryption (PHE), somewhat homomorphic encryption (SHE), leveled fully homomorphic encryption (LFHE), and fully homomorphic encryption (FHE). Each scheme is evaluated based on its computational complexity, security guarantees, and practical applicability in real-world scenarios. Additionally, the study explores key applications of HE in privacy-preserving machine learning, secure cloud computing, healthcare data security, and financial transactions. To assess the efficiency and feasibility of different HE techniques, the paper presents comparative analyses using tables and bar charts. These evaluations highlight the trade-offs between security strength, computational overhead, and practical implementation challenges. Furthermore, recent advancements in hardware acceleration, algorithmic optimizations, and hybrid cryptographic approaches are discussed to address the performance limitations of HE.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.26740/jieet.v7n1.p49-58",
    "title": "The Application of Fully Homomorphic Encryption on XGBoost Based Multiclass Classification",
    "authors": [
      "Rini Deviani"
    ],
    "date": "2023-06-30",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.26740/jieet.v7n1.p49-58",
    "pdfUrl": "",
    "doi": "10.26740/jieet.v7n1.p49-58",
    "abstract": "Fully Homomorphic Encryption (FHE) is a groundbreaking cryptographic technique that allows computations to be performed directly on encrypted data, preserving privacy and security. This paper explores the application of Fully Homomorphic Encryption on Extreme Gradient Boosting (XGBoost) multiclass classification, demonstrating its potential to enable secure and privacy-preserving machine learning. The paper presents a framework for training and evaluating XGBoost models using encrypted data, leveraging FHE operations for encrypted feature engineering, model training, and inference. The experimental results showcase the feasibility of applying Fully Homomorphic Encryption to XGBoost-based multiclass classification tasks while maintaining data confidentiality. The findings highlight the trade-off between computation complexity and model accuracy in FHE-based approaches and provide insights into the challenges and future directions of utilizing Fully Homomorphic Encryption in practical machine learning scenarios. The study underscores the significance of privacy-preserving machine learning techniques and paves the way for secure data analysis in sensitive domains where data privacy is of utmost importance.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1109/bibe.2019.00169",
    "title": "Privacy Protection with Pseudonymization and Anonymization In a Health IoT System: Results from OCARIoT",
    "authors": [
      "Sérgio Luís Ribeiro",
      "Emilio Tissato Nakamura"
    ],
    "date": "2019-10-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1109/bibe.2019.00169",
    "pdfUrl": "http://xplorestaging.ieee.org/ielx7/8936463/8941582/08941690.pdf?arnumber=8941690",
    "doi": "10.1109/bibe.2019.00169",
    "abstract": "This paper presents the implementation of a users' privacy protection approach in a health Internet of Things (IoT) system. It is composed of a set of security layers based on cryptography, pseudonymization and anonymization techniques applied to processed (Data-In-Use, DIU), stored (Data-At-Rest, DAR) and transmitted (Data-In-Motion, DIM) data. Regarding security and privacy in IoT systems, especially in digital health systems, it is necessary to guarantee that the user rights are respected. This requires a security-in-depth strategy established based on risk-based results, every interconnecting actors, their security and privacy requirements and the specific aspects of the entire ecosystem, including the applications and platform. The presented privacy protection approach was developed and applied in a digital health platform, OCARIoT.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "2019 IEEE 19th International Conference on Bioinformatics and Bioengineering (BIBE)",
    "language": "en"
  },
  {
    "id": "doaj:7051dbd2db8a4cc38135ca26a1efb3d9",
    "title": "Toward Privacy Preservation Using Clustering Based Anonymization: Recent Advances and Future Research Outlook",
    "authors": [
      "Abdul Majeed",
      "Safiullah Khan",
      "Seong Oun Hwang"
    ],
    "date": "2022",
    "platform": "doaj",
    "sourceUrl": "https://ieeexplore.ieee.org/document/9775092/",
    "pdfUrl": "https://ieeexplore.ieee.org/ielx7/6287639/6514899/09775092.pdf",
    "doi": "10.1109/access.2022.3175219",
    "abstract": "With the continuous increase in avenues of personal data generation, privacy protection has become a hot research topic resulting in various proposed mechanisms to address this social issue. The main technical solutions for guaranteeing a user’s privacy are encryption, pseudonymization, anonymization, differential privacy (DP), and obfuscation. Despite the success of other solutions, anonymization has been widely used in commercial settings for privacy preservation because of its algorithmic simplicity and low computing overhead. It facilitates unconstrained analysis of published data that DP and the other latest techniques cannot offer, and it is a mainstream solution for responsible data science. In this paper, we present a comprehensive analysis of clustering-based anonymization mechanisms (CAMs) that have been recently proposed to preserve both privacy and utility in data publishing. We systematically categorize the existing CAMs based on heterogeneous types of data (tables, graphs, matrixes, etc.), and we present an up-to-date, extensive review of existing CAMs and the metrics used for their evaluation. We discuss the superiority and effectiveness of CAMs over traditional anonymization mechanisms. We highlight the significance of CAMs in different computing paradigms, such as social networks, the internet of things, cloud computing, AI, and location-based systems with regard to privacy preservation. Furthermore, we present various proposed representative CAMs that compromise individual privacy, rather than safeguarding it. Besides, this article provides an extended knowledge (e.g., key assertion(s), strengths, weaknesses, clustering methods used in the anonymization process, and percentage improvements in quantitative results) about each technique that provides a clear view of how much this topic has been investigated thus far, and what are the research gaps that seek pertinent solutions in the near future. Finally, we discuss the technical challenges of applying CAMs, and we suggest promising opportunities for future research. To the best of our knowledge, this is the first work to systematically cover current CAMs involving different data types and computing paradigms.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "IEEE Access",
    "language": "en"
  },
  {
    "id": "openaire:10.1007/978-3-030-71885-5_7",
    "title": "Pseudonymization and Anonymization of Radiology Data",
    "authors": [
      "van Ooijen, Peter",
      "Aryanto, Kadek Yota Ernanda"
    ],
    "date": "2021-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1007/978-3-030-71885-5_7",
    "pdfUrl": "https://link.springer.com/content/pdf/10.1007/978-3-030-71885-5_7",
    "doi": "10.1007/978-3-030-71885-5_7",
    "abstract": "The necessity to protect patient or participant privacy when using imaging data for other purposes than clinical care requires the de-identification of these data. Although rules concerning de-identification exist in the standards and tools are available both in commercial and freeware software, careful consideration of the whole de-identification process is still required.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "Imaging Informatics for Healthcare Professionals",
    "language": "en"
  },
  {
    "id": "openaire:10.56553/popets-2023-0014",
    "title": "Designing a Location Trace Anonymization Contest",
    "authors": [
      "Murakami, Takao",
      "Arai, Hiromi",
      "Hamada, Koki",
      "Hatano, Takuma",
      "Iguchi, Makoto",
      "Kikuchi, Hiroaki",
      "Kuromasa, Atsushi",
      "Nakagawa, Hiroshi",
      "Nakamura, Yuichi",
      "Nishiyama, Kenshiro",
      "Nojima, Ryo",
      "Oguri, Hidenobu",
      "Watanabe, Chiemi",
      "Yamada, Akira",
      "Yamaguchi, Takayasu",
      "Yamaoka, Yuji"
    ],
    "date": "2023-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.56553/popets-2023-0014",
    "pdfUrl": "",
    "doi": "10.56553/popets-2023-0014",
    "abstract": "For a better understanding of anonymization methods for location traces, we have designed and held a location trace anonymization contest that deals with a long trace (400 events per user) and fine-grained locations (1024 regions). In our contest, each team anonymizes her original traces, and then the other teams perform privacy attacks against the anonymized traces. In other words, both defense and attack compete together, which is close to what happens in real life. Prior to our contest, we show that re-identification alone is insufficient as a privacy risk and that trace inference should be added as an additional risk. Specifically, we show an example of anonymization that is perfectly secure against re-identification and is not secure against trace inference. Based on this, our contest evaluates both the re-identification risk and trace inference risk and analyzes their relationship. Through our contest, we show several findings in a situation where both defense and attack compete together. In particular, we show that an anonymization method secure against trace inference is also secure against re-identification under the presence of appropriate pseudonymization. We also report defense and attack algorithms that won first place, and analyze the utility of anonymized traces submitted by teams in various applications such as POI recommendation and geo-data analysis.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1109/services.2019.00101",
    "title": "Policy-Based De-Identification Test Framework",
    "authors": [
      "Armin Gerl",
      "Stefan Becher"
    ],
    "date": "2019-07-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1109/services.2019.00101",
    "pdfUrl": "",
    "doi": "10.1109/services.2019.00101",
    "abstract": "Protecting privacy of individuals is a basic right, which has to be considered in our data-centered society in which new technologies emerge rapidly. To preserve the privacy of individuals de-identifying technologies have been developed including pseudonymization, personal privacy anonymization, and privacy models. Each having several variations with different properties and contexts which poses the challenge for the proper selection and application of de-identification methods. We tackle this challenge proposing a policy-based de-identification test framework for a systematic approach to experimenting and evaluation of various combinations of methods and their interplay. Evaluation of the experimental results regarding performance and utility is considered within the framework. We propose a domain-specific language, expressing the required complex configuration options, including data-set, policy generator, and various de-identification methods.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "World Congress on Services",
    "language": "en"
  },
  {
    "id": "openaire:app112210740",
    "title": "Efficiently Supporting Online Privacy-Preserving Data Publishing in a Distributed Computing Environment",
    "authors": [
      "Kim, Jong Wook"
    ],
    "date": "2021-11-14",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.3390/app112210740",
    "pdfUrl": "https://www.mdpi.com/2076-3417/11/22/10740/pdf?version=1637046541",
    "doi": "10.3390/app112210740",
    "abstract": "There has recently been an increasing need for the collection and sharing of microdata containing information regarding an individual entity. Because microdata typically contain sensitive information on an individual, releasing it directly for public use may violate existing privacy requirements. Thus, extensive studies have been conducted on privacy-preserving data publishing (PPDP), which ensures that any microdata released satisfy the privacy policy requirements. Most existing privacy-preserving data publishing algorithms consider a scenario in which a data publisher, receiving a request for the release of data containing personal information, anonymizes the data prior to publishing—a process that is usually conducted offline. However, with the increasing demand for the sharing of data among various parties, it is more desirable to integrate the data anonymization functionality into existing systems that are capable of supporting online query processing. Thus, we developed a novel scheme that is able to efficiently anonymize the query results on the fly, and thus support efficient online privacy-preserving data publishing. In particular, given a user’s query, the proposed approach effectively estimates the generalization level of each quasi-identifier attribute, thereby achieving the k-anonymity property in the query result datasets based on the statistical information without applying k-anonymity on all actual datasets, which is a costly procedure. The experiment results show that, through the proposed method, significant gains in processing time can be achieved.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "Applied Sciences",
    "language": "en"
  },
  {
    "id": "openaire:10.1109/dapps49028.2020.00003",
    "title": "A Data-Driven Analysis of Blockchain Systems' Public Online Communications on GDPR",
    "authors": [
      "Sağlam, Rahime Belen",
      "Aslan, Çağrı B.",
      "Li, Shujun",
      "Dickson, Lisa",
      "Pogrebna, Ganna"
    ],
    "date": "2020-08-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1109/dapps49028.2020.00003",
    "pdfUrl": "",
    "doi": "10.1109/dapps49028.2020.00003",
    "abstract": "After the European Union's new General Data Protection Regulation (GDPR) became applicable in May 2018, concerns about the legal compliance of public blockchain systems with rights guaranteed by GDPR have emerged, e.g., on the \"right to be forgotten\". In order to better understand how the blockchain sector sees the challenges raised by GDPR and how their communications could influence their users, this paper reports our data-driven analysis of GDPR-related public online communications of blockchain developers and service providers. Our analysis covers 314 public blockchain systems, and two different online communication channels: legal documents including privacy policies, T&C (Terms and Conditions) documents and other similar legal documents published on systems’ official websites and public tweets of their official Twitter accounts. Our analysis revealed that only a minority (86/314≈27.5%) of the investigated blockchain systems had covered GDPR at least once using one or both communication channels. Among the 86 systems, only 27 systems (8.6%) had at least one legal document that actually talks about GDPR for the corresponding blockchain system. We noticed a systematic lack of detail about why and how the GDPR compliance issue was addressed, and most systems made questionable statements about GDPR compliance. The results are surprising considering that the GDPR was enacted in 2016 and has been in effect since May 2018.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:4395464",
    "title": "Comparison of Legal Systems for Data Portability in the EU, the US and Japan and the Direction of Legislation in Japan",
    "authors": [
      "Mika Nakashima"
    ],
    "date": "2022-09-08",
    "platform": "hal",
    "sourceUrl": "https://inria.hal.science/hal-04395464v1",
    "pdfUrl": "https://inria.hal.science/hal-04395464/document",
    "doi": "10.1007/978-3-031-15688-5_14",
    "abstract": "The General Data Protection Regulation (GDPR) is legislation for the protection of personal data that applies in the EU. Article 20 of the GDPR stipulates the Right to data portability as one of the rights of data subjects. The monopoly on data held by digital platforms, such as GAFA (Google, Amazon, Facebook, Apple), is becoming a significant issue, and in this context, there is a need for the right to data portability in terms of not only the right of data subjects to reclaim their personal data but also promoting competition among businesses. The California Consumer Privacy Act (CCPA) of 2018 is the first comprehensive legislation for the protection of personal data in the US, albeit at the state level, with provisions similar to the EU GDPR; the CCPA establishes the Right of access and portability in Section 1798.100 as one of the rights of consumers. The California Privacy Rights Act (CPRA), passed in 2021, amends the CCPA to further strengthen the rights stipulated therein. The Bill of the Consumer Online Privacy Rights Act of 2019 (CORPA) was introduced in the Congress in 2019 and may become the first comprehensive legislation for the protection of personal information in the US at the state level. In recent years, in addition to the GDPR in the EU and the CCPA, the CPRA and the CORPA in the US, provisions relating to the obligation of data portability from the perspective of policy on competition are also included in the new Digital Markets Act (DMA) proposed in the EU and the (federal-level) ACCESS proposed in the US. This study compares the legal systems of the EU, the US and Japan with regard to data portability and shows the direction of legislation in Japan.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.2139/ssrn.4205933",
    "title": "Consent Management Platforms Under the GDPR: Processors and/or Controllers?",
    "authors": [
      "Santos, Cristiana",
      "Nouwens, Midas",
      "Toth, Michael",
      "Bielova, Nataliia",
      "Roca, Vincent"
    ],
    "date": "2021-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.2139/ssrn.4205933",
    "pdfUrl": "https://inria.hal.science/hal-03169436/document",
    "doi": "10.2139/ssrn.4205933",
    "abstract": "Consent Management Providers (CMPs) provide consent pop-ups that are embedded in ever more websites over time to enable streamlined compliance with the legal requirements for consent mandated by the ePrivacy Directive and the General Data Protection Regulation (GDPR). They implement the standard for consent collection from the Transparency and Consent Framework (TCF) (current version v2.0) proposed by the European branch of the Interactive Advertising Bureau (IAB Europe). Although the IAB's TCF specifications characterize CMPs as data processors, CMPs' factual activities often qualify them as data controllers instead. Discerning their clear role is crucial since compliance obligations and CMPs' liability depend on their accurate characterization. We perform empirical experiments with two major CMP providers in the EU, Quantcast and OneTrust, paired with a legal analysis. We conclude that CMPs process personal data, and we identify multiple scenarios wherein CMPs are controllers.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:3182599",
    "title": "GDPR Modelling for Log-Based Compliance Checking",
    "authors": [
      "Colombe De Montety",
      "Thibaud Antignac",
      "Christophe Slim"
    ],
    "date": "2019-07-17",
    "platform": "hal",
    "sourceUrl": "https://inria.hal.science/hal-03182599v1",
    "pdfUrl": "https://inria.hal.science/hal-03182599/document",
    "doi": "10.1007/978-3-030-33716-2_1",
    "abstract": "Since the entry into force of the General Data Protection Regulation (GDPR), public and private organizations face unprecedented challenges to ensure compliance with new data protection rules. To help its implementation, academics and technologists proposed innovative solutions leading to what is known today as privacy engineering. Among the main goals of these solutions are to enable compliant data processing by controllers and to increase trust in compliance by data subjects. While data protection by design (Article 25 of GDPR) constitutes a keystone of the regulation, many legacy systems are not designed and implemented with this concept in mind, but still process large quantities of personal data. Consequently, there is a need for “after design” ways to check compliance and remediate to data protection issues. In this paper, we propose to monitor and check the compliance of legacy systems through their logs. In order to make it possible, we modelled a core subset of the GDPR in the Prolog language. The approach we followed produced an operational model of the GDPR which eases the interactions with standard operational models of Information Technology (IT) systems. Different dimensions required to properly address data protection obligations have been covered, and in particular time-related properties such as retention time. The logic-based GDPR model has also been kept as close as possible to the legal wording to allow a Data Protection Officer to explore the model in case of need. Finally, even if we don’t have a completed tool yet, we created a proof-of-concept framework to use the GDPR model to detect data protection compliance violations by monitoring the IT system logs.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1109/caipt.2017.8320669",
    "title": "A study of performance enhancement in big data anonymization",
    "authors": [
      "Sung-Bong Jang"
    ],
    "date": "2017-08-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1109/caipt.2017.8320669",
    "pdfUrl": "",
    "doi": "10.1109/caipt.2017.8320669",
    "abstract": "This paper presents schemes to solve problems that arise when k-anonymity and l-diversity are applied to Big-Data anonymization. The first problem is that information loss and distortion are unavoidable in an anonymization job. To reduce the distortion, this paper presents an efficient method that is based on deep anonymization detection. In the method, data publishers analyze the anonymization work, and determine if it is deep or light. If it is judged to be deep anonymization, high information distortion is allowed when being distributed to a third party after anonymization. Otherwise, information distortion is kept as low as possible when anonymizing Big-Data to provide the receivers with more meaningful data. The decision for deep anonymization is done by considering a domain data characteristic, data receiver's purpose, and data criticality. The second problem is that it takes much time and requires large buffer space to process the anonymization. To solve the problem, this paper presents enhanced read/write schemes.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.62051/ijcsit.v4n3.15",
    "title": "Is Data Anonymization an Effective Way to Protect Privacy or Not",
    "authors": [
      "Yiping Han",
      "Xinqian Lu"
    ],
    "date": "2024-11-24",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.62051/ijcsit.v4n3.15",
    "pdfUrl": "",
    "doi": "10.62051/ijcsit.v4n3.15",
    "abstract": "This paper examines whether data anonymization is an effective method for protecting personal privacy. With the rapid development of the Internet and artificial intelligence, data has become a key driver of modern societal development, but it also raises ethical and technological challenges regarding privacy protection. Data anonymization protects sensitive data by encrypting it and removing personally identifiable information, aiming to reduce the likelihood of identifying individuals within a dataset. The article analyzes the benefits of data anonymization, including the protection of personal privacy, facilitation of data sharing and transactions, and enhancement of data value utilization, while also highlighting the risks associated with data anonymization, particularly the potential for de-anonymization techniques to re-identify personal data, thereby threatening privacy. The study emphasizes that, despite the risks of data misuse, the rational use of data can bring significant positive value to society. The paper concludes that data anonymization itself is not the problem; the real threat lies in data de-anonymization. To maximize benefits, data anonymization should be used rationally, and risks associated with data de-anonymization should be mitigated through various methods. The article suggests that data collectors should prioritize the protection of sensitive data, and regulatory bodies should strengthen the protection of personal data privacy, adopting technologies such as differential privacy to reduce the risk of data correlation attacks.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::168edf3c586e0a172c4ef63bd15a6640",
    "title": "A Comprehensive Review of Data Anonymization Techniques",
    "authors": [
      "Dhananjay M.Kanade",
      "Prof. Dr. Cherish S. Sane"
    ],
    "date": "2025-11-22",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.5281/zenodo.17678323",
    "pdfUrl": "",
    "doi": "10.5281/zenodo.17678323",
    "abstract": "The exponential growth of data across healthcare, education, social networks, automotive systems, and cloud environments has intensified the need for robust and practical data anonymization strategies. This review synthesizes findings from multiple contemporary research works addressing anonymization frameworks, distributed anonymization, privacy–utility trade-offs, vulnerability analysis, clustering-based anonymization, diversity constraints, encryption-assisted anonymization, and novel methods including DNA-computing-based storage. The review identifies methodological advances, evaluates performance and scalability, and highlights challenges such as re-identification vulnerabilities, attribute sensitivity, bias propagation, and trade-offs between utility and privacy. The comparative analysis shows that while traditional techniques such as k-anonymity and l-diversity remain foundational, modern solutions integrate machine learning, distributed architectures, encryption, and clustering and mechanism design. Finally, the review outlines future research directions for developing context-aware, utility-optimized, and adversary-resistant anonymization systems suitable for heterogeneous and large-scale data ecosystems.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1109/punecon.2018.8745425",
    "title": "Anonymization Techniques for Protecting Privacy: A Survey",
    "authors": [
      "Ambika Pawar",
      "Swati Ahirrao",
      "Prathamesh P. Churi"
    ],
    "date": "2018-11-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1109/punecon.2018.8745425",
    "pdfUrl": "http://xplorestaging.ieee.org/ielx7/8742695/8745313/08745425.pdf?arnumber=8745425",
    "doi": "10.1109/punecon.2018.8745425",
    "abstract": "Anonymization is a fruitful privacy protection technique used in various technology fields such as data mining, cloud computing, and big data to secure very sensitive data against third parties. In today’s world, the value and the amount of data are increasing, hence the protection of data against all possible threats is equally necessary. This paper gives a brief overview of data anonymization and differential privacy techniques. The anonymization techniques studied by researchers across various fields have limitations such as communication and computation cost overhead, accuracy of results after data anonymization, and the possibility of different types of attacks. The paper discusses all these issues and their countermeasures through readings of various papers. Finally, this paper presents a detailed discussion of existing anonymization techniques (data anonymization and differential privacy) and their comparative analysis, leaving footprints for future research directions.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "2018 IEEE Punecon",
    "language": "en"
  },
  {
    "id": "openaire:10.1007/978-3-319-93354-2_5",
    "title": "How to Quantify Graph De-anonymization Risks",
    "authors": [
      "Wei-Han Lee",
      "Changchang Liu",
      "Shouling Ji",
      "Prateek Mittal",
      "Ruby B. Lee"
    ],
    "date": "2018-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1007/978-3-319-93354-2_5",
    "pdfUrl": "",
    "doi": "10.1007/978-3-319-93354-2_5",
    "abstract": "An increasing amount of data are becoming publicly available over the Internet. These data are released after applying some anonymization techniques. Recently, researchers have paid significant attention to analyzing the risks of publishing privacy-sensitive data. Even if data anonymization techniques were applied to protect privacy-sensitive data, several de-anonymization attacks have been proposed to break their privacy. However, no theoretical quantification for relating the data vulnerability against de-anonymization attacks and the data utility that is preserved by the anonymization techniques exists.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1109/sai.2015.7237310",
    "title": "A study of usability-aware network trace anonymization",
    "authors": [
      "Kato Mivule",
      "Blake Anderson"
    ],
    "date": "2015-07-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1109/sai.2015.7237310",
    "pdfUrl": "",
    "doi": "10.1109/sai.2015.7237310",
    "abstract": "The publication and sharing of network trace data is critical to the advancement of collaborative research among various entities, both in government, private sector, and academia. However, due to the sensitive and confidential nature of the data involved, entities have to employ various anonymization techniques to meet legal requirements in compliance with confidentiality policies. Nevertheless, the very composition of network trace data makes it a challenge when applying anonymization techniques. On the other hand, basic application of microdata anonymization techniques on network traces is problematic and does not deliver the necessary data usability. Therefore, as a contribution, we point out some of the ongoing challenges in the network trace anonymization. We then suggest usability-aware anonymization heuristics by employing microdata privacy techniques while giving consideration to usability of the anonymized data. Our preliminary results show that with trade-offs, it might be possible to generate anonymized network traces with enhanced usability, on a case-by-case basis using micro-data anonymization techniques.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1007/978-3-031-54204-6_16",
    "title": "Analyzing Continuous K$_{s}$-Anonymization for Smart Meter Data",
    "authors": [
      "Brunn, Carolin",
      "Nuñez von Voigt, Saskia",
      "Tschorsch, Florian"
    ],
    "date": "2024-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1007/978-3-031-54204-6_16",
    "pdfUrl": "",
    "doi": "10.1007/978-3-031-54204-6_16",
    "abstract": "Data anonymization is crucial to allow the widespread adoption of some technologies, such as smart meters. However, anonymization techniques should be evaluated in the context of a dataset to make meaningful statements about their eligibility for a particular use case. In this paper, we therefore analyze the suitability of continuous ks-anonymization with CASTLE for data streams generated by smart meters. We compare CASTLE’s continuous, piecewise ks-anonymization with a global process in which all data is known at once, based on metrics like information loss and properties of the sensitive attribute. Our results suggest that continuous ks-anonymization of smart meter data is reasonable and ensures privacy while having comparably low utility loss.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1145/1672308.1672310",
    "title": "The role of network trace anonymization under attack",
    "authors": [
      "Martin Burkhart",
      "Dominik Schatzmann",
      "Brian Trammell",
      "Elisa Boschi",
      "Bernhard Plattner"
    ],
    "date": "2010-01-07",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1145/1672308.1672310",
    "pdfUrl": "",
    "doi": "10.1145/1672308.1672310",
    "abstract": "In recent years, academic literature has analyzed many attacks on network trace anonymization techniques. These attacks usually correlate external information with anonymized data and successfully de-anonymize objects with distinctive signatures. However, analyses of these attacks still underestimate the real risk of publishing anonymized data, as the most powerful attack against anonymization is traffic injection. We demonstrate that performing live traffic injection attacks against anonymization on a backbone network is not difficult, and that potential countermeasures against these attacks, such as traffic aggregation, randomization or field generalization, are not particularly effective. We then discuss tradeoffs of the attacker and defender in the so-called injection attack space. An asymmetry in the attack space significantly increases the chance of a successful de-anonymization through lengthening the injected traffic pattern. This leads us to re-examine the role of network data anonymization. We recommend a unified approach to data sharing, which uses anonymization as a part of a technical, legal, and social approach to data protection in the research and operations communities.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1109/aina.2014.20",
    "title": "Graph Anonymization Using Machine Learning",
    "authors": [
      "Maag, Maria Laura",
      "Denoyer, Ludovic",
      "Gallinari, Patrick"
    ],
    "date": "2014-05-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1109/aina.2014.20",
    "pdfUrl": "",
    "doi": "10.1109/aina.2014.20",
    "abstract": "Data privacy is a major problem that has to be considered before releasing datasets to the public or even to a partner company that would compute statistics or make a deep analysis of these data. This is insured by performing data anonymization as required by legislation. In this context, many different anonymization techniques have been proposed in the literature. These methods are usually specific to a particular de-anonymization procedure - or attack - one wants to avoid, and to a particular known set of characteristics that have to be preserved after the anonymization. They are difficult to use in a general context where attacks can be of different types, and where measures are not known to the anonymizer. The paper proposes a novel approach for automatically finding an anonymization procedure given a set of possible attacks and a set of measures to preserve. The approach is generic and based on machine learning techniques. It allows us to learn directly an anonymization function from a set of training data so as to optimize a tradeoff between privacy risk and utility loss. The algorithm thus allows one to get a good anonymization procedure for any kind of attacks, and any characteristic in a given set. Experiments made on two datasets show the effectiveness and the genericity of the approach.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::e6b28478fba5222b672b8e5650e5f184",
    "title": "Data supporting the work \"Subtle biases introduced in equity studies through data anonymization\"",
    "authors": [
      "Fazendeiro, Paulo"
    ],
    "date": "2024-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.17605/osf.io/p9m7n",
    "pdfUrl": "",
    "doi": "10.17605/osf.io/p9m7n",
    "abstract": "This work explores the trade-offs between data anonymization and utility, with a specific focus on its implications for equity-related research in education. Using microdata from the 2019 Brazilian National Student Performance Exam (ENADE), the study applies the (ε, δ)-Differential Privacy model to analyze how anonymization impacts socio-educational equity assessments. Employing unsupervised clustering and clustering validity analysis, the research examines how anonymization affects group categories associated with key sociodemographic variables, such as gender, race, income, and parental education. The findings reveal that while anonymization techniques often preserve the overall structural integrity of datasets, they can also suppress or distort the representation of minority groups, introducing biases that may undermine equity-focused research objectives.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1007/978-3-319-23633-9_26",
    "title": "De-identification of Unstructured Clinical Data for Patient Privacy Protection",
    "authors": [
      "Stephane M. Meystre"
    ],
    "date": "2015-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1007/978-3-319-23633-9_26",
    "pdfUrl": "",
    "doi": "10.1007/978-3-319-23633-9_26",
    "abstract": "The adoption of Electronic Health Record (EHR) systems is growing at a fast pace in the United States and in Europe, and this growth results in very large quantities of patient clinical information becoming available in electronic format, with tremendous potential, but also equally growing concern for patient confidentiality breaches. Secondary use of clinical information is essential to fulfil the promises for high quality healthcare, improved healthcare management, and effective clinical research. De-identification of patient information has been proposed as a solution to both facilitate secondary use of clinical information, and protect patient information confidentiality. Most clinical information found in the EHR is unstructured and represented as narrative text, and de-identification of clinical text is a tedious and costly manual endeavor. Automated approaches based on Natural Language Processing have been implemented and evaluated, allowing for much faster de-identification than manual approaches. This chapter introduces clinical text-de-identification in general, and then focuses on recent efforts and studies at the U.S. Veterans Health Administration. It includes the origins and definition of text de-identification in the United States and Europe and a discussion about text anonymization. It also presents methods applied for text de-identification, examples of clinical text de-identification applications, and U.S. Veterans Health Administration clinical text de-identification efforts.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1109/nana.2019.00046",
    "title": "Data Privacy Quantification and De-identification Model Based on Information Theory",
    "authors": [
      "Zeyu Zhang",
      "Zhiyang Lu",
      "Youliang Tian"
    ],
    "date": "2019-10-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1109/nana.2019.00046",
    "pdfUrl": "",
    "doi": "10.1109/nana.2019.00046",
    "abstract": "De-identification enables to protect privacy of data from different attacks. At present, the specific de-identification standards and privacy quantification methods are given in many models, such as K-anonymity model and differential privacy model. But, the K-anonymity model does not provide an effective method to prove its degree of privacy protection, and when the model parameters change, the degree of privacy protection cannot be quantified. And due to rigorous calculation method of the differential privacy model, which quantifies the degree of privacy protection based on a mathematical basis, it is difficult to be used widely in organizations and institutions. So, this paper proposes a de-identification model, which includes quantification solution of identifying the sensitivity of the personal information, de-identification approach for adaptively matching different standard de-identification methods to personal information with different sensitivities and de-identification effect detection function. The objective is to provide an automatic, efficient and widely used de-identification model, which is built by quantitatively analyzing degree of privacy protection based on conditional entropy. Finally, performance analysis results show that the model makes the trade-off between privacy and secure of data and the widespread use of data.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.20885/khazanah.vol12.iss2.art64",
    "title": "Comparative Study of Children’s Personal Data Protection Regulation on COPPA (Children’s Online Privacy Protection Act) and Children and GDPR",
    "authors": [
      "Hidayatun Nafi'ah",
      "athifah Nur Hasna"
    ],
    "date": "2020-12-13",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.20885/khazanah.vol12.iss2.art64",
    "pdfUrl": "",
    "doi": "10.20885/khazanah.vol12.iss2.art64",
    "abstract": "Background: Personal data is the most fundamental right for everyone including children. Children are the most vulnerable subjects when it comes to the processing of personal data, it is because they do not have awareness and understanding of the risks of misuse of personal data. Regulations regarding the protection of children's personal data in Indonesia are already contained in the draft of personal data protection law but with very limited guidance. Through this comparative study, researchers wanted to compare the United States' COPPA (Children's Online Privacy Protection Act) with the Children and GDPR by the United Kingdom. Both of these regulations are very detailed in regulating the protection of children's personal data. This study will provide a clearer picture of children’s privacy protection regulations so that it can be used as a reference for Indonesia's draft of personal data protection law in regard to the rights of children's privacy. Method: This comparative research uses qualitative descriptive methods with library research and approach. Result: There are fundamental differences regarding the form of guidance, the definition of child, the perpetrator processing of the child's personal data, and things that are included in the child's personal data. Conclusion: The application of children's personal data protection is adjusted to the values and cultures of the country.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:S0020025515009032",
    "title": "New directions in anonymization: Permutation paradigm, verifiability by subjects and intruders, transparency to users",
    "authors": [
      "Josep Domingo-Ferrer",
      "Krishnamurty Muralidhar"
    ],
    "date": "2016-04-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1016/j.ins.2015.12.014",
    "pdfUrl": "",
    "doi": "10.1016/j.ins.2015.12.014",
    "abstract": "There are currently two approaches to anonymization: \"utility first\" (use an anonymization method with suitable utility features, then empirically evaluate the disclosure risk and, if necessary, reduce the risk by possibly sacrificing some utility) or \"privacy first\" (enforce a target privacy level via a privacy model, e.g., k-anonymity or epsilon-differential privacy, without regard to utility). To get formal privacy guarantees, the second approach must be followed, but then data releases with no utility guarantees are obtained. Also, in general it is unclear how verifiable is anonymization by the data subject (how safely released is the record she has contributed?), what type of intruder is being considered (what does he know and want?) and how transparent is anonymization towards the data user (what is the user told about methods and parameters used?). We show that, using a generally applicable reverse mapping transformation, any anonymization for microdata can be viewed as a permutation plus (perhaps) a small amount of noise; permutation is thus shown to be the essential principle underlying any anonymization of microdata, which allows giving simple utility and privacy metrics. From this permutation paradigm, a new privacy model naturally follows, which we call (d,v)-permuted privacy. The privacy ensured by this method can be verified by each subject contributing an original record (subject-verifiability) and also at the data set level by the data protector. We then proceed to define a maximum-knowledge intruder model, which we argue should be the one considered in anonymization. Finally, we make the case for anonymization transparent to the data user, that is, compliant with Kerckhoffs's assumption (only the randomness used, if any, must stay secret).",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1145/1503402.1503413",
    "title": "Towards trajectory anonymization",
    "authors": [
      "NERGIZ M. E",
      "ATZORI, MAURIZIO",
      "SAYGIN Y",
      "GUÇ B."
    ],
    "date": "2008-11-04",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1145/1503402.1503413",
    "pdfUrl": "",
    "doi": "10.1145/1503402.1503413",
    "abstract": "Trajectory datasets are becoming more and more popular due to the massive usage of GPS and other location-based devices and services. In this paper, we address privacy issues regarding the identification of individuals in static trajectory datasets. We provide privacy protection by defining trajectory k-anonymity, meaning every released information refers to at least k users/trajectories. We propose a novel generalization-based approach that applies to trajectories and sequences in general. We also suggest the use of a simple random reconstruction of the original dataset from the anonymization, to overcome possible drawbacks of generalization approaches. We present a utility metric that maximizes the probability of a good representation and propose trajectory anonymization techniques to address time and space sensitive applications. The experimental results over synthetic trajectory datasets show the effectiveness of the proposed approach.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1109/icitr51448.2020.9310884",
    "title": "Evaluation of Re-identification Risks in Data Anonymization Techniques Based on Population Uniqueness",
    "authors": [
      "P.L.M Kelani Bandara",
      "HMN Dilum Bandara",
      "Shantha Fernando"
    ],
    "date": "2020-12-02",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1109/icitr51448.2020.9310884",
    "pdfUrl": "",
    "doi": "10.1109/icitr51448.2020.9310884",
    "abstract": "With the increasing appetite for publicly available personal data for various analytics and decision making, due care must be taken to preserve the privacy of data subjects before any disclosure of data. Though many data anonymization techniques are available, there is no holistic understanding of their risk of re-identification and the conditions under which they could be applied. Therefore, it is imperative to study the risk of re-identification of anonymization techniques across different types of datasets. In this paper, we assess the re-identification risk of four popular anonymization techniques against four different datasets. We use population uniqueness to evaluate the risk of re-identification. As per the analysis, k-anonymity shows the lowest re-identification risk for unbiased samples of the population datasets. Moreover, our findings also emphasize that the risk assessment methodology should depend on the chosen dataset. Furthermore, for the datasets with higher linkability, the risk of re-identification measured using the uniqueness is much lower than the real risk of re-identification.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1197/jamia.m2716",
    "title": "Protecting Privacy Using k-Anonymity",
    "authors": [
      "Khaled, El Emam",
      "Fida Kamal, Dankar"
    ],
    "date": "2008-09-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1197/jamia.m2716",
    "pdfUrl": "",
    "doi": "10.1197/jamia.m2716",
    "abstract": "Objective: There is increasing pressure to share health information and even make it publicly available. However, such disclosures of personal health information raise serious privacy concerns. To alleviate such concerns, it is possible to anonymize the data before disclosure. One popular anonymization approach is k-anonymity. There have been no evaluations of the actual re-identification probability of k-anonymized data sets. Design: Through a simulation, we evaluated the re-identification risk of k-anonymization and three different improvements on three large data sets. Measurement: Re-identification probability is measured under two different re-identification scenarios. Information loss is measured by the commonly used discernability metric. Results: For one of the re-identification scenarios, k-Anonymity consistently over-anonymizes data sets, with this over-anonymization being most pronounced with small sampling fractions. Over-anonymization results in excessive distortions to the data (i.e., high information loss), making the data less useful for subsequent analysis. We found that a hypothesis testing approach provided the best control over re-identification risk and reduces the extent of information loss compared to baseline k-anonymity. Conclusion: Guidelines are provided on when to use the hypothesis testing approach instead of baseline k-anonymity.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "europepmc:38313429",
    "title": "Purpose definition as a crucial step for determining the legal basis under the GDPR: implications for scientific research.",
    "authors": [
      "Becker R",
      "Chokoshvili D",
      "Thorogood A",
      "Dove ES",
      "Molnár-Gábor F",
      "Ziaka A",
      "Tzortzatou-Nanopoulou O",
      "Comandè G."
    ],
    "date": "2024-01-01",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1093/jlb/lsae001",
    "pdfUrl": "https://europepmc.org/articles/PMC10834358?pdf=render",
    "doi": "10.1093/jlb/lsae001",
    "abstract": "The General Data Protection Regulation (GDPR) of the European Union, which became applicable in 2018, contains a new accountability principle. Under this principle, controllers (ie parties determining the purposes and the means of the processing of personal data) are responsible for ensuring and demonstrating the overall compliance with the GDPR. However, interpretive uncertainties of the GDPR mean that controllers must exercise considerable judgement in designing and implementing an appropriate compliance strategy, making GDPR compliance both complex and resource-intensive. In this article, we provide conceptual clarity around GDPR compliance with respect to one core aspect of the law: the determination and relevance of the purpose of personal data processing. We derive from the GDPR's text concrete requirements for purpose specification, which we subsequently apply to the area of secondary use of personal data for scientific research. We offer guidance for correctly specifying purposes of data processing under different research scenarios. To illustrate the practical necessity of purpose specification for GDPR compliance, we then show how our proposed approach can enable controllers to meet their compliance obligations, using the example of the overarching GDPR principle of lawfulness to highlight the relevance of purpose specification for the identification of a suitable legal basis.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Journal of law and the biosciences",
    "language": "en"
  },
  {
    "id": "hal:4352748",
    "title": "Reconciling the biomedical data commons and the GDPR: three lessons from the EUCAN ELSI collaboratory",
    "authors": [
      "Alexander Bernier",
      "Fruzsina Molnár-Gábor",
      "Bartha M Knoppers",
      "Pascal Borry",
      "Priscilla M D G Cesar",
      "Thijs Devriendt",
      "Melanie Goisauf",
      "Madeleine Murtagh",
      "Pilar Nicolás Jiménez",
      "Mikel Recuero",
      "Emmanuelle Rial-Sebbag",
      "Mahsa Shabani",
      "Rebecca C Wilson",
      "Davide Zaccagnini",
      "Lauren Maxwell"
    ],
    "date": "2023-06-15",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-04352748v1",
    "pdfUrl": "https://hal.science/hal-04352748/document",
    "doi": "10.1038/s41431-023-01403-y",
    "abstract": "The coming-into-force of the EU General Data Protection Regulation (GDPR) is a watershed moment in the legal recognition of enforceable rights to informational self-determination. The rapid evolution of legal requirements applicable to data use, however, has the potential to outstrip the capabilities of networks of biomedical data users to respond to the shifting norms. It can also delegitimate established institutional bodies that are responsible for assessing and authorising the downstream use of data, including research ethics committees and institutional data custodians. These burdens are especially pronounced for clinical and research networks that are of transnational scale, because the legal compliance burden for outbound international data transfers from the EEA is especially high. Legislatures, courts, and regulators in the EU should therefore implement the following three legal changes. First, the responsibilities of particular actors in a data sharing network should be delimited through the contractual allocation of responsibilities between collaborators. Second, the use of data through secure data processing environments should not trigger the international transfer provisions of the GDPR. Third, the use of federated data analysis methodologies that do not provide analysis nodes or downstream users access to identifiable personal data as part of the outputs of those analyses should not be considered circumstances of joint controllership, nor lead to the users of non-identifiable data to be considered controllers or processors. These small clarifications of, or modifications to, the GDPR would facilitate the exchange of biomedical data amongst clinicians and researchers.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "European Journal of Human Genetics",
    "language": "en"
  },
  {
    "id": "pubmed:36056166",
    "title": "Analysis of solutions for a blockchain compliance with GDPR.",
    "authors": [
      "Godyn, Mateusz",
      "Kedziora, Michal",
      "Ren, Yingying",
      "Liu, Yongxin",
      "Song, Houbing Herbert"
    ],
    "date": "2022-09-02",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1145/230514.571645",
    "pdfUrl": "",
    "doi": "10.1145/230514.571645",
    "abstract": "The aim of this paper was to perform an analysis of the state-of-the-art solutions of the permissioned blockchain compliance with the General Data Protection Regulation (GDPR), including the implementation of one of the analyzed methods and the own solution. This paper covers the subject of GDPR and its impact on already existing blockchain databases to determine the domain of the problem, including the necessity to introduce mutability in the data structure to comply with the \"right to be forgotten\". The performed analysis made it possible to discuss current research in technical terms as well as in the regulation itself. In the experimental part, attempts were made to research and implement the Reference-based Tree Structure (RBTS), including the performance tests. The proposed solution is efficient and easily reproducible. The deletion of unwanted content is quick and requires consent only from the owner of personal data; therefore, eliminating the dependency on the other blockchain network participants.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Scientific reports",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4225308057",
    "title": "Mental data protection and the GDPR",
    "authors": [
      "Marcello Ienca",
      "Gianclaudio Malgieri"
    ],
    "date": "2022",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1093/jlb/lsac006",
    "pdfUrl": "https://doi.org/10.1093/jlb/lsac006",
    "doi": "https://doi.org/10.1093/jlb/lsac006",
    "abstract": "Although decoding the content of mental states is currently unachievable, technologies such as neural interfaces, affective computing systems, and digital behavioral technologies enable increasingly reliable statistical associations between certain data patterns and mental activities such as memories, intentions, and emotions. Furthermore, Artificial Intelligence enables the exploration of these activities not just retrospectively but also in a real-time and predictive manner. In this article, we introduce the notion of 'mental data', defined as any data that can be organized and processed to make inferences about the mental states of a person, including their cognitive, affective and conative states. Further, we analyze existing legal protections for mental data by considering the lawfulness of their processing in light of different legal bases and purposes, with special focus on the EU General Data Protection Regulation (GDPR). We argue that the GDPR is an adequate tool to mitigate risks related to mental data processing. However, we recommend that interpreters focus on processing characteristics, rather than merely on the category of data at issue. Finally, we call for a 'Mental Data Protection Impact Assessment', a specific data protection impact assessment designed to better assess and mitigate the risks to fundamental rights and freedoms associated with the processing of mental data.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Journal of Law and the Biosciences",
    "language": "en"
  },
  {
    "id": "pubmed:34896635",
    "title": "Harmonization after the GDPR? Divergences in the rules for genetic and health data sharing in four member states and ways to overcome them by EU measures: Insights from Germany, Greece, Latvia and Sweden.",
    "authors": [
      "Molnár-Gábor, Fruzsina",
      "Sellner, Julian",
      "Pagil, Sophia",
      "Slokenberga, Santa",
      "Tzortzatou-Nanopoulou, Olga",
      "Nyström, Katarina"
    ],
    "date": "2021-12-09",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1016/j.semcancer.2021.12.001",
    "pdfUrl": "",
    "doi": "10.1016/j.semcancer.2021.12.001",
    "abstract": "The EU member states' healthcare and health-related research sectors are both characterized by an emerging infrastructural coalescence on a national and European level. The culmination of this coalescence is the planned creation of a European Health Data Space, an EU-wide infrastructure for the processing of personal data for healthcare and for secondary uses such as scientific research. In contrast to growing technical interoperability, the legal framework for such integration is not yet defined in detail, particularly with regard to data protection law. Its development is accompanied by discussions about divergent member state implementations of the EU General Data Protection Regulation (GDPR) that affect data sharing between healthcare and scientific research actors and across various sectors driven by divergent processing purposes. The article presents four member states' main rules on data sharing based on the respective provision of the GDPR in six health-related contexts regarding data sharing across the healthcare and research sector and between the main actors of those sectors. The striking differences are then evaluated from the perspective of their factual effect on European data sharing depending on the legal characteristics of the GDPR provisions they rely on. Against this backdrop, the planned regulatory measures for the setup of the European Health Data Space are introduced and evaluated with regard to further harmonization between member states' laws and possibilities to overcome divergences in data protection rules relevant for European data sharing. The results of the analysis point to the conclusion that the destructive effect of divergent member state rules depends on the legal qualification of the EU provisions they rely on and that this qualification also determines which further EU regulatory measure would be the most effective to set the framework for the European Health Data Space.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Seminars in cancer biology",
    "language": "en"
  },
  {
    "id": "pubmed:34883997",
    "title": "A Smart Contract-Based Dynamic Consent Management System for Personal Data Usage under GDPR.",
    "authors": [
      "Merlec, Mpyana Mwamba",
      "Lee, Youn Kyu",
      "Hong, Seng-Phil",
      "In, Hoh Peter"
    ],
    "date": "2021-11-30",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1109/MODELS.2019.00-20",
    "pdfUrl": "",
    "doi": "10.1109/MODELS.2019.00-20",
    "abstract": "A massive amount of sensitive personal data is being collected and used by scientists, businesses, and governments. This has led to unprecedented threats to privacy rights and the security of personal data. There are few solutions that empower individuals to provide systematic consent agreements on distinct personal information and control who can collect, access, and use their data for specific purposes and periods. Individuals should be able to delegate consent rights, access consent-related information, and withdraw their given consent at any time. We propose a smart-contract-based dynamic consent management system, backed by blockchain technology, targeting personal data usage under the general data protection regulation. Our user-centric dynamic consent management system allows users to control their personal data collection and consent to its usage throughout the data lifecycle. Transaction history and logs are recorded in a blockchain that provides trusted tamper-proof data provenance, accountability, and traceability. A prototype of our system was designed and implemented to demonstrate its feasibility. The acceptability and reliability of the system were assessed by experimental testing and validation processes. We also analyzed the security and privacy of the system and evaluated its performance.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Sensors (Basel, Switzerland)",
    "language": "en"
  },
  {
    "id": "pubmed:34270741",
    "title": "Signalling Standards for Progress: Bridging the Divide Between a Valid Consent to Use Patient Data Under Data Protection Law and the Common Law Duty of Confidentiality.",
    "authors": [
      "Dove, Edward S",
      "Taylor, Mark J"
    ],
    "date": "2021-10-08",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1093/medlaw/fwab014",
    "pdfUrl": "",
    "doi": "10.1093/medlaw/fwab014",
    "abstract": "In this article, we analyse the legal components of disclosing confidential patient information under the UK's common law duty of confidentiality (CLDoC) and processing personal (health) data under the UK's General Data Protection Regulation (GDPR) and Data Protection Act 2018. We describe the ostensible divide between the CLDoC and data protection law when it comes to the requirements of a valid signal of consent by a patient to use and disclose patient information, obtained by a health professional in the context of direct care, for health care and health research purposes. Ultimately, our analysis suggests that we are saddled, at least in the medium term, with two regimes operating with different standards of a valid consent—while putatively protecting similar interests. There is, however, opportunity for progress. It is possible to improve professional guidance on the interaction between the regimes and to achieve significant normative alignment without aligning the signalling standard for consent; this would promote consistent protection of reasonable expectations of patients across both regimes. Further coherence would require aligning not only the standard, but also the role played by consent under each regime. Here we argue that, in relation to direct care, any such shift should be away from consent as the normal justification. In relation to health research, on the contrary, it should be toward consent as the normal justification for use and disclosure of patient information under both the CLDoC and data protection law.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Medical law review",
    "language": "en"
  },
  {
    "id": "pubmed:32728835",
    "title": "What GDPR and the Health Research Regulations (HRRs) mean for Ireland: \"explicit consent\"-a legal analysis.",
    "authors": [
      "Kirwan, Mary",
      "Mee, Blanaid",
      "Clarke, Niamh",
      "Tanaka, Aoife",
      "Manaloto, Lino",
      "Halpin, Emma",
      "Gibbons, Una",
      "Cullen, Ann",
      "McGarrigle, Sarah",
      "Connolly, Elisabeth M",
      "Bennett, Kathleen",
      "Gaffney, Eoin",
      "Flanagan, Ciaran",
      "Tier, Laura",
      "Flavin, Richard",
      "McElvaney, Noel G"
    ],
    "date": "2020-07-30",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1001/jama.298.18.2164",
    "pdfUrl": "",
    "doi": "10.1001/jama.298.18.2164",
    "abstract": "BACKGROUND: Irish Health Research Regulations (HRRs) were introduced following the commencement of the General Data Protection Regulation (GDPR) in 2018. The HRRs set out supplementary regulatory requirements for research. A legal analysis presented under the auspices of the Irish Academy of Medical Sciences (IAMS) on April 8 and November 25, 2019 at the Royal College of Surgeons in Ireland welcomed the introduction of GDPR and the HRRs. The analysis found the GDPR \"explicit consent\" introduced by the HRRs is problematic. A call was made to regulate informed consent in line with the common law as an achievable alternative safeguard, bringing Ireland in line with other EU Member States. AIMS: This article aims to review academic papers, legal opinion, EU opinion and advice and data protection law in relation to research and explicit consent, in order to examine the legal burden of GDPR and the HRRs on health research in Ireland and to determine whether the analysis presented at the IAMS meetings is reflected more widely in legal text. METHODS: Legal literature review of academic papers, legal opinion, EU opinion and advice and data protection legislation. RESULTS: The legal literature review overwhelmingly supports the concerns raised. CONCLUSIONS: Our results confirm the GDPR explicit consent requirement of the HRRs has had a significantly negative and far-reaching impact on the conduct of health research in Ireland. Urgent review of the HRRs and meaningful engagement between the health research community and legislators in healthcare is required.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Irish journal of medical science",
    "language": "en"
  },
  {
    "id": "pubmed:31800037",
    "title": "DAISY: A Data Information System for accountability under the General Data Protection Regulation.",
    "authors": [
      "Becker, Regina",
      "Alper, Pinar",
      "Grouès, Valentin",
      "Munoz, Sandrine",
      "Jarosz, Yohan",
      "Lebioda, Jacek",
      "Rege, Kavita",
      "Trefois, Christophe",
      "Satagopam, Venkata",
      "Schneider, Reinhard"
    ],
    "date": "2019-12-01",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.5524/100664",
    "pdfUrl": "",
    "doi": "10.5524/100664",
    "abstract": "BACKGROUND: The new European legislation on data protection, namely, the General Data Protection Regulation (GDPR), has introduced comprehensive requirements for the documentation about the processing of personal data as well as informing the data subjects of its use. GDPR's accountability principle requires institutions, projects, and data hubs to document their data processings and demonstrate compliance with the GDPR. In response to this requirement, we see the emergence of commercial data-mapping tools, and institutions creating GDPR data register with such tools. One shortcoming of this approach is the genericity of tools, and their process-based model not capturing the project-based, collaborative nature of data processing in biomedical research. FINDINGS: We have developed a software tool to allow research institutions to comply with the GDPR accountability requirement and map the sometimes very complex data flows in biomedical research. By analysing the transparency and record-keeping obligations of each GDPR principle, we observe that our tool effectively meets the accountability requirement. CONCLUSIONS: The GDPR is bringing data protection to center stage in research data management, necessitating dedicated tools, personnel, and processes. Our tool, DAISY, is tailored specifically for biomedical research and can help institutions in tackling the documentation challenge brought about by the GDPR. DAISY is made available as a free and open source tool on Github. DAISY is actively being used at the Luxembourg Centre for Systems Biomedicine and the ELIXIR-Luxembourg data hub.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "GigaScience",
    "language": "en"
  },
  {
    "id": "pubmed:31468753",
    "title": "Applying the Data Protection Act 2018 and General Data Protection Regulation principles in healthcare settings.",
    "authors": [
      "Spencer, Aleksandra",
      "Patel, Seraphim"
    ],
    "date": "2019-01-16",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.7748/nm.2019.e1806",
    "pdfUrl": "",
    "doi": "10.7748/nm.2019.e1806",
    "abstract": "The Data Protection Act (DPA) of 1998 was radically updated in 2018 and since then there has been much media coverage about the General Data Protection Regulation (GDPR). Recent headlines have featured well known organisations that have been fined under the DPA 1998. This article describes the recent changes in data protection law, including the principles behind the DPA and GDPR, highlights patients' rights and how nurses can advocate for the protection of patients' personal data, and outlines nurses' role in ensuring that the principles of data protection are implemented fully as part of patient care delivery.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Nursing management (Harrow, London, England : 1994)",
    "language": "en"
  },
  {
    "id": "pubmed:31126909",
    "title": "Re-identifiability of genomic data and the GDPR: Assessing the re-identifiability of genomic data in light of the EU General Data Protection Regulation.",
    "authors": [
      "Shabani, Mahsa",
      "Marelli, Luca"
    ],
    "date": "2019-05-24",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.15252/embr.201948316",
    "pdfUrl": "",
    "doi": "10.15252/embr.201948316",
    "abstract": "The EU Data Protection Regulation has wide‐ranging implications for research based on anonymized personal genomic and genetic data given the realistic risk of re‐identification.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "EMBO reports",
    "language": "en"
  },
  {
    "id": "pubmed:30345387",
    "title": "The destruction of the 'Windrush' disembarkation cards: a lost opportunity and the (re)emergence of Data Protection regulation as a threat to longitudinal research.",
    "authors": [
      "Boyd, Andy",
      "Woollard, Matthew",
      "Macleod, John",
      "Park, Alison"
    ],
    "date": "2018-09-11",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1136/medethics-2014-102374",
    "pdfUrl": "",
    "doi": "10.1136/medethics-2014-102374",
    "abstract": "Historical records and the research databases of completed studies have the potential either to establish new research studies or to inform follow-up studies assessing long-term health and social outcomes. Yet, such records are at risk of destruction resulting from misconceptions about data protection legislation and research ethics. The recent destruction of the Windrush disembarkation cards, which potentially could have formed the basis of a retrospective cohort study, illustrates this risk. As organisations across Europe transition to the EU General Data Protection Regulation (GDPR), this risk is being amplified due to uncertainty as to how to comply with complex new rules, and the requirement under GDPR that data owners catalogue their data and set data retention and destruction rules. The combination of these factors suggests there is a new meaningful risk that scientifically important historical records will be destroyed, despite the fact that GDPR provides a clear legal basis to hold historical records and to repurpose them for research for the public good. This letter describes this risk; details the legal basis enabling the retention and repurposing of these data; makes recommendations as to how to alleviate this risk; and finally encourages the research and research-active clinical community to contact their 'Data Protection Officers' to promote safe-keeping of historical records.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Wellcome open research",
    "language": "en"
  },
  {
    "id": "pubmed:30322998",
    "title": "Algorithms that remember: model inversion attacks and data protection law.",
    "authors": [
      "Veale, Michael",
      "Binns, Reuben",
      "Edwards, Lilian"
    ],
    "date": "2018-10-15",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1145/2523813",
    "pdfUrl": "",
    "doi": "10.1145/2523813",
    "abstract": "Many individuals are concerned about the governance of machine learning systems and the prevention of algorithmic harms. The EU's recent General Data Protection Regulation (GDPR) has been seen as a core tool for achieving better governance of this area. While the GDPR does apply to the use of models in some limited situations, most of its provisions relate to the governance of personal data, while models have traditionally been seen as intellectual property. We present recent work from the information security literature around 'model inversion' and 'membership inference' attacks, which indicates that the process of turning training data into machine-learned systems is not one way, and demonstrate how this could lead some models to be legally classified as personal data. Taking this as a probing experiment, we explore the different rights and obligations this would trigger and their utility, and posit future directions for algorithmic governance and regulation. This article is part of the theme issue 'Governing artificial intelligence: ethical, legal, and technical opportunities and challenges'.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Philosophical transactions. Series A, Mathematical, physical, and engineering sciences",
    "language": "en"
  },
  {
    "id": "pubmed:30069638",
    "title": "International data-sharing norms: from the OECD to the General Data Protection Regulation (GDPR).",
    "authors": [
      "Phillips, Mark"
    ],
    "date": "2018-08-01",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1177/1073110516644205",
    "pdfUrl": "https://link.springer.com/content/pdf/10.1007/s00439-018-1919-7.pdf",
    "doi": "10.1177/1073110516644205",
    "abstract": "The evolution of genomic research and its integration into clinical practice, as they become international—even global—endeavors, has brought us to a place where scientists and clinicians may now only ignore the rules governing international data sharing at their own peril. Open data policies, on the one hand, increasingly require custodians of others' genomic data to make it as widely available as feasible, including to researchers in other countries. Data protection law, on the other, has become a significant hurdle to the sharing of personal data across jurisdictional borders. The space between these two competing duties is narrowing. In contrast with the other texts in this volume, which explore the present and future of data sharing and data protection, this article's focus is on the past. It centres on the historical development of the data protection rules regarding the international transfer of personal data up to the present. The article's aim is to bring into focus the underlying objectives that have influenced and that will continue to influence the way that data protection rules are applied to the fields of genomics and health, as well as future developments in data protection generally. The first part of this article describes the development of international data-sharing data protection rules since 1970. The second considers difficulties in applying general data protection rules to the specific context of genomics and health. The third and final part compares the options available to comply with the international transfer restrictions set out in the standard-setting EU General Data Protection Regulation from a genomics perspective.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Human genetics",
    "language": "en"
  },
  {
    "id": "pubmed:29788147",
    "title": "Will the Eu Data Protection Regulation 2016/679 Inhibit Critical Care Research?",
    "authors": [
      "Timmers, Marjolein",
      "Van Veen, Evert-Ben",
      "Maas, Andrew I R",
      "Kompanje, Erwin J O"
    ],
    "date": "2019-02-01",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1093/medlaw/fwy023",
    "pdfUrl": "",
    "doi": "10.1093/medlaw/fwy023",
    "abstract": "There is an inherent tension between critical care research and data protection. Because of their condition it is not possible to ask for the patients' informed consent to be enrolled in observational research at the point of admission to the hospital. Often this is not possible at a later moment either. Yet informed consent is the baseline to be enrolled in research with personal data and exceptions must be allowed for by national legislation. This was the case under Directive 95/96/EC and will be the case under the General Data Protection Regulation (GDPR, Regulation 2016/679 EU) which will replace the Directive from 25 May 2018 onwards. Though being a Regulation and therefore directly applicable in the Member States, the long debate about the research exceptions in the GDPR left many aspects of observational research including the exception to the informed consent principle, mainly to the Member States. It may be assumed that most Member States will leave their present state of the law intact in this respect as that was part of the political compromise. We compared existing national privacy legislation from the perspective of critical care research and found great variation. Although this may not impede the collection of emergency and critical care research with data without prior informed consent in countries which are more responsive to such research, it might be a challenge to exchange such data from the national nodes in European wide research collaboration. We make a case that countries which are not responsive to such research should adapt their legislation in the interests of future critical care patients.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Medical law review",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4388731191",
    "title": "Advancing Federated Learning through Verifiable Computations and Homomorphic Encryption",
    "authors": [
      "Bingxue Zhang",
      "Guangguang Lu",
      "Pengpeng Qiu",
      "Xumin Gui",
      "Yang Shi"
    ],
    "date": "2023",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.3390/e25111550",
    "pdfUrl": "https://www.mdpi.com/1099-4300/25/11/1550/pdf?version=1700140146",
    "doi": "https://doi.org/10.3390/e25111550",
    "abstract": "Federated learning, as one of the three main technical routes for privacy computing, has been widely studied and applied in both academia and industry. However, malicious nodes may tamper with the algorithm execution process or submit false learning results, which directly affects the performance of federated learning. In addition, learning nodes can easily obtain the global model. In practical applications, we would like to obtain the federated learning results only by the demand side. Unfortunately, no discussion on protecting the privacy of the global model is found in the existing research. As emerging cryptographic tools, the zero-knowledge virtual machine (ZKVM) and homomorphic encryption provide new ideas for the design of federated learning frameworks. We have introduced ZKVM for the first time, creating learning nodes as local computing provers. This provides execution integrity proofs for multi-class machine learning algorithms. Meanwhile, we discuss how to generate verifiable proofs for large-scale machine learning tasks under resource constraints. In addition, we implement the fully homomorphic encryption (FHE) scheme in ZKVM. We encrypt the model weights so that the federated learning nodes always collaborate in the ciphertext space. The real results can be obtained only after the demand side decrypts them using the private key. The innovativeness of this paper is demonstrated in the following aspects: 1. We introduce the ZKVM for the first time, which achieves zero-knowledge proofs (ZKP) for machine learning tasks with multiple classes and arbitrary scales. 2. We encrypt the global model, which protects the model privacy during local computation and transmission. 3. We propose and implement a new federated learning framework. We measure the verification costs under different federated learning rounds on the IRIS dataset. Despite the impact of homomorphic encryption on computational accuracy, the framework proposed in this paper achieves a satisfactory 90% model accuracy. Our framework is highly secure and is expected to further improve the overall efficiency as cryptographic tools continue to evolve.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.625,
    "venue": "Entropy",
    "language": "en"
  },
  {
    "id": "dblp:journals/ijis/JiaAZJC22",
    "title": "Flexible privacy-preserving machine learning: When searchable encryption meets homomorphic encryption.",
    "authors": [
      "Haixin Jia",
      "Mohammed Shujaa Aldeen",
      "Chuan Zhao",
      "Shan Jing",
      "Zhenxiang Chen"
    ],
    "date": "2022",
    "platform": "dblp",
    "sourceUrl": "https://dblp.org/rec/journals/ijis/JiaAZJC22",
    "pdfUrl": "",
    "doi": "10.1002/INT.22985",
    "abstract": "",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.625,
    "venue": "Int. J. Intell. Syst.",
    "language": "en"
  },
  {
    "id": "doaj:1797aacbca7543d29749fbd5e2794924",
    "title": "The effects on local innovation arising from replicating the GDPR into the Brazilian General Data Protection Law",
    "authors": [
      "Renan Gadoni Canaan"
    ],
    "date": "2023",
    "platform": "doaj",
    "sourceUrl": "https://policyreview.info/node/1686",
    "pdfUrl": "https://policyreview.info/pdf/policyreview-2023-1-1686.pdf",
    "doi": "10.14763/2023.1.1686",
    "abstract": "Following the implementation of the European General Data Protection Regulation (GDPR), Europe exported its data protection standards to Brazil’s data protection legislation. Besides its manifest aim of providing data privacy rights, the GDPR also fosters economic benefits by incentivising the innovation of privacy-enhancing technologies. Therefore, using a TWAIL-based de-colonising methodology, this research article assesses the effects for innovation in Brazil arising from reproducing the European data regulation. It argues that this replication provided the LGPD with the principles that compel firms to innovate in the Brazilian privacy-enhancing technologies market. However, the Western firms, to the detriment of Brazilian firms, appropriate the resulting economic benefit of innovation because the former excel at introducing and securing technology monopolies in the Brazilian market. To rebalance opportunities for Brazilian firms, this paper advocates implementing local content policy for privacy-enhancing technologies, which requires firms to purchase a portion of their operations’ inputs in the domestic market.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Internet Policy Review",
    "language": "en"
  },
  {
    "id": "doaj:1ae197e8bd584d4288b9d177b7fa3201",
    "title": "GDPR-oriented intelligent checking method of privacy policies compliance",
    "authors": [
      "Xin LI",
      "Peng TANG",
      "Xiheng ZHANG",
      "Weidong QIU",
      "Hong HUI"
    ],
    "date": "2023",
    "platform": "doaj",
    "sourceUrl": "https://www.infocomm-journal.com/cjnis/CN/10.11959/j.issn.2096-109x.2023088",
    "pdfUrl": "",
    "doi": "10.11959/j.issn.2096-109x.2023088",
    "abstract": "The implementation of the EU’s General Data Protection Regulation (GDPR) has resulted in the imposition of over 300 fines since its inception in 2018. These fines include significant penalties for prominent companies like Google, which were penalized for their failure to provide transparent and comprehensible privacy policies. The GDPR, known as the strictest data protection laws in history, has made companies worldwide more cautious when offering cross-border services, particularly to the European Union. The regulation's territorial scope stipulates that it applies to any company providing services to EU citizens, irrespective of their location. This implies that companies worldwide, including domestic enterprises, are required to ensure compliance with GDPR in their privacy policies, especially those involved in international operations. To meet this requirement, an intelligent detection method was introduced. Machine learning and automation technologies were utilized to automatically extract privacy policies from online service companies. The policies were converted into a standardized format with a hierarchical structure. Through natural language processing, the privacy policies were classified, allowing for the identification of relevant GDPR concepts. In addition, a constructed GDPR taxonomy was used in the detection mechanism to identify any missing concepts as required by GDPR. This approach facilitated intelligent detection of GDPR-oriented privacy policy compliance, providing support to domestic enterprises while they provided cross-border services to EU users. Analysis of the corpus samples reveals the current situation that mainstream online service companies generally fail to meet GDPR compliance requirements.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "网络与信息安全学报",
    "language": "en"
  },
  {
    "id": "doaj:1d9c4e54ccb3445796b1d4d42633dc1a",
    "title": "A systematic literature review of the tension between the GDPR and public blockchain systems",
    "authors": [
      "Rahime Belen-Saglam",
      "Enes Altuncu",
      "Yang Lu",
      "Shujun Li"
    ],
    "date": "2023",
    "platform": "doaj",
    "sourceUrl": "http://www.sciencedirect.com/science/article/pii/S2096720923000040",
    "pdfUrl": "",
    "doi": "10.1016/j.bcra.2023.100129",
    "abstract": "Blockchain technology has been rapidly growing since Bitcoin was invented in 2008. The most common type of blockchain system, public (permissionless) blockchain system, has some unique features that lead to a tension with the European Union’s General Data Protection Regulation (GDPR) and other similar data protection laws. In this paper, we report the results of a systematic literature review (SLR) on 114 research papers discussing and/or addressing such a tension. To the best of our knowledge, our SLR is the most comprehensive review of this tension, leading to a more in-depth and broader analysis of related research work on this important topic. Our results revealed three main types of issues: (i) difficulties in exercising data subjects’ rights such as the ‘right to be forgotten’ (RTBF) due to the immutable nature of public blockchains; (ii) difficulties in identifying roles and responsibilities in the public blockchain data processing ecosystem (particularly on the identification of data controllers and data processors); and (iii) ambiguities regarding the application of the relevant law(s) due to the distributed nature of blockchains. Our work also led to a better understanding of solutions for improving the GDPR compliance of public blockchain systems. It can help inform not only blockchain researchers and developers but also policymakers and lawmakers to consider how to reconcile the tension between public blockchain systems and data protection laws (the GDPR and beyond).",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Blockchain: Research and Applications",
    "language": "en"
  },
  {
    "id": "doaj:f9f417f7544e4b88b1c4fae04cd8e078",
    "title": "Privacy-preserving attribute-based access control using homomorphic encryption",
    "authors": [
      "Malte Kerl",
      "Ulf Bodin",
      "Olov Schelén"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://doi.org/10.1186/s42400-024-00323-8",
    "pdfUrl": "",
    "doi": "10.1186/s42400-024-00323-8",
    "abstract": "Abstract Authentication and access control for Cyber-Physical Systems (CPSs) are pivotal for protecting systems and their users from problems related to harmful actions and the malicious use of retrieved data. In some situations, making access decisions requires using user information, thereby challenging their privacy. Attribute-based access control (ABAC) supports dynamic and context-aware access decisions that are attractive in cyber-physical system environments. However, privacy preservation for access decisions is an open issue for authorization and is not supported by existing ABAC models. For example, if access decisions need to be made based on private attribute values such as health data, the corresponding access control policies need to be revealed. This paper reviews the ABAC, homomorphic encryption (HE), and zero-knowledge proof (ZKP) approaches, confirming the gap in privacy preservation in ABAC. Based on this observation, we further present the application of a new ZKP-based protocol in which ABAC allows for the privacy-preserving evaluation of attributes. This protocol is implemented and evaluated in terms of its performance and security. The evaluation demonstrates that there is a possibility for privacy-preserving ABAC, which may benefit the use of CPS, e.g., in underground and open-pit mines.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.625,
    "venue": "Cybersecurity",
    "language": "en"
  },
  {
    "id": "doaj:091945c8e2874191997b73b58d800fef",
    "title": "General Data Protection Regulation, Right to Be Forgotten, Blockchain Technology and Human Rights",
    "authors": [
      "Oscar Celador Angón"
    ],
    "date": "2024",
    "platform": "doaj",
    "sourceUrl": "https://revistasepre.ujaen.es/index.php/TAHRJ/article/view/8702",
    "pdfUrl": "",
    "doi": "10.17561/tahrj.v23.8702",
    "abstract": "The aim of this paper is to offer some reflections on the role that new technologies can play in the field of human rights, and specially from the point of view of the general data protection regulation and blockchain technology. The European Union General Data Protection Regulation of 2016 has modified the regulatory framework in key aspects for human rights, such as the consent of the individuals affected by the processing of their data, the right to data portability, or the right to be forgotten.\nIn line with this approach, the first part of the study focuses especially on the regulation of the right to be forgotten and the rights to privacy and respect for privacy. In the second part of my study, the paper analyses the role that blockchain technology can play in guaranteeing and protecting human rights, as well as in the implementation of the Sustainable Development Goals.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Age of Human Rights Journal",
    "language": "en"
  },
  {
    "id": "doaj:037773df58094234af43da2471582f1e",
    "title": "EDLaaS:Fully Homomorphic Encryption over Neural Network Graphs for Vision and Private Strawberry Yield Forecasting",
    "authors": [
      "George Onoufriou",
      "Marc Hanheide",
      "Georgios Leontidis"
    ],
    "date": "2022",
    "platform": "doaj",
    "sourceUrl": "https://www.mdpi.com/1424-8220/22/21/8124",
    "pdfUrl": "",
    "doi": "10.3390/s22218124",
    "abstract": "We present automatically parameterised Fully Homomorphic Encryption (FHE) for encrypted neural network inference and exemplify our inference over FHE-compatible neural networks with our own open-source framework and reproducible examples. We use the fourth generation Cheon, Kim, Kim, and Song (CKKS) FHE scheme over fixed points provided by the Microsoft Simple Encrypted Arithmetic Library (MS-SEAL). We significantly enhance the usability and applicability of FHE in deep learning contexts, with a focus on the constituent graphs, traversal, and optimisation. We find that FHE is not a panacea for all privacy-preserving machine learning (PPML) problems and that certain limitations still remain, such as model training. However, we also find that in certain contexts FHE is well-suited for computing completely private predictions with neural networks. The ability to privately compute sensitive problems more easily while lowering the barriers to entry can allow otherwise too-sensitive fields to begin advantaging themselves of performant third-party neural networks. Lastly, we show how encrypted deep learning can be applied to a sensitive real-world problem in agri-food, i.e., strawberry yield forecasting, demonstrating competitive performance. We argue that the adoption of encrypted deep learning methods at scale could allow for a greater adoption of deep learning methodologies where privacy concerns exist, hence having a large positive potential impact within the agri-food sector and its journey to net zero.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.625,
    "venue": "Sensors",
    "language": "en"
  },
  {
    "id": "doaj:03b30cc2471b48f29fea8418d8fd44b6",
    "title": "Recent advances of privacy-preserving machine learning based on (Fully) Homomorphic Encryption",
    "authors": [
      "Hong Cheng"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://sands.edpsciences.org/articles/sands/full_html/2025/01/sands20240021/sands20240021.html",
    "pdfUrl": "",
    "doi": "10.1051/sands/2024012",
    "abstract": "Fully Homomorphic Encryption (FHE), known for its ability to process encrypted data without decryption, is a promising technique for solving privacy concerns in the machine learning era. However, there are many kinds of available FHE schemes and way more FHE-based solutions in the literature, and they are still fast evolving, making it difficult to get a complete view. This article aims to introduce recent representative results of FHE-based privacy-preserving machine learning, helping users understand the pros and cons of different kinds of solutions, and choose an appropriate approach for their needs.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.625,
    "venue": "Security and Safety",
    "language": "en"
  },
  {
    "id": "doaj:10654ea478914ee8a83dcc2900622827",
    "title": "PipFHE: Resource-Efficient Privacy-Preserving Deep CNN Inference via Padded Batch Packing and Channel Merging over FHE",
    "authors": [
      "Tianyu Wang",
      "Zewen Ye",
      "Tianshun Huang",
      "Chengxuan Wang",
      "Kuangye Ying",
      "Kejie Huang"
    ],
    "date": "2026",
    "platform": "doaj",
    "sourceUrl": "https://tches.iacr.org/index.php/TCHES/article/view/12665",
    "pdfUrl": "",
    "doi": "10.46586/tches.v2026.i1.1-25",
    "abstract": "Privacy-Preserving Machine Learning (PPML) has demonstrated great potential in data-sensitive industries, driving the development of low-latency CNN architectures using Fully Homomorphic Encryption (FHE). However, existing methods encounter two primary challenges when processing large image datasets: 1) Multithreading approaches, which classify one image per thread, necessitate a large number of threads and demand significant memory and CPU resources. 2) Batch packing methods are hampered by inflated ciphertext counts and inefficient handling of manage image padding and consecutive convolutions, limiting their use in deep networks. These issues create a clear need for more resource-efficient and architecturally flexible FHE-based CNN inference. To address this, we propose PipFHE, an FHE-friendly privacy-preserving CNN inference approach based on RNS-CKKS. We leverage the batch packing method and introduce two effective padding strategies for efficient encrypted image convolution. Furthermore, we propose a Channel Merging method, which notably reduces the ciphertext numbers, enabling deep network architecture. PipFHE is also compatible with pre-trained standard model parameters, ensuring high flexibility. Evaluations on the CIFAR-10 and CIFAR-100 show that PipFHE achieves an amortized inference speedup and throughput increase of 1.35x to 1.83x compared to state-of-the-art designs on the same test platform. Moreover, PipFHE performs inference on 227 encrypted images using only 36 threads and 144 GB of memory, which is 2.8x lower than other research. While PipFHE incurs an accuracy drop of <0.9% compared to plaintext inference, this strategic trade-off delivers substantial reductions in hardware requirements and enable deep network architectures. Its significant resource efficiency and support for deep networks make PipFHE a practical solution for processing large image batches in resource-constrained, privacy-sensitive cloud environments.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.625,
    "venue": "Transactions on Cryptographic Hardware and Embedded Systems",
    "language": "en"
  },
  {
    "id": "hal:2271655",
    "title": "Implementing GDPR in the Charity Sector: A Case Study",
    "authors": [
      "Jane Henriksen-Bulmer",
      "Shamal Faily",
      "Sheridan Jeary"
    ],
    "date": "2019",
    "platform": "hal",
    "sourceUrl": "https://inria.hal.science/hal-02271655v1",
    "pdfUrl": "https://inria.hal.science/hal-02271655/document",
    "doi": "10.1007/978-3-030-16744-8_12",
    "abstract": "Due to their organisational characteristics, many charities are poorly prepared for the General Data Protection Regulation (GDPR). We present an exemplar process for implementing GDPR and the DPIA Data Wheel, a DPIA framework devised as part of the case study, that accounts for these characteristics. We validate this process and framework by conducting a GDPR implementation with a charity that works with vulnerable adults. This charity processes both special category (sensitive) and personally identifiable data. This GDPR implementation was conducted and devised for the charity sector, but can be equally applied in any organisation that need to implement GDPR or conduct DPIAs.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:1629151",
    "title": "Not just User Control in the General Data Protection Regulation",
    "authors": [
      "Claudia Quelle"
    ],
    "date": "2016",
    "platform": "hal",
    "sourceUrl": "https://inria.hal.science/hal-01629151v1",
    "pdfUrl": "https://inria.hal.science/hal-01629151/document",
    "doi": "10.1007/978-3-319-55783-0_11",
    "abstract": "User control is increasingly prominent in the discourse surrounding the General Data Protection Regulation (GDPR). However, alongside user control, the GDPR also tries to achieve what will be called controller responsibility. Is this unjust paternalism or does it correctly place the responsibility for data protection with the controller and its supervisory authority? This paper argues that the question of responsibility should be evaluated in light of the overarching objective of the GDPR to protect the fundamental rights of natural persons. It describes the problems of a focus on the “choice” of data subjects, but also takes seriously the charge of paternalism which more protective data protection laws are faced with, tying the resulting dilemma to the objectives of data protection and ultimately to the debate on the nature of rights. Does data protection law seek to protect certain interests, such as secrecy and seclusion, or does it seek to give data subjects control over their data, and thereby political power regarding the substance of their fundamental rights? The paper concludes that a further exploration of will theories and interest theories of rights would shed light on the appropriate roles for user control and controller responsibility.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:4703957",
    "title": "Conformité au RGPD dans les Pratiques de Gestion des Processus Métier : Revue Systématique de la Littérature",
    "authors": [
      "Rychkova Irina",
      "Deneckere Rebecca",
      "Jeyakumaran Sothiya"
    ],
    "date": "2024",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-04703957v1",
    "pdfUrl": "https://hal.science/hal-04703957/document",
    "doi": "10.21494/ISTE.OP.2024.1140",
    "abstract": "<div><p>Le règlement général sur la protection des données (RGPD) affecte considérablement la façon dont les organisations doivent aborder la confidentialité des données, les forçant à repenser et à mettre à niveau leurs processus métiers afin de se conformer au RGPD. A travers cette revue systématique de la littérature, nous examinons les études primaires concernant cette problématique, recensons les recherches effectuées et les méthodes proposées, appliquées et intégrées dans le cycle de vie d'un processus métiers (selon BPM) pour faire face à cette nouvelle réglementation. ABSTRACT. The General Data Protection Regulation (GDPR) dramatically affects the way organizations approach data privacy, forcing them to rethink and upgrade their business processes in order to comply with GDPR. Through this systematic literature review (SLR) we examine the primary studies, identify the research carried out and the methods that are proposed, applied and integrated into a business process life cycle (as defined by BPM) to cope with this new regulation. MOTS-CLÉS. Règlement général sur la protection des données (RGPD) -processus métiers -revue systématique de la littérature (SLR) -cycle de vie d'un processus métiers -modélisation KEYWORDS. General Data Protection Regulation (GDPR) -business processes -systematic literature review (SLR)business process life cycle -modeling</p></div>",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Revue ouverte d'ingénierie des systèmes d'information",
    "language": "en"
  },
  {
    "id": "hal:3868320",
    "title": "Regulatory Spillovers and Data Governance: Evidence from the GDPR",
    "authors": [
      "Christian Peukert",
      "Stefan Bechtold",
      "Michail Batikas",
      "Tobias Kretschmer"
    ],
    "date": "2022-02-15",
    "platform": "hal",
    "sourceUrl": "https://rennes-sb.hal.science/hal-03868320v1",
    "pdfUrl": "https://rennes-sb.hal.science/hal-03868320/document",
    "doi": "10.1287/mksc.2021.1339",
    "abstract": "We document short-run changes in websites and the web technology industry with the introduction of the European General Data Protection Regulation (GDPR). We follow more than 110,000 websites and their third-party HTTP requests for 12 months before and 6 months after the GDPR became effective and show that websites substantially reduced their interactions with web technology providers. Importantly, this also holds for websites not legally bound by the GDPR. These changes are especially pronounced among less popular websites and regarding the collection of personal data. We document an increase in market concentration in web technology services after the introduction of the GDPR: Although all firms suffer losses, the largest vendor—Google—loses relatively less and significantly increases market share in important markets such as advertising and analytics. Our findings contribute to the discussion on how regulating privacy, artificial intelligence and other areas of data governance relate to data minimization, regulatory competition, and market structure.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Marketing Science",
    "language": "en"
  },
  {
    "id": "hal:1883612",
    "title": "Data Protection Impact Assessment: A Hands-On Tour of the GDPR’s Most Practical Tool",
    "authors": [
      "Felix Bieker",
      "Nicholas Martin",
      "Michael Friedewald",
      "Marit Hansen"
    ],
    "date": "2018",
    "platform": "hal",
    "sourceUrl": "https://inria.hal.science/hal-01883612v1",
    "pdfUrl": "https://inria.hal.science/hal-01883612/document",
    "doi": "10.1007/978-3-319-92925-5_13",
    "abstract": "This workshop introduced participants to the process of Data Protection Impact Assessment. This new tool of the GDPR is highly relevant for any processing of personal data, as it helps to structure the process, be aware of data protection issues and the relevant legislation and implement proper safeguards to protect data subjects. For processing operations posing a high risk for data subjects, a DPIA is mandatory from May 2018. The interactive workshop provided a framework for DPIA and guidance on specific questions such as when a high risk is likely to occur or how specific risks can be evaluated, which was assessed by participants in an interactive session with two different scenarios.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Privacy and Identity Management",
    "language": "en"
  },
  {
    "id": "hal:3378957",
    "title": "Tool-Assisted Risk Analysis for Data Protection Impact Assessment",
    "authors": [
      "Salimeh Dashti",
      "Silvio Ranise"
    ],
    "date": "2019-08-19",
    "platform": "hal",
    "sourceUrl": "https://inria.hal.science/hal-03378957v1",
    "pdfUrl": "https://inria.hal.science/hal-03378957/document",
    "doi": "10.1007/978-3-030-42504-3_20",
    "abstract": "Unlike the classical risk analysis that protects the assets of the company in question, the GDPR protects data subject’s rights and freedoms, that is, the right to data protection and the right to have full control and knowledge about data processing concerning them. The GDPR articulates Data Protection Impact Assessment (DPIA) in article 35. DPIA is a risk-based process to enhance and demonstrate compliance with these requirements. We propose a methodology to conduct the DPIA in three steps and provide a supporting tool. In this paper, we particularly elaborate on risk analysis as a step of this methodology. The provided tool assists controllers to facilitate data subject’s rights and freedoms. The assistance that our tool provides differentiates our work from the existing ones.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:3283231",
    "title": "A Formal Framework for Consent Management",
    "authors": [
      "Shukun Tokas",
      "Olaf Owe"
    ],
    "date": "2020-06-15",
    "platform": "hal",
    "sourceUrl": "https://inria.hal.science/hal-03283231v1",
    "pdfUrl": "https://inria.hal.science/hal-03283231/document",
    "doi": "10.1007/978-3-030-50086-3_10",
    "abstract": "The aim of this work is to design a formal framework for consent management in line with EU’s General Data Protection Regulation (GDPR). To make a general solution, we consider a high-level modeling language for distributed service-oriented systems, building on the paradigm of active objects. Our framework provides a general solution for data subjects to observe and change their privacy settings and to be informed about all personal data stored about them. The solution consists of a set of predefined types for privacy related concepts, a formalization of policy compliance, a set of interfaces that forms the basis of interaction with external users for consent management, a set of classes that is used in interaction with the runtime system, and a runtime system enforcing the consented policies.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:5222559",
    "title": "Does privacy regulation harm content providers? A longitudinal analysis of the impact of the GDPR",
    "authors": [
      "Vincent Lefrere",
      "Logan Warberg",
      "Cristobal Cheyre",
      "Veronica Marotta",
      "Alessandro Acquisti"
    ],
    "date": "2026",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-05222559v1",
    "pdfUrl": "",
    "doi": "10.1287/mnsc.2022.03186",
    "abstract": "Concerns that the European General Data Protection Regulation (GDPR) would adversely affect the ability of news and media websites to create new quality content have not been thoroughly investigated in the literature. We construct a longitudinal data set of European Union (EU) and U.S. news and media websites to study how online content providers responded to the GDPR over time and whether potential restrictions on online tracking enforced by the regulation affected their downstream outcomes. We find robust evidence that both EU and U.S. news and media websites responded to the regulation by altering their data collection practices, but did so differently, with EU websites reducing tracking and implementing consent mechanisms at higher rates than their U.S. counterparts. Although we detect a reduction in average page views per user on EU relative to U.S. websites, we do not find evidence of negative impacts, in both the short and long term, on EU websites’ provision of new content or on several proxies for quality of that content, such as social media engagement metrics, various traffic measures, and articles’ text analytics. We also find no evidence of differences in survival rates across EU and U.S. news and media websites, and no evidence that monetization strategies changed at higher rates on EU relative to U.S. websites. The analysis suggests that EU online content providers did implement changes to their data collection practices in response to the GDPR but were able to use data minimization and consent mechanism strategies that allowed them to keep producing content and engage audiences at degrees on par with their U.S. counterparts.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Management Science",
    "language": "en"
  },
  {
    "id": "hal:1629160",
    "title": "Using Differential Privacy for the Internet of Things",
    "authors": [
      "Carlos Rodrigo Gómez Rodríguez",
      "Elena Gabriela Barrantes S."
    ],
    "date": "2016",
    "platform": "hal",
    "sourceUrl": "https://inria.hal.science/hal-01629160v1",
    "pdfUrl": "https://inria.hal.science/hal-01629160/document",
    "doi": "10.1007/978-3-319-55783-0_14",
    "abstract": "In this paper we propose a hybrid privacy-protection model for the Internet of Things (IoT) with the ultimate purpose of balancing privacy restrictions and usability in data delivery services. Our model uses traditional de-identification methods (such as k-anonymity) under low-privacy requirements, but allows for the transmission of aggregate statistical results (calculated with a privacy-preserving method such as Differential Privacy) as an alternative if the privacy requirements exceed a threshold. We show a prototype implementation for this model, and present a small step-by-step example.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:2147191",
    "title": "Authenticated and Privacy-Preserving Consent Management in the Internet of Things",
    "authors": [
      "Maryline Laurent",
      "Jean Leneutre",
      "Sophie Chabridon",
      "Imane Laaouane"
    ],
    "date": "2019-04-29",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-02147191v1",
    "pdfUrl": "https://hal.science/hal-02147191/document",
    "doi": "10.1016/j.procs.2019.04.037",
    "abstract": "As the Internet of Things (IoT) starts providing meaningful solutions in multiple domains, users expect to take full advantage of the features and benefits of smart devices, but not at the cost of privacy loss. They want to keep control over their own data, e.g. through consent and authorization management. This paper proposes a lightweight privacy-preserving solution for managing user's consent relative to specific purposes (obligations). The originality of our proposal is manyfold. First, the consent is issued cryptographically by the user over some consented specific purposes, thus it protects both the user and the service provider against possible repudiations. Second, the users' privacy is preserved as the protocol supports untraceability over the channel, and pseudonymity with regard to the service provider. Pseudonyms are fully managed by the users themselves through suitable use of Hierarchical Identity-Based Signature (HIBS). Third, the solution is lightweight in terms of communication and computation, thus making it suitable for IoT resource constrained environments. Fourth, an illustrative car-sharing use case is presented where users are able to personalize their driving experience. Fifth, a formal validation of the protocol is provided with the AVISPA tool, along with an informal security and privacy analysis. Sixth, our approach addresses part of the European General Data Protection Regulation (GDPR), as it supports user consent management and helps providers with handling accountability.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "ANT/EDI40",
    "language": "en"
  },
  {
    "id": "hal:5470197",
    "title": "Privacy-preserving machine learning for heart disease detection using fully homomorphic encryption",
    "authors": [
      "Mayssa Dziri",
      "Haifa Touati",
      "Mohamed Hadded",
      "Hakim Ghazzai",
      "Omar Kassem Khalil",
      "Anis Laouiti"
    ],
    "date": "2025-10-19",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-05470197v1",
    "pdfUrl": "https://hal.science/hal-05470197/document",
    "doi": "10.36227/techrxiv.176115157.76814460/v1",
    "abstract": "With the growing adoption of Artificial Intelligence (AI) in sensitive sectors such as healthcare and finance, protecting user privacy during data processing has become paramount. One promising approach is Fully Homomorphic Encryption (FHE), which offers a viable solution by allowing computations to be performed directly on encrypted data, thus safeguarding sensitive information. In this study, we investigate the practical application of the Cheon Kim Kim Song (CKKS) FHE scheme to perform inference with various machine learning models for heart disease detection. We evaluated five models: Logistic Regression, Support Vector Machine, Decision Tree, Random Forest, and a simple Neural Network, across multiple heart disease datasets. Our analysis compares their performance on both standard (plain-text) and encrypted data, using metrics including accuracy, precision, recall, and F1-score. Results demonstrate that encrypted models deliver predictive accuracy comparable to their standard counterparts, confirming the viability of privacypreserving inference with FHE despite the expected increase in computational time. Furthermore, our findings highlight up to 100% consistency between the predictions made on encrypted and plain-text inputs.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:4444326",
    "title": "Cloud-based Private Querying of Databases by Means of Homomorphic Encryption",
    "authors": [
      "Yassine Abbar",
      "Pascal Aubry",
      "Thierno Barry",
      "Sergiu Carpov",
      "Sayanta Mallick",
      "Mariem Krichen",
      "Damien Ligier",
      "Sergey Shpak",
      "Renaud Sirdey"
    ],
    "date": "2021-04-23",
    "platform": "hal",
    "sourceUrl": "https://cea.hal.science/cea-04444326v1",
    "pdfUrl": "",
    "doi": "10.5220/0010378801230131",
    "abstract": "This paper deals with several use-cases for privately querying corpora of documents in both settings where the corpus is public or private with respect to an honest-but-curious infrastructure executing the query. We address these scenarios using Fully Homomorphic Encryption (FHE) hybridized with other techniques such as Symmetric Searchable Encryption (SSE) and Private Information Retrieval (PIR) to achieve acceptable system level performances. The paper also presents the prototypes developed to validate the approach and reports on the performances obtained as well as their capacity to scale.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:1629167",
    "title": "Enforcing Data Protection Law – The Role of the Supervisory Authorities in Theory and Practice",
    "authors": [
      "Felix Bieker"
    ],
    "date": "2016",
    "platform": "hal",
    "sourceUrl": "https://inria.hal.science/hal-01629167v1",
    "pdfUrl": "https://inria.hal.science/hal-01629167/document",
    "doi": "10.1007/978-3-319-55783-0_10",
    "abstract": "This paper examines the role of the supervisory authorities for the enforcement of the EU data protection regulation. It therefore examines the case law of the Court of Justice of the European Union and the upcoming legislative changes under the General Data Protection Regulation, which includes detailed provisions for the cooperation of all European supervisory authorities.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "s2:a3e4b758d1d72ff31eb07e125d3b25a3c1a03431",
    "title": "Pk-Anonymization Meets Differential Privacy",
    "authors": [
      "Masaya Kobayashi",
      "Atsushi Fujioka",
      "Koji Chida",
      "Akira Nagai",
      "Kan Yasuda"
    ],
    "date": "2024-08-28",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/a3e4b758d1d72ff31eb07e125d3b25a3c1a03431",
    "pdfUrl": "http://xplorestaging.ieee.org/ielx8/10788036/10788037/10788070.pdf?arnumber=10788070",
    "doi": "10.1109/PST62714.2024.10788070",
    "abstract": "This paper explores the relationships between two privacy protection measures: $P$ k-anonymity and $\\varepsilon$ -differential privacy. $P$ k-anonymity and $\\varepsilon$ -differential privacy are proposed by Ikarashi et al. and Dwork et al., respectively, and they are independent privacy measures. The previous research has indicated the relationships between k-anonymity and $(\\beta,\\ \\epsilon,\\ \\delta)$ -differential privacy under sampling, and precisely, have shown that a k-anonymization algorithm can satisfy $(\\beta,\\ \\epsilon,\\ \\delta)$ -differential privacy under sampling within a range of parameters. Although k-anonymity is a stronger notion than Pk-anonymity, $(\\beta,\\ \\epsilon,\\ \\delta)$ -differential privacy under sampling is a weaker one than $\\varepsilon$ -differential privacy. We introduce a property of anonymization, named record-independence where the processing of one record is not af-fected by the values of other records, and show that a P k- anonymization algorithm can satisfy $\\varepsilon$ -differential privacy within a range of parameters under the condition where the an-onymization algorithm is record-independent. With the fact that k-anonymity implies Pk-anonymity, k-anonymity meets $\\varepsilon{-}$ differential privacy. Then, it implies that an algorithm with a strong privacy notion can satisfy a strong one in another privacy measure. Numerical experiments are then performed to give relations among the parameters of $P$ k-anonymity and $\\varepsilon$ -differential privacy.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "Conference on Privacy, Security and Trust",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2803082977",
    "title": "Data subject rights in the cloud: A grounded study on data protection assurance in the light of GDPR",
    "authors": [
      "Alaa Altorbaq",
      "Fredrik Blix",
      "Stina Sorman"
    ],
    "date": "2017",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.23919/icitst.2017.8356406",
    "pdfUrl": "",
    "doi": "https://doi.org/10.23919/icitst.2017.8356406",
    "abstract": "The new European General Data Protection Regulation GDPR requires that organisations placing personal data on cloud services can protect certain rights of data subjects, such as their right to access, demand erasure and rectification of their data. Due to the technical complexity and shared environment of cloud services, the flow of personal data in the cloud must be secured and controlled from its initial collection, via processing, to final erasure. This has proved to be both organisationally and technically challenging. This study identifies the related challenges and outlines potential solutions for organisations who need to be able to adequately demonstrate compliance with the regulation as well as to respond to rights requests from data subjects. The study is based on interviews with ten data protection experts. The semi-structured interviews were qualitatively analysed, using an approach informed by Grounded Theory. The contribution of this study is a refined model depicting stages of a personal information life-cycle. Additionally, twelve challenges and fourteen recommendations were identified and presented to the various stages of the model. Both clients and providers of cloud services are expected to benefit from these results, as well as the data subjects, whose rights are protected.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "ICITST",
    "language": "en"
  },
  {
    "id": "s2:4a7350e7622775b86ec49efcb39977655ecb63c0",
    "title": "Big Data Anonymization Requirements vs Privacy Models",
    "authors": [
      "J. Domingo-Ferrer"
    ],
    "date": "2018",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/4a7350e7622775b86ec49efcb39977655ecb63c0",
    "pdfUrl": "https://doi.org/10.5220/0006830004710478",
    "doi": "10.5220/0006830004710478",
    "abstract": "The big data explosion opens unprecedented analysis and inference possibilities that may even enable modeling the world and forecasting its evolution with great accuracy. The dark side of such a data bounty is that it complicates the preservation of individual privacy: a substantial part of big data is obtained from the digital track of our activity. We focus here on the privacy of subjects on whom big data are collected. Unless anonymization approaches are found that are suitable for big data, the following extreme positions will become more and more common: nihilists, who claim that privacy is dead in the big data world, and fundamentalists, who want privacy even at the cost of sacrificing big data analysis. In this article we identify requirements that should be satisfied by privacy models to be applicable to big data. We then examine how well the two main privacy models (k-anonymity and ε-differential privacy) satisfy those requirements. Neither model is entirely satisfactory, although k-anonymity seems more amenable to big data protection. Finally, we highlight connections between the previous two privacy models and other privacy models that might result in synergies between them in order to tackle big data: the principles underlying all those models are deniability and permutation. Future research attempting to adapt the current privacy models for big data and/or design new models will have to adhere to those two underlying principles. As a side result, the above inter-model connections allow gauging what is the actual protection afforded by differential privacy when ε is not sufficiently small.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "International Conference on E-Business and Telecommunication Networks",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3024937658",
    "title": "GDPR Compliant Consent Driven Data Protection in Online Social Networks: A Blockchain-Based Approach",
    "authors": [
      "Javed Ahmed",
      "Sule Yildirim Yayilgan",
      "Mariusz Nowostaki",
      "Raghvendra Ramachandra",
      "Ogerta Elezaj",
      "Mohamad Abomohara"
    ],
    "date": "2020",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1109/icict50521.2020.00054",
    "pdfUrl": "",
    "doi": "https://doi.org/10.1109/icict50521.2020.00054",
    "abstract": "The enforcement of the General Data Protection Regulation (GDPR) represents a great challenge for online social networks (OSNs). Several OSNs are making significant changes to their systems to achieve compliance with GDPR. OSNs are required to obtain meaningful consent from users to achieve GDPR compliance. GDPR recognizes user's consent as a legitimate ground for personal data processing in the context of online social networks. This article presents a comparative study about the criteria for valid consent under GDPR and existing consent seeking practices of OSNs. In order to simplify the comparative process, Facebook is taken as a case study for online social networks. In conclusion of the comparative study, we argue that existing consent mechanisms in OSNs are not GDPR compliant. To achieve GDPR compliance in online social networks, we advocate a blockchain-based approach for consent management. This paper paves the way for designing a blockchain-based GDPR compliant consent management model for personal data processing in online social networks.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "ICICT",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4313435902",
    "title": "A Blockchain-Based End-to-End Data Protection Model for Personal Health Records Sharing: A Fully Homomorphic Encryption Approach",
    "authors": [
      "Fausto Neri da Silva Vanin",
      "Lucas Micol Policarpo",
      "Rodrigo da Rosa Righi",
      "Sandra Marlene Heck",
      "Valter Ferreira da Silva",
      "José Roberto Goldim",
      "Cristiano André da Costa"
    ],
    "date": "2022",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.3390/s23010014",
    "pdfUrl": "https://www.mdpi.com/1424-8220/23/1/14/pdf?version=1672110673",
    "doi": "https://doi.org/10.3390/s23010014",
    "abstract": "Personal health records (PHR) represent health data managed by a specific individual. Traditional solutions rely on centralized architectures to store and distribute PHR, which are more vulnerable to security breaches. To address such problems, distributed network technologies, including blockchain and distributed hash tables (DHT) are used for processing, storing, and sharing health records. Furthermore, fully homomorphic encryption (FHE) is a set of techniques that allows the calculation of encrypted data, which can help to protect personal privacy in data sharing. In this context, we propose an architectural model that applies a DHT technique called the interplanetary protocol file system and blockchain networks to store and distribute data and metadata separately; two new elements, called data steward and shared data vault, are introduced in this regard. These new modules are responsible for segregating responsibilities from health institutions and promoting end-to-end encryption; therefore, a person can manage data encryption and requests for data sharing in addition to restricting access to data for a predefined period. In addition to supporting calculations on encrypted data, our contribution can be summarized as follows: (i) mitigation of risk to personal privacy by reducing the use of unencrypted data, and (ii) improvement of semantic interoperability among health institutions by using distributed networks for standardized PHR. We evaluated performance and storage occupation using a database with 1.3 million COVID-19 registries, which showed that combining FHE with distributed networks could redefine e-health paradigms.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.625,
    "venue": "Sensors",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4394804988",
    "title": "Secure Multi-Party Computation for Machine Learning: A Survey",
    "authors": [
      "Ian Zhou",
      "Farzad Tofigh",
      "Massimo Piccardi",
      "Mehran Abolhasan",
      "Daniel Franklin",
      "Justin Lipman"
    ],
    "date": "2024",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1109/access.2024.3388992",
    "pdfUrl": "https://ieeexplore.ieee.org/ielx7/6287639/6514899/10498135.pdf",
    "doi": "https://doi.org/10.1109/access.2024.3388992",
    "abstract": "Machine learning is a powerful technology for extracting information from data of diverse nature and origin. As its deployment increasingly depends on data from multiple entities, ensuring privacy for these contributors becomes paramount for the integrity and fairness of machine learning endeavors. This review looks into the recent advancements in secure multi-party computation (SMPC) for machine learning, a pivotal technology championing data privacy. We evaluate these applications from various aspects, including security models, requirements, system types, and service models, aligning with the IEEE’s recommended practices for SMPC. Broadly, SMPC systems are divided into two categories: homomorphic-based systems, which facilitate computations on encrypted data, ensuring data remains confidential, and secret sharing-based systems, which disseminate data across parties in fragmented shares. Our literature analysis highlights certain gaps, such as security requisites, streamlined information exchange, incentive structures, data authenticity, and operational efficiency. Recognizing these challenges leads to envisioning a holistic SMPC protocol tailored for machine learning applications.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.625,
    "venue": "IEEE Access",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3133531941",
    "title": "The European Union’s General Data Protection Regulation (GDPR) and its Implications for South African Data Privacy Law: An Evaluation of Selected ‘Content Principles’",
    "authors": [
      "Anneliese Roos"
    ],
    "date": "2021",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.25159/2522-3062/7985",
    "pdfUrl": "",
    "doi": "https://doi.org/10.25159/2522-3062/7985",
    "abstract": "After a lengthy legislative process, South Africa implemented the Protection of Personal Information Act 4 of 2013 (POPI Act) on 1 July 2020. The POPI Act is an omnibus data-protection Act that conforms to the former benchmark for data-protection laws worldwide, namely, the 1995 EU Data Protection Directive. At the time of drafting the proposed Bill that would later become the Act, the South African Law Reform Commission emphasised the importance of a South African data-protection Act that complies with international standards on data protection, especially with the EU’s Directive. The Directive, in Article 25, imposed a prohibition on the transfer of personal data to non-member countries that do not ensure an adequate level of protection when personal data of their citizens are processed. South Africa’s Act needed to comply with the standard set in the Directive for the protection of personal information if South Africa wanted to remain part of the international information technology market. In 2016, the EU adopted the General Data Protection Regulation (GDPR) that replaced the 1995 Directive with effect from May 2018. The question now arises whether the South African Act still meets the minimum standards for data protection set out by this Regulation and whether amendments to the Act are needed. This article compares certain provisions of the GDPR with similar provisions of the POPI Act in order to establish whether the South African Act meets the standard set in the GDPR.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Comparative and International Law Journal of Southern Africa",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2756900437",
    "title": "The law of everything. Broad concept of personal data and future of EU data protection law",
    "authors": [
      "Nadezhda Purtova"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1080/17579961.2018.1452176",
    "pdfUrl": "https://www.tandfonline.com/doi/pdf/10.1080/17579961.2018.1452176?needAccess=true",
    "doi": "https://doi.org/10.1080/17579961.2018.1452176",
    "abstract": "Article 29 Working Party guidelines and the case law of the CJEU facilitate a plausible argument that in the near future everything will be or will contain personal data, leading to the application of data protection to everything: technology is rapidly moving towards perfect identifiability of information; datafication and advances in data analytics make everything (contain) information; and in increasingly ‘smart’ environments any information is likely to relate to a person in purpose or effect. At present, the broad notion of personal data is not problematic and even welcome. This will change in future. When the hyperconnected onlife world of data-driven agency arrives, the intensive compliance regime of the General Data Protection Regulation (GDPR) will become ‘the law of everything’, well-meant but impossible to maintain. By then we should abandon the distinction between personal and non-personal data, embrace the principle that all data processing should trigger protection, and understand how this protection can be scalable.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Law Innovation and Technology",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2902203272",
    "title": "Does the GDPR Enhance Consumers’ Control over Personal Data? An Analysis from a Behavioural Perspective",
    "authors": [
      "Iris van Ooijen",
      "Helena U. Vrabec"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1007/s10603-018-9399-7",
    "pdfUrl": "https://link.springer.com/content/pdf/10.1007/s10603-018-9399-7.pdf",
    "doi": "https://doi.org/10.1007/s10603-018-9399-7",
    "abstract": "Because of increased technological complexities and multiple data-exploiting business practices, it is hard for consumers to gain control over their own personal data. Therefore, individual control over personal data has become an important subject in European privacy law. Compared to its predecessor, the General Data Protection Regulation (GDPR) addresses the need for more individual control over personal data more explicitly. With the introduction of several new principles that seem to empower individuals in gaining more control over their data, its changes relative to its predecessors are substantial. It appears, however, that, to increase individual control, data protection law relies on certain assumptions about human decision making. In this work, we challenge these assumptions and describe the actual mechanisms of human decision making in a personal data context. Further, we analyse the extent to which new provisions in the GDPR effectively enhance individual control through a behavioural lens. To guide our analysis, we identify three stages of data processing in the data economy: (1) the information receiving stage, (2) the approval and primary use stage, and (3) the secondary use (reuse) stage. For each stage, we identify the pitfalls of human decision-making that typically emerge and form a threat to individual control. Further, we discuss how the GDPR addresses these threats by means of several legal provisions. Finally, keeping in mind the pitfalls in human decision-making, we assess how effective the new legal provisions are in enhancing individual control. We end by concluding that these legal instruments seem to have made a step towards more individual control, but some threats to individual control remain entrenched in the GDPR.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Journal of Consumer Policy",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3153197149",
    "title": "Adtech and Real-Time Bidding under European Data Protection Law",
    "authors": [
      "Michael Veale",
      "Frederik Zuiderveen Borgesius"
    ],
    "date": "2021",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.31235/osf.io/wg8fq",
    "pdfUrl": "https://osf.io/wg8fq/download",
    "doi": "https://doi.org/10.31235/osf.io/wg8fq",
    "abstract": "Citation: Michael Veale and Frederik Zuiderveen Borgesius, ‘Adtech and Real-Time Bidding under European Data Protection Law’ (2022) 23(2) German Law Journal 226-256. This paper discusses the troubled relationship between contemporary advertising technology (adtech) systems, in particular systems of real-time bidding (RTB, also known as programmatic advertising) underpinning much behavioural targeting on the web and through mobile applications. This paper analyses the extent to which practices of RTB are compatible with the requirements regarding (i) a legal basis for processing, transparency, and security in European data protection law. We first introduce the technologies at play through explaining and analysing the systems deployed online today. Following that, we turn to the law. Rather than analyse RTB against every provision of the General Data Protection Regulation (GDPR), we consider RTB in the context of the GDPR’s requirement of a legal basis for processing and the GDPR’s transparency and security requirements. We show, first, that the GDPR requires prior consent of the internet user for RTB, as other legal bases are not appropriate. Second, we show that it is difficult – and perhaps impossible – for website publishers and RTB companies to meet the GDPR’s transparency requirements. Third, RTB incentivises insecure data processing. We conclude that, in concept and in practice, RTB is structurally difficult to reconcile with European data protection law. Therefore, intervention by regulators is necessary.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "German Law Journal",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3108761828",
    "title": "Study: The impact of the General Data Protection Regulation on artificial intelligence",
    "authors": [
      "Giovanni Sartor",
      "Francesca Lagioia"
    ],
    "date": "2020",
    "platform": "OpenAlex",
    "sourceUrl": "http://hdl.handle.net/11585/763225",
    "pdfUrl": "https://www.europarl.europa.eu/RegData/etudes/STUD/2020/641530/EPRS_STU(2020)641530_EN.pdf",
    "doi": "https://doi.org/10.2861/293",
    "abstract": "This study addresses the relationship between the General Data Protection Regulation (GDPR) and artificial intelligence (AI). After introducing some basic concepts of AI, it reviews the state of the art in AI technologies and focuses on the application of AI to personal data. It considers challenges and opportunities for individuals and society, and the ways in which risks can be countered and opportunities enabled through law and technology.\nThe study then provides an analysis of how AI is regulated in the GDPR and examines the extent to which AI fits into the GDPR conceptual framework. It discusses the tensions and proximities between AI and data protection principles, such as, in particular, purpose limitation and data minimisation. It examines the legal bases for AI applications to personal data and considers duties of information concerning AI systems, especially those involving profiling and automated decision-making. It reviews data subjects' rights, such as the rights to access, erasure, portability and object.\nThe study carries out a thorough analysis of automated decision-making, considering the extent to which automated decisions are admissible, the safeguard measures to be adopted, and whether data subjects have a right to individual explanations. It then addresses the extent to which the GDPR provides for a preventive risk-based approach, focusing on data protection by design and by default. The possibility to use AI for statistical purposes, in a way that is consistent with the GDPR, is also considered.\nThe study concludes by observing that AI can be deployed in a way that is consistent with the GDPR, but also that the GDPR does not provide sufficient guidance for controllers, and that its prescriptions need to be expanded and concretised. Some suggestions in this regard are developed.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Archivio istituzionale della ricerca (Alma Mater Studiorum Università di Bologna)",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4377031476",
    "title": "Vulnerability and Data Protection Law",
    "authors": [
      "Gianclaudio Malgieri"
    ],
    "date": "2023",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1093/oso/9780192870339.001.0001",
    "pdfUrl": "",
    "doi": "https://doi.org/10.1093/oso/9780192870339.001.0001",
    "abstract": "Vulnerability is the hallmark of human beings in the twenty-first century. In the digital environment, this is particularly evident. Vulnerabilities are generally considered using a group-based approach: ethnic minorities, children, the elderly, people with disabilities, etc. However, this static approach might prove to be inaccurate: the digital media have reshaped groups and individuals by inducing new vulnerabilities and creating different vulnerable sub-groups of users, consumers, citizens, and data subjects. This book is conceived not only to show problems but to offer a perspective of critical optimism towards viable solutions. The EU General Data Protection Regulation is not just the legal instrument used to analyse criticalities in the existing digital world but it is also primarily a forward-looking set of tools that, though largely underexplored, might prove to be essential in rebalancing power asymmetries and mitigating induced vulnerabilities in the age of AI. While many authors have focused on the nuances of data controllers and data processors, few scholars have focused on the characteristics of the data subjects. Accordingly, this book has three related goals: (i) investigating the notion of the data subject and understanding whether and how personal conditions influence the definition and the protection of this subject; (ii) reconceptualizing the notion of vulnerability in the data protection framework, proposing a layered, contextual, and relational notion; (iii) promoting a vulnerability-aware interpretation of the GDPR. The aim of this book is to start promoting the data subjects’ layered vulnerability as a heuristic tool in order to re-interpret the GDPR and to reconceptualize the risk-based approach on an individual-centred basis.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4226049484",
    "title": "Efficient Dropout-Resilient Aggregation for Privacy-Preserving Machine Learning",
    "authors": [
      "Ziyao Liu",
      "Jiale Guo",
      "Kwok‐Yan Lam",
      "Jun Zhao"
    ],
    "date": "2022",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1109/tifs.2022.3163592",
    "pdfUrl": "https://arxiv.org/pdf/2203.17044",
    "doi": "https://doi.org/10.1109/tifs.2022.3163592",
    "abstract": "Machine learning (ML) has been widely recognized as an enabler of the global trend of digital transformation. With the increasing adoption of data-hungry machine learning algorithms, personal data privacy has emerged as one of the key concerns that could hinder the success of digital transformation. As such, Privacy-Preserving Machine Learning (PPML) has received much attention of the machine learning community, from academic researchers to industry practitioners to government regulators. However, organizations are faced with the dilemma that, on the one hand, they are encouraged to share data to enhance ML performance, but on the other hand, they could potentially be breaching the relevant data privacy regulations. Practical PPML typically allows multiple participants to individually train their ML models, which are then aggregated to construct a global model in a privacy-preserving manner, e.g., based on multi-party computation or homomorphic encryption. Nevertheless, in most important applications of large-scale PPML, e.g., by aggregating clients’ gradients to update a global model for federated learning, such as consumer behavior modeling of mobile application services, some participants are inevitably resource-constrained mobile devices, which may drop out of the PPML system due to their mobility nature (Yang et al., 2019). Therefore, the resilience of privacy-preserving aggregation has become an important problem to be tackled because of its real-world application potential and impacts. In this paper, we propose a scalable privacy-preserving aggregation scheme that can tolerate dropout by participants at any time, and is secure against both semi-honest and active malicious adversaries by setting proper system parameters. By replacing communication-intensive building blocks with a seed homomorphic pseudo-random generator, and relying on the additive homomorphic property of Shamir secret sharing scheme, our scheme outperforms state-of-the-art schemes by up to $6.37\\times$ in runtime and provides a stronger dropout-resilience. The simplicity of our scheme makes it attractive both for implementation and for further improvements.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.625,
    "venue": "IEEE Transactions on Information Forensics and Security",
    "language": "en"
  },
  {
    "id": "s2:5d5e307bab1fab7b8f47674518932e82d4f6fa1f",
    "title": "(ε, k)-Randomized Anonymization: ε-Differentially Private Data Sharing with k-Anonymity",
    "authors": [
      "Akito Yamamoto",
      "E. Kimura",
      "T. Shibuya"
    ],
    "date": "2023",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/5d5e307bab1fab7b8f47674518932e82d4f6fa1f",
    "pdfUrl": "https://doi.org/10.5220/0011665600003414",
    "doi": "10.5220/0011665600003414",
    "abstract": "As the amount of biomedical and healthcare data increases, data mining for medicine becomes more and more important for health improvement. At the same time, privacy concerns in data utilization have also been growing. The key concepts for privacy protection are k-anonymity and differential privacy, but k-anonymity alone cannot protect personal presence information, and differential privacy alone would leak the identity. To promote data sharing throughout the world, universal methods to release the entire data while satisfying both concepts are required, but such a method does not yet exist. Therefore, we propose a novel privacy-preserving method, (ε, k)-Randomized Anonymization. In this paper, we first present two methods that compose the Randomized Anonymization method. They perform k-anonymization and randomized response in sequence and have adequate randomness and high privacy guarantees, respectively. Then, we show the algorithm for (ε, k)-Randomized Anonymization, which can provide highly accurate outputs with both k-anonymity and differential privacy. In addition, we describe the analysis procedures for each method using an inverse matrix and expectation-maximization (EM) algorithm. In the experiments, we used real data to evaluate our methods’ anonymity, privacy level, and accuracy. Furthermore, we show several examples of analysis results to demonstrate high utility of the proposed methods.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "International Conference on Health Informatics",
    "language": "en"
  },
  {
    "id": "s2:5ea308aca08bb3f0f0fb18ee55136ad5925c56a9",
    "title": "Emerging Biometric Modalities and their Use: Loopholes in the Terminology of the GDPR and Resulting Privacy Risks",
    "authors": [
      "Tamás Bisztray",
      "Nils Gruschka",
      "T. Bourlai",
      "Lothar Fritsch"
    ],
    "date": "2021-09-01",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/5ea308aca08bb3f0f0fb18ee55136ad5925c56a9",
    "pdfUrl": "https://arxiv.org/pdf/2211.12899",
    "doi": "10.1109/BIOSIG52210.2021.9548298",
    "abstract": "Technological advancements allow biometric applications to be more omnipresent than in any other time before. This paper argues that in the current EU data protection regulation, classification applications using biometric data receive less protection compared to biometric recognition. We analyse preconditions in the regulatory language and explore how this has the potential to be the source of unique privacy risks for processing operations classifying individuals based on soft traits like emotions. This can have high impact on personal freedoms and human rights and, therefore, should be subject to data protection impact assessment.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Biometrics and Electronic Signatures",
    "language": "en"
  },
  {
    "id": "s2:7c81e4d21ff6911b9106ee28a91bae09c713f59e",
    "title": "AI-Driven Anonymization: Protecting Personal Data Privacy While Leveraging Machine Learning",
    "authors": [
      "Le Yang",
      "Miao Tian",
      "Duan Xin",
      "Qishuo Cheng",
      "Jiajian Zheng"
    ],
    "date": "2024-02-27",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/7c81e4d21ff6911b9106ee28a91bae09c713f59e",
    "pdfUrl": "",
    "doi": "10.48550/arXiv.2402.17191",
    "abstract": "The development of artificial intelligence has significantly transformed people's lives. However, it has also posed a significant threat to privacy and security, with numerous instances of personal information being exposed online and reports of criminal attacks and theft. Consequently, the need to achieve intelligent protection of personal information through machine learning algorithms has become a paramount concern. Artificial intelligence leverages advanced algorithms and technologies to effectively encrypt and anonymize personal data, enabling valuable data analysis and utilization while safeguarding privacy. This paper focuses on personal data privacy protection and the promotion of anonymity as its core research objectives. It achieves personal data privacy protection and detection through the use of machine learning's differential privacy protection algorithm. The paper also addresses existing challenges in machine learning related to privacy and personal data protection, offers improvement suggestions, and analyzes factors impacting datasets to enable timely personal data privacy detection and protection.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "Applied and Computational Engineering",
    "language": "en"
  },
  {
    "id": "s2:a8d5434063ec808cb4273180d53bb3c204c9675a",
    "title": "Anonymization of Network Traces Data through Condensation-based Differential Privacy",
    "authors": [
      "Ahmed Aleroud",
      "Fan Yang",
      "Sai C. Pallaprolu",
      "Zhiyuan Chen",
      "George Karabatis"
    ],
    "date": "2021-10-15",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/a8d5434063ec808cb4273180d53bb3c204c9675a",
    "pdfUrl": "https://dl.acm.org/doi/pdf/10.1145/3425401",
    "doi": "10.1145/3425401",
    "abstract": "Network traces are considered a primary source of information to researchers, who use them to investigate research problems such as identifying user behavior, analyzing network hierarchy, maintaining network security, classifying packet flows, and much more. However, most organizations are reluctant to share their data with a third party or the public due to privacy concerns. Therefore, data anonymization prior to sharing becomes a convenient solution to both organizations and researchers. Although several anonymization algorithms are available, few of them allow sufficient privacy (organization need), acceptable data utility (researcher need), and efficient data analysis at the same time. This article introduces a condensation-based differential privacy anonymization approach that achieves an improved tradeoff between privacy and utility compared to existing techniques and produces anonymized network trace data that can be shared publicly without lowering its utility value. Our solution also does not incur extra computation overhead for the data analyzer. A prototype system has been implemented, and experiments have shown that the proposed approach preserves privacy and allows data analysis without revealing the original data even when injection attacks are launched against it. When anonymized datasets are given as input to graph-based intrusion detection techniques, they yield almost identical intrusion detection rates as the original datasets with only a negligible impact.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "DTRAP",
    "language": "en"
  },
  {
    "id": "s2:cf102ac442cdf2150f89dd1bf8611a50c1510e07",
    "title": "Data Anonymization With Diversity Constraints",
    "authors": [
      "Mostafa Milani",
      "Yu Huang",
      "Fei Chiang"
    ],
    "date": "2023-04-01",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/cf102ac442cdf2150f89dd1bf8611a50c1510e07",
    "pdfUrl": "",
    "doi": "10.1109/TKDE.2021.3131528",
    "abstract": "Recent privacy legislation has aimed to restrict and control the amount of personal data published by companies and shared with third parties. Much of this real data is not only sensitive requiring anonymization but also contains characteristic details from a variety of individuals. This diversity is desirable in many applications ranging from Web search to drug and product development. Unfortunately, data anonymization techniques have largely ignored diversity in its published result. This inadvertently propagates underlying bias in subsequent data analysis. We study the problem of finding a diverse anonymized data instance where diversity is measured via a set of diversity constraints. We formalize diversity constraints, and study their fundamental problems of satisfiability, implication, and validation. We show that determining the existence of a diverse, anonymized instance can be done in PTIME, and we present a clustering-based algorithm, along with optimizations to improve performance. We conduct extensive experiments using real and synthetic data showing the effectiveness of our techniques, and improvement over existing baselines. Our work aligns with recent trends towards responsible data science by coupling diversity with privacy-preserving data publishing.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "IEEE Transactions on Knowledge and Data Engineering",
    "language": "en"
  },
  {
    "id": "s2:42f892a03cdac12e0bd07031cc8f6ce00cc2451e",
    "title": "Privacy-Preserving Machine Learning With Fully Homomorphic Encryption for Deep Neural Network",
    "authors": [
      "Joon-Woo Lee",
      "Hyungchul Kang",
      "Yongwoo Lee",
      "W. Choi",
      "Jieun Eom",
      "M. Deryabin",
      "Eunsang Lee",
      "Junghyun Lee",
      "Donghoon Yoo",
      "Young-Sik Kim",
      "Jong-Seon No"
    ],
    "date": "2021-06-14",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/42f892a03cdac12e0bd07031cc8f6ce00cc2451e",
    "pdfUrl": "https://ieeexplore.ieee.org/ielx7/6287639/9668973/09734024.pdf",
    "doi": "10.1109/ACCESS.2022.3159694",
    "abstract": "Fully homomorphic encryption (FHE) is a prospective tool for privacy-preserving machine learning (PPML). Several PPML models have been proposed based on various FHE schemes and approaches. Although FHE schemes are suitable as tools for implementing PPML models, previous PPML models based on FHE, such as CryptoNet, SEALion, and CryptoDL, are limited to simple and nonstandard types of machine learning models; they have not proven to be efficient and accurate with more practical and advanced datasets. Previous PPML schemes replaced non-arithmetic activation functions with simple arithmetic functions instead of adopting approximation methods and did not use bootstrapping, which enables continuous homomorphic evaluations. Thus, they could neither use standard activation functions nor employ large numbers of layers. In this work, we first implement the standard ResNet-20 model with the RNS-CKKS FHE with bootstrapping and verify the implemented model with the CIFAR-10 dataset and plaintext model parameters. Instead of replacing the non-arithmetic functions with simple arithmetic functions, we use state-of-the-art approximation methods to evaluate these non-arithmetic functions, such as ReLU and Softmax, with sufficient precision. Further, for the first time, we use the bootstrapping technique of the RNS-CKKS scheme in the proposed model, which enables us to evaluate an arbitrary deep learning model on encrypted data. We numerically verify that the proposed model with the CIFAR-10 dataset shows 98.43% identical results to the original ResNet-20 model with non-encrypted data. The classification accuracy of the proposed model is 92.43%±2.65%, which is quite close to that of the original ResNet-20 CNN model (91.89%). It takes approximately 3 h for inference on a dual Intel Xeon Platinum 8280 CPU (112 cores) with 172 GB of memory. We believe that this opens the possibility of applying FHE to an advanced deep PPML model.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.625,
    "venue": "IEEE Access",
    "language": "en"
  },
  {
    "id": "s2:a5a5a35a612d511bc1cc652730962a3bdd58fa09",
    "title": "Collaborative privacy-preserving analysis of oncological data using multiparty homomorphic encryption",
    "authors": [
      "R. Geva",
      "A. Gusev",
      "Yuriy Polyakov",
      "Lior Liram",
      "O. Rosolio",
      "A. Alexandru",
      "N. Genise",
      "Marcelo Blatt",
      "Zohar Duchin",
      "B. Waissengrin",
      "D. Mirelman",
      "F. Bukstein",
      "D. Blumenthal",
      "I. Wolf",
      "S. Pelles-Avraham",
      "Tali Schaffer",
      "Lee A Lavi",
      "D. Micciancio",
      "V. Vaikuntanathan",
      "Ahmad Al Badawi",
      "S. Goldwasser"
    ],
    "date": "2023-08-07",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/a5a5a35a612d511bc1cc652730962a3bdd58fa09",
    "pdfUrl": "https://doi.org/10.1073/pnas.2304415120",
    "doi": "10.1073/pnas.2304415120",
    "abstract": "Significance: Improving clinical decision-making and research-based patient treatment relies on access to comprehensive clinical datasets obtained by sharing real-world healthcare data. However, without guaranteed patient privacy, proper protection of datasets, and control over data usage, stakeholders withhold their data from inclusion in larger clinical datasets. Fully homomorphic encryption (FHE) is a cryptographic tool that can address these issues by enabling computation on encrypted data without ever decrypting the raw data or intermediate results. We develop a general-purpose toolset for collaborative privacy-preserving analytics, including survival analysis, logistic regression training, and several common descriptive statistics, using multiparty FHE. We exemplify our toolset performance over encrypted oncological data and emphasize that it applies to other collaborative medical and healthcare application domains.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.625,
    "venue": "IACR Cryptology ePrint Archive",
    "language": "en"
  },
  {
    "id": "s2:7300d1a1712611b8e79c1933773cf597f71558ae",
    "title": "Data Anonymization Techniques for Preserving Privacy in Public Release Data Model A Technical Review",
    "authors": [
      "Arun Amaithi Rajan",
      "Anitha Amaithi Rajan"
    ],
    "date": "2020-02-28",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/7300d1a1712611b8e79c1933773cf597f71558ae",
    "pdfUrl": "http://www.isroset.org/pub_paper/IJSRCSE/8-ISROSET-IJSRCSE-03053.pdf",
    "doi": "10.26438/ijsrcse/v8i1.5862",
    "abstract": "The protection of sensitive records is very necessary for a modern scenario. Lately, the informational index is accessible for open use for statistical analysis. In this situation increasingly sensitive information like medical records, nation resident's data, worker's compensation data and so on are affecting to a higher extent since we are giving our data to people in general. Thus, Data anonymization assumes significance in the present day to protect the open discharge of sensitive information. In this paper, we reviewed some anonymization techniques and proposed a simple anonymization technique which is the combination of synthetic data generation and pseudonymization approach which reduces attacks on sensitive facts.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "International Journal of Scientific Research in Computer Science and Engineering",
    "language": "en"
  },
  {
    "id": "s2:01be71d94ef0fe51c1b3b0dc639157f1ead62075",
    "title": "A Multimodal Anonymization Framework for MP4 Videos",
    "authors": [
      "Sandip Shinde",
      "Arya Pathak",
      "S. Mohite",
      "Sanchitsai Nipanikar",
      "Keyur Pande"
    ],
    "date": "2025-03-05",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/01be71d94ef0fe51c1b3b0dc639157f1ead62075",
    "pdfUrl": "",
    "doi": "10.1109/ESCI63694.2025.10988328",
    "abstract": "The increasing prevalence of video data containing sensitive information necessitates robust anonymization systems capable of safeguarding privacy across multiple modalities. This paper presents a comprehensive multimodal anonymization framework for MP4 videos, addressing privacy concerns related to text, facial features, and audio. The proposed system processes input videos by independently anonymizing embedded text, human faces, and audio streams through specialized pipelines while maintaining temporal and spatial coherence. Text anonymization leverages optical character recognition (OCR) for detection and employs redaction or pseudonymization techniques to ensure privacy. Facial anonymization uses advanced generative models to replace sensitive facial regions with realistic, privacy-preserving synthetic alternatives. Audio anonymization modifies speaker-specific features to eliminate re-identification risks while retaining semantic integrity. The anonymized components are recombined into a coherent output video, ensuring usability for downstream tasks. Experimental results demonstrate the system’s ability to achieve high privacy protection without significant degradation in video utility. This framework is highly relevant for privacy-preserving applications in healthcare, legal systems, social media, and machine learning datasets.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "2025 International Conference on Emerging Smart Computing and Informatics (ESCI)",
    "language": "en"
  },
  {
    "id": "s2:72a68c274efe5ede07ff3ab2e510c48cad603478",
    "title": "Estimating Group Means Under Local Differential Privacy",
    "authors": [
      "René Raab",
      "Arijana Bohr",
      "Kai Klede",
      "Benjamin Gmeiner",
      "B. Eskofier"
    ],
    "date": "2025-10-01",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/72a68c274efe5ede07ff3ab2e510c48cad603478",
    "pdfUrl": "",
    "doi": "10.56553/popets-2025-0129",
    "abstract": "The European Health Data Space (EHDS) aims to enable the sharing of health data across Europe to improve healthcare and research. While the EHDS mandates anonymization or pseudonymization of shared health data, these techniques may still allow adversaries to re-identify individuals. Local differential privacy (LDP) has been proposed as a formal privacy guarantee that can help mitigate this issue. In this paper, we consider a common problem when analyzing health data: estimating means for different groups. We discuss a generic privacy-preserving method for approximating the means of different groups in a decentralized setting where both the group and the value are considered private. We show that four concrete instantiations of the method based on existing mean estimation methods (Laplace, Bernoulli, Piecewise, and NPRR) are locally differentially private. We evaluate their performance on synthetic and real-world medical datasets. Our results show that the proposed methods can accurately estimate the group means, while maintaining privacy. However, similar to other LDP algorithms, our approach requires a sufficient amount of data (in our case a sufficient amount of samples per group) combined with a sufficiently large privacy budget ε to produce accurate results. We discuss concrete practical issues like choosing an appropriate input range, dealing with large privacy budgets through the use of the shuffle model of differential privacy, and the need for further analysis techniques to make LDP solutions applicable to practical medical data analysis.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "Proceedings on Privacy Enhancing Technologies",
    "language": "en"
  },
  {
    "id": "s2:11712f446c918c878173cc0575961ac512151771",
    "title": "Image De-Identification Methods for Clinical Research in the XDS Environment",
    "authors": [
      "K. Y. E. Aryanto",
      "G. V. Kernebeek",
      "B. Berendsen",
      "M. Oudkerk",
      "P. V. Ooijen"
    ],
    "date": "2016-01-26",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/11712f446c918c878173cc0575961ac512151771",
    "pdfUrl": "https://link.springer.com/content/pdf/10.1007%2Fs10916-016-0431-7.pdf",
    "doi": "10.1007/s10916-016-0431-7",
    "abstract": "To investigate possible de-identification methodologies within the Cross-Enterprise Document Sharing for imaging (XDS-I) environment in order to provide strengthened support for image data exchange as part of clinical research projects. De-identification, using anonymization or pseudonymization, is the most common method to perform information removal within DICOM data. However, it is not a standard part of the XDS-I profiles. Different methodologies were observed to define how and where de-identification should take place within an XDS environment used for scientific research. De-identification service can be placed in three locations within the XDS-I framework: 1) within the Document Source, 2) between the Document Source and Document Consumer, and 3) within the Document Consumer. First method has a potential advantage with respect to the exposure of the images to outside systems but has drawbacks with respect to additional hardware and configuration requirements. Second and third method have big concern in exposing original documents with all identifiable data being intact after leaving the Document Source. De-identification within the Document Source has more advantages compared to the other methods. On the contrary, it is less recommended to perform de-identification within the Document Consumer since it has the highest risk of the exposure of patients identity due to the fact that images are exposed without de-identification during the transfers.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "Journal of medical systems",
    "language": "en"
  },
  {
    "id": "s2:eeac8ea215c5f3a6057dcb327519af04fb5b88f4",
    "title": "A Multi-view Approach to Preserve Privacy and Utility in Network Trace Anonymization",
    "authors": [
      "Meisam Mohammady",
      "Momen Oqaily",
      "Lingyu Wang",
      "Yuan Hong",
      "Habib Louafi",
      "M. Pourzandi",
      "Mourad Debbabi"
    ],
    "date": "2021-02-09",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/eeac8ea215c5f3a6057dcb327519af04fb5b88f4",
    "pdfUrl": "https://doi.org/10.1145/3439732",
    "doi": "10.1145/3439732",
    "abstract": "As network security monitoring grows more sophisticated, there is an increasing need for outsourcing such tasks to third-party analysts. However, organizations are usually reluctant to share their network traces due to privacy concerns over sensitive information, e.g., network and system configuration, which may potentially be exploited for attacks. In cases where data owners are convinced to share their network traces, the data are typically subjected to certain anonymization techniques, e.g., CryptoPAn, which replaces real IP addresses with prefix-preserving pseudonyms. However, most such techniques either are vulnerable to adversaries with prior knowledge about some network flows in the traces or require heavy data sanitization or perturbation, which may result in a significant loss of data utility. In this article, we aim to preserve both privacy and utility through shifting the trade-off from between privacy and utility to between privacy and computational cost. The key idea is for the analysts to generate and analyze multiple anonymized views of the original network traces: Those views are designed to be sufficiently indistinguishable even to adversaries armed with prior knowledge, which preserves the privacy, whereas one of the views will yield true analysis results privately retrieved by the data owner, which preserves the utility. We formally analyze the privacy of our solution and experimentally evaluate it using real network traces provided by a major ISP. The experimental results show that our approach can significantly reduce the level of information leakage (e.g., less than 1% of the information leaked by CryptoPAn) with comparable utility.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "ACM Transactions on Privacy and Security",
    "language": "en"
  },
  {
    "id": "s2:c56d1d9df5579b72e5159feaf46767fa9dd790f5",
    "title": "Preserving Both Privacy and Utility in Network Trace Anonymization",
    "authors": [
      "Meisam Mohammady",
      "Lingyu Wang",
      "Yuan Hong",
      "Habib Louafi",
      "M. Pourzandi",
      "M. Debbabi"
    ],
    "date": "2018-10-08",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/c56d1d9df5579b72e5159feaf46767fa9dd790f5",
    "pdfUrl": "https://dl.acm.org/doi/pdf/10.1145/3243734.3243809",
    "doi": "10.1145/3243734.3243809",
    "abstract": "As network security monitoring grows more sophisticated, there is an increasing need for outsourcing such tasks to third-party analysts. However, organizations are usually reluctant to share their network traces due to privacy concerns over sensitive information, e.g., network and system configuration, which may potentially be exploited for attacks. In cases where data owners are convinced to share their network traces, the data are typically subjected to certain anonymization techniques, e.g., CryptoPAn, which replaces real IP addresses with prefix-preserving pseudonyms. However, most such techniques either are vulnerable to adversaries with prior knowledge about some network flows in the traces, or require heavy data sanitization or perturbation, both of which may result in a significant loss of data utility. In this paper, we aim to preserve both privacy and utility through shifting the trade-off from between privacy and utility to between privacy and computational cost. The key idea is for the analysts to generate and analyze multiple anonymized views of the original network traces; those views are designed to be sufficiently indistinguishable even to adversaries armed with prior knowledge, which preserves the privacy, whereas one of the views will yield true analysis results privately retrieved by the data owner, which preserves the utility. We formally analyze the privacy of our solution and experimentally evaluate it using real network traces provided by a major ISP. The results show that our approach can significantly reduce the level of information leakage (e.g., less than 1% of the information leaked by CryptoPAn) with comparable utility.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "Conference on Computer and Communications Security",
    "language": "en"
  },
  {
    "id": "s2:c0014d53afb13d605ac971a7c17014326ce6f990",
    "title": "k-NDDP: An Efficient Anonymization Model for Social Network Data Release",
    "authors": [
      "Shafaq Shakeel",
      "A. Anjum",
      "Alia Asheralieva",
      "Masoom Alam"
    ],
    "date": "2021-10-08",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/c0014d53afb13d605ac971a7c17014326ce6f990",
    "pdfUrl": "https://www.mdpi.com/2079-9292/10/19/2440/pdf?version=1633688772",
    "doi": "10.3390/electronics10192440",
    "abstract": "With the evolution of Internet technology, social networking sites have gained a lot of popularity. People make new friends, share their interests, experiences in life, etc. With these activities on social sites, people generate a vast amount of data that is analyzed by third parties for various purposes. As such, publishing social data without protecting an individual’s private or confidential information can be dangerous. To provide privacy protection, this paper proposes a new degree anonymization approach k-NDDP, which extends the concept of k-anonymity and differential privacy based on Node DP for vertex degrees. In particular, this paper considers identity disclosures on social data. If the adversary efficiently obtains background knowledge about the victim’s degree and neighbor connections, it can re-identify its victim from the social data even if the user’s identity is removed. The contribution of this paper is twofold. First, a simple and, at the same time, effective method k–NDDP is proposed. The method is the extension of k-NMF, i.e., the state-of-the-art method to protect against mutual friend attack, to defend against identity disclosures by adding noise to the social data. Second, the achieved privacy using the concept of differential privacy is evaluated. An extensive empirical study shows that for different values of k, the divergence produced by k-NDDP for CC, BW and APL is not more than 0.8%, also added dummy links are 60% less, as compared to k-NMF approach, thereby it validates that the proposed k-NDDP approach provides strong privacy while maintaining the usefulness of data.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "Electronics",
    "language": "en"
  },
  {
    "id": "s2:06a10327d9c5fdc0e56931656e639674e5f67957",
    "title": "Data Anonymization in Social Networks State of the Art, Exposure of Shortcomings and Discussion of New Innovations",
    "authors": [
      "Baida Ouafae",
      "Ramdi Mariam",
      "Louzar Oumaima",
      "Lyhyaoui Abdelouahid"
    ],
    "date": "2020-04-01",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/06a10327d9c5fdc0e56931656e639674e5f67957",
    "pdfUrl": "",
    "doi": "10.1109/IRASET48871.2020.9092064",
    "abstract": "Privacy is a concern of social network users. Social networks are a source of valuable data for scientific or commercial analysis. Therefore, anonymizing social network data before releasing it becomes an important issue. The nodes in the network represent the individuals and the links among them denote their relationships. Nevertheless, publishing a social graph directly by simply removing the names of people who contributed to this graph raises important privacy issues. In particular, some inference attacks on the published graph can lead to de-anonymizing certain nodes, learning the existence of a social relation between two nodes or even using the structure of the graph itself to deduce the value of certain sensitive attributes. In this paper, we present a brief yet systematic review of the existing anonymization techniques for privacy preserving publishing of social network data. We identify the challenges in privacy preserving publishing of social network data comparing to the extensively studied relational case. We survey the existing anonymization methods for privacy preservation in three categories: graph modification approaches, generalization approaches and differential privacy methods.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "2020 1st International Conference on Innovative Research in Applied Science, Engineering and Technology (IRASET)",
    "language": "en"
  },
  {
    "id": "s2:ad0b370c8d1ec3902a3abafc85dc392078c56baf",
    "title": "Privacy preserving data anonymization of spontaneous ADE reporting system dataset",
    "authors": [
      "Wen-Yang Lin",
      "Duen-Chuan Yang",
      "Jie-Teng Wang"
    ],
    "date": "2015-10-22",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/ad0b370c8d1ec3902a3abafc85dc392078c56baf",
    "pdfUrl": "https://bmcmedinformdecismak.biomedcentral.com/track/pdf/10.1186/s12911-016-0293-4",
    "doi": "10.1186/s12911-016-0293-4",
    "abstract": "Background: To facilitate long-term safety surveillance of marketing drugs, many spontaneously reporting systems (SRSs) of ADR events have been established world-wide. Since the data collected by SRSs contain sensitive personal health information that should be protected to prevent the identification of individuals, it procures the issue of privacy preserving data publishing (PPDP), that is, how to sanitize (anonymize) raw data before publishing. Although much work has been done on PPDP, very few studies have focused on protecting privacy of SRS data and none of the anonymization methods is favorable for SRS datasets, due to which contain some characteristics such as rare events, multiple individual records, and multi-valued sensitive attributes. Methods: We propose a new privacy model called MS(k, θ*)-bounding for protecting published spontaneous ADE reporting data from privacy attacks. Our model has the flexibility of varying privacy thresholds, i.e., θ*, for different sensitive values and takes the characteristics of SRS data into consideration. We also propose an anonymization algorithm for sanitizing the raw data to meet the requirements specified through the proposed model. Our algorithm adopts a greedy-based clustering strategy to group the records into clusters, conforming to an innovative anonymization metric aiming to minimize the privacy risk as well as maintain the data utility for ADR detection. Empirical study was conducted using FAERS dataset from 2004Q1 to 2011Q4. We compared our model with four prevailing methods, including k-anonymity, (X, Y)-anonymity, Multi-sensitive l-diversity, and (α, k)-anonymity, evaluated via two measures, Danger Ratio (DR) and Information Loss (IL), and considered three different scenarios of threshold setting for θ*, including uniform setting, level-wise setting and frequency-based setting. We also conducted experiments to inspect the impact of anonymized data on the strengths of discovered ADR signals. Results: With all three different threshold settings for sensitive value, our method can successively prevent the disclosure of sensitive values (nearly all observed DRs are zeros) without sacrificing too much of data utility. With non-uniform threshold setting, level-wise or frequency-based, our MS(k, θ*)-bounding exhibits the best data utility and the least privacy risk among all the models. The experiments conducted on selected ADR signals from MedWatch show that only very small difference on signal strength (PRR or ROR) were observed. The results show that our method can effectively prevent the disclosure of patient sensitive information without sacrificing data utility for ADR signal detection. Conclusions: We propose a new privacy model for protecting SRS data that possess some characteristics overlooked by contemporary models and an anonymization algorithm to sanitize SRS data in accordance with the proposed model. Empirical evaluation on the real SRS dataset, i.e., FAERS, shows that our method can effectively solve the privacy problem in SRS data without influencing the ADR signal strength.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "BMC Medical Informatics and Decision Making",
    "language": "en"
  },
  {
    "id": "s2:139808c42b92f40104620443ff832671cb24ac5d",
    "title": "A Dynamic Approach to Health Data Anonymization by Separatrices",
    "authors": [
      "K. Coelho",
      "Maurício M. Okuyama",
      "Michele Nogueira Lima",
      "A. B. Vieira",
      "Edelberto F. Silva",
      "J. Nacif"
    ],
    "date": "2024-06-26",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/139808c42b92f40104620443ff832671cb24ac5d",
    "pdfUrl": "",
    "doi": "10.1109/ISCC61673.2024.10733590",
    "abstract": "Technological advances enable the integration of Internet of Things (IoT) devices to perform continuous and proactive patient monitoring. These devices collect a large volume of sensitive data that requires privacy. Anonymization provides privacy by removing or modifying information that identifies an individual. However, traditional anonymization techniques, such as k-anonymity, depend on a fixed and pre-defined k value, susceptible to attribute disclosure attacks. This article presents Dynamic Anonymization by Separatrices (DAS), an approach for defining the ideal value k and for dynamic grouping of data to be anonymized using separatrices measurements. Results show that the proposed approach efficiently mitigates attribute disclosure attacks.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "International Symposium on Computers and Communications",
    "language": "en"
  },
  {
    "id": "s2:aab5b3fa4d61f324d7b159121c3be0a8894e93b4",
    "title": "Anonymization Based on Improved Bucketization (AIB): A Privacy-Preserving Data Publishing Technique for Improving Data Utility in Healthcare Data",
    "authors": [
      "R. Indhumathi",
      "S. Devi"
    ],
    "date": "2021-12-01",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/aab5b3fa4d61f324d7b159121c3be0a8894e93b4",
    "pdfUrl": "",
    "doi": "10.1166/jmihi.2021.3901",
    "abstract": "Data sharing is essential in present biomedical research. A large quantity of medical information is gathered and for different objectives of analysis and study. Because of its large collection, anonymity is essential. Thus, it is quite important to preserve privacy and prevent leakage of sensitive information of patients. Most of the Anonymization methods such as generalisation, suppression and perturbation are proposed to overcome the information leak which degrades the utility of the collected data. During data sanitization, the utility is automatically diminished. Privacy Preserving Data Publishing faces the main drawback of maintaining tradeoff between privacy and data utility. To address this issue, an efficient algorithm called Anonymization based on Improved Bucketization (AIB) is proposed, which increases the utility of published data while maintaining privacy. The Bucketization technique is used in this paper with the intervention of the clustering method. The proposed work is divided into three stages: (i) Vertical and Horizontal partitioning (ii) Assigning Sensitive index to attributes in the cluster (iii) Verifying each cluster against privacy threshold (iv) Examining for privacy breach in Quasi Identifier (QI). To increase the utility of published data, the threshold value is determined based on the distribution of elements in each attribute, and the anonymization method is applied only to the specific QI element. As a result, the data utility has been improved. Finally, the evaluation results validated the design of paper and demonstrated that our design is effective in improving data utility.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "J. Medical Imaging Health Informatics",
    "language": "en"
  },
  {
    "id": "s2:fb1477905c1c8cf43a05459db98b1a2c39163bb4",
    "title": "DP-VAE: Human-Readable Text Anonymization for Online Reviews with Differentially Private Variational Autoencoders",
    "authors": [
      "Benjamin Weggenmann",
      "Valentin Rublack",
      "Michael Andrejczuk",
      "Justus Mattern",
      "F. Kerschbaum"
    ],
    "date": "2022-04-25",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/fb1477905c1c8cf43a05459db98b1a2c39163bb4",
    "pdfUrl": "",
    "doi": "10.1145/3485447.3512232",
    "abstract": "While vast amounts of personal data are shared daily on public online platforms and used by companies and analysts to gain valuable insights, privacy concerns are also on the rise: Modern authorship attribution techniques have proven effective at identifying individuals from their data, such as their writing style or behavior of picking and judging movies. It is hence crucial to develop data sanitization methods that allow sharing of users’ data while protecting their privacy and preserving quality and content of the original data. In this paper, we tackle anonymization of textual data and propose an end-to-end differentially private variational autoencoder architecture. Unlike previous approaches that achieve differential privacy on a per-word level through individual perturbations, our solution works at an abstract level by perturbing the latent vectors that provide a global summary of the input texts. Decoding an obfuscated latent vector thus not only allows our model to produce coherent, high-quality output text that is human-readable, but also results in strong anonymization due to the diversity of the produced data. We evaluate our approach on IMDb movie and Yelp business reviews, confirming its anonymization capabilities and preservation of the semantics and utility of the original sentences.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "The Web Conference",
    "language": "en"
  },
  {
    "id": "doaj:f93acce6edea490f9e2d5833739aa61f",
    "title": "Le RGPD et la protection de la vie privée face à l’essor des objets connectés",
    "authors": [
      "Gwenaëlle DONADIEU"
    ],
    "date": "2022",
    "platform": "doaj",
    "sourceUrl": "https://journals.openedition.org/ticetsociete/6720",
    "pdfUrl": "https://journals.openedition.org/ticetsociete/pdf/6720",
    "doi": "10.4000/ticetsociete.6720",
    "abstract": "The rise of connected objects in the consumer environment requires professionals to process large volumes of information that may be sensitive. Some connected objects endanger the privacy of consumers because of breaches that could result from the dissemination of the information they collect. Although the General Data Protection Regulation (GDPR) imposes various obligations, such as information and transparency requirements, on data processors as well as the need to obtain clear user consent around personal data, the implementation of these provisions remains unclear. In light of behavioral economics’ researchers findings on individual decision-making processes, we can now better understand why certain provisions may not be as effective as anticipated.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Tic & Société",
    "language": "en"
  },
  {
    "id": "europepmc:38400457",
    "title": "Secure Aggregation Protocol Based on DC-Nets and Secret Sharing for Decentralized Federated Learning.",
    "authors": [
      "Pereira D",
      "Reis PR",
      "Borges F."
    ],
    "date": "2024-02-17",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.3390/s24041299",
    "pdfUrl": "https://europepmc.org/articles/PMC10892453?pdf=render",
    "doi": "10.3390/s24041299",
    "abstract": "In the era of big data, millions and millions of data are generated every second by different types of devices. Training machine-learning models with these data has become increasingly common. However, the data used for training are often sensitive and may contain information such as medical, banking, or consumer records, for example. These data can cause problems in people's lives if they are leaked and also incur sanctions for companies that leak personal information for any reason. In this context, Federated Learning emerges as a solution to the privacy of personal data. However, even when only the gradients of the local models are shared with the central server, some attacks can reconstruct user data, allowing a malicious server to violate the FL principle, which is to ensure the privacy of local data. We propose a secure aggregation protocol for Decentralized Federated Learning, which does not require a central server to orchestrate the aggregation process. To achieve this, we combined a Multi-Secret-Sharing scheme with a Dining Cryptographers Network. We validate the proposed protocol in simulations using the MNIST handwritten digits dataset. This protocol achieves results comparable to Federated Learning with the FedAvg protocol while adding a layer of privacy to the models. Furthermore, it obtains a timing performance that does not significantly affect the total training time, unlike protocols that use Homomorphic Encryption.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "fr"
  },
  {
    "id": "https://openalex.org/W2980153165",
    "title": "Società delle tecnologie esponenziali e General Data Protection Regulation",
    "authors": [
      "Simone Bonavita"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.4000/books.ledizioni.3937",
    "pdfUrl": "https://www.doabooks.org/doab?func=search&query=rid:40366",
    "doi": "https://doi.org/10.4000/books.ledizioni.3937",
    "abstract": "Questo volume nasce con l’intento di analizzare, in una prospettiva critica, il Regolamento Generale sulla Protezione dei Dati (RGPD o GDPR nel suo acronimo inglese) che ha novellato l’intera disciplina in Europa sul trattamento dei dati personali. Un regolamento che, secondo alcuni, è già vecchio o che, nella migliore delle ipotesi, pone ulteriori problematiche connesse alle fasi della crescente innovazione tecnologica. Travolti da uno tsunami inarrestabile dei Big Data, il regolamento risponde fissando principi di minimizzazione del trattamento. Ma sarà la scelta giusta? Ed è giusto adottare un regolamento sul trattamento dei dati che non si compenetra perfettamente con altre normative relative alle comunicazioni digitali e al commercio elettronico? Il volume analizza questi aspetti, considerando il panorama tecnologico attuale e ponendo interrogativi in relazione alla difficile applicazione delle norme volte alla tutela dei dati personali.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Ledizioni eBooks",
    "language": "it"
  },
  {
    "id": "https://openalex.org/W3016929499",
    "title": "Browser-based Crypto Mining and EU Data Protection and Privacy Law: A Critical Assessment and Possible Opportunities for the Monetisation of Web Services",
    "authors": [
      "Christopher Mondschein"
    ],
    "date": "2020",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.31585/jbba-3-2-(1)2020",
    "pdfUrl": "https://jbba.scholasticahq.com/article/12585.pdf",
    "doi": "https://doi.org/10.31585/jbba-3-2-(1)2020",
    "abstract": "Recently, browser-based crypto mining (or browser mining) received attention in academic literature, mainly from work in the field of computer science. Browser-based crypto mining describes the act of websites or other actors mining cryptocurrencies for their own gain on client-side user hardware, which mainly takes place by mining Monero through Coinhive or similar codebases. Although the practice gained infamy through the various ways in which it was illicitly deployed, browser mining has the potential to act as an alternative means for the monetisation of web services and digital content. A number of studies explored browser mining for monetisation purposes and highlighted its short-comings compared to traditional advertisement-based monetisation strategies. This paper discusses the practice in light of EU data protection and privacy law, notably the General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePD), which is currently being overhauled and aligned with the GDPR. It adds to the discussion surrounding the feasibility of browser mining as a potential alternative for monetisation by (i) exploring the legality of browser mining in relation to EU data protection and privacy law (ii) and by identifying possible benefits regarding the protection of individuals’ personal data and privacy by deploying browser mining. It is argued that employing browser mining in a transparent and legitimate manner may be an additional option to financing websites and online services due to the growing legal pressure on advertisement models such as programmatic advertisement that rely on the exploitation of large amounts of personal data and ad networks.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "The Journal of British Blockchain Association",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4306684296",
    "title": "A Publicidade e a Proteção de Dados Pessoais – O RGPD",
    "authors": [
      "Luísa Costa Sousa",
      "Luísa Sousa"
    ],
    "date": "2022",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.56123/percursos.2022.n12.78",
    "pdfUrl": "https://percursoseideias.iscet.pt/articles/sol2022n120010.pdf",
    "doi": "https://doi.org/10.56123/percursos.2022.n12.78",
    "abstract": "The General Data Protection Regulation is an EU legislative instrument that aims to standardize legislation on the processing of personal data of citizens of the European Union. As fundamental guiding principles of its conception is the reinforcement of the security and the trust of the data subject, as well as the limitation to the specific purposes to which such treatment is directed. A strong supervisory and sanctioning framework means that all data controllers are now faced with more demanding regulations for which they will have to define stricter commercial communication and data transmission strategies. The figure of the Data Protection Officer is in the scope of supervision and the relationship with the national authorities responsible for compliance with the law, which is decisive for the accountability and implementation of the entire process defined and enshrined in European and National regulations.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Percursos & Ideias",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3122921145",
    "title": "A Segurança na Proteção de Dados: Entre o RGPD Europeu e a LGPD Brasileira",
    "authors": [
      "Manuel David Masseno",
      "Guilherme Magalhães Martins",
      "José Luiz de Moura Faleiros Júnior"
    ],
    "date": "2020",
    "platform": "OpenAlex",
    "sourceUrl": "https://cejur.emnuvens.com.br/cejur/article/download/346/181",
    "pdfUrl": "https://revistadocejur.tjsc.jus.br/cejur/article/download/346/181",
    "doi": "https://doi.org/10.21902/rctjsc.v8i1.346",
    "abstract": "This article critically presents each of the main issues related to intrinsic security in the treatment of personal data as a result of the General Law for the Protection of Personal Data, in Brazil, but from an external perspective, that of the European Union’s General Data Protection Regulation, which has been considered as its matrix. Thus, the present study appreciates the points of contact between the European GDPR, from the specific perspective of the Portuguese experience, in contrast to the Brazilian law. In effect, from the comparative method, the main normative frameworks that concern data security will be presented - theme chosen for the object selected for this analysis -, always with doctrinal contributions pertinent to the items of greatest relevance to the investigation in question. At the end, a conclusion will be presented in order to confirm the research hypothesis. In view of the cultural proximity, the references are based on the specialized Portuguese Doctrine.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Revista do CEJUR/TJSC Prestação Jurisdicional",
    "language": "pt"
  },
  {
    "id": "https://openalex.org/W1484288940",
    "title": "Provably Private Data Anonymization: Or, k-Anonymity Meets Differential Privacy",
    "authors": [
      "Ninghui Li",
      "Wahbeh Qardaji",
      "Dong Su"
    ],
    "date": "2011",
    "platform": "OpenAlex",
    "sourceUrl": "http://dblp.uni-trier.de/db/journals/corr/corr1101.html#abs-1101-2604",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Privacy-preserving microdata publishing currently lacks a solid theoretical\nfoundation. Most existing techniques are developed to satisfy syntactic privacy\nnotions, which fail to provide strong privacy guarantees. The recently proposed\nnotion of differential privacy has been widely accepted as a sound privacy\nfoundation for statistical query answering. However, no general practical\nmicrodata publishing techniques are known to satisfy differential privacy. In\nthis paper, we start to bridge this gap. We first analyze k-anonymization\nmethods and show how they fail to provide sufficient protection against\nre-identification, which it was designed to protect. We then prove that\nk-anonymization methods, when done safely, and when preceded with a random\nsampling step, can satisfy $(\\epsilon,\\delta)$-differential privacy with\nreasonable parameters. This result is the first to link k-anonymity with\ndifferential privacy and illustrates that hiding in a crowd of k indeed\noffers strong privacy guarantees. We observe that our result gives an\nalternative approach to output perturbation for satisfying differential\nprivacy: namely, adding a random sampling step in the beginning and pruning\nresults that are too sensitive to changing a single tuple. This approach may be\napplicable to settings other than microdata publishing. We also show that\nadding a random-sampling step can greatly amplify the level of privacy provided\nby a differentially-private algorithm. This result makes it much easier to\nprovide strong privacy guarantees when one wishes to publish a portion of the\nraw data. Finally, we show that current definitions of $(\\epsilon,\n\\delta)$-differential privacy require $\\delta$ to be very small to provide\nsufficient privacy protection when publishing microdata, making the notion\nimpractical. To address this problem, we introduce a notion called f-smooth\n$(\\epsilon,\\delta)$-differential privacy.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:2602.10074",
    "title": "CAPID: Context-Aware PII Detection for Question-Answering Systems",
    "authors": [
      "Mariia Ponomarenko",
      "Sepideh Abedini",
      "Masoumeh Shafieinejad",
      "D. B. Emerson",
      "Shubhankar Mohapatra",
      "Xi He"
    ],
    "date": "2026-02-10",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2602.10074v1",
    "pdfUrl": "https://arxiv.org/pdf/2602.10074v1",
    "doi": "",
    "abstract": "Detecting personally identifiable information (PII) in user queries is critical for ensuring privacy in question-answering systems. Current approaches mainly redact all PII, disregarding the fact that some of them may be contextually relevant to the user's question, resulting in a degradation of response quality. Large language models (LLMs) might be able to help determine which PII are relevant, but due to their closed source nature and lack of privacy guarantees, they are unsuitable for sensitive data processing. To achieve privacy-preserving PII detection, we propose CAPID, a practical approach that fine-tunes a locally owned small language model (SLM) that filters sensitive information before it is passed to LLMs for QA. However, existing datasets do not capture the context-dependent relevance of PII needed to train such a model effectively. To fill this gap, we propose a synthetic data generation pipeline that leverages LLMs to produce a diverse, domain-rich dataset spanning multiple PII types and relevance levels. Using this dataset, we fine-tune an SLM to detect PII spans, classify their types, and estimate contextual relevance. Our experiments show that relevance-aware PII detection with a fine-tuned SLM substantially outperforms existing baselines in span, relevance and type accuracy while preserving significantly higher downstream utility under anonymization.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:2311.13881",
    "title": "A Multi-solution Study on GDPR AI-enabled Completeness Checking of DPAs",
    "authors": [
      "Muhammad Ilyas Azeem",
      "Sallam Abualhaija"
    ],
    "date": "2023-11-23",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2311.13881v1",
    "pdfUrl": "https://arxiv.org/pdf/2311.13881v1",
    "doi": "",
    "abstract": "Specifying legal requirements for software systems to ensure their compliance with the applicable regulations is a major concern to requirements engineering (RE). Personal data which is collected by an organization is often shared with other organizations to perform certain processing activities. In such cases, the General Data Protection Regulation (GDPR) requires issuing a data processing agreement (DPA) which regulates the processing and further ensures that personal data remains protected. Violating GDPR can lead to huge fines reaching to billions of Euros. Software systems involving personal data processing must adhere to the legal obligations stipulated in GDPR and outlined in DPAs. Requirements engineers can elicit from DPAs legal requirements for regulating the data processing activities in software systems. Checking the completeness of a DPA according to the GDPR provisions is therefore an essential prerequisite to ensure that the elicited requirements are complete. Analyzing DPAs entirely manually is time consuming and requires adequate legal expertise. In this paper, we propose an automation strategy to address the completeness checking of DPAs against GDPR. Specifically, we pursue ten alternative solutions which are enabled by different technologies, namely traditional machine learning, deep learning, language modeling, and few-shot learning. The goal of our work is to empirically examine how these different technologies fare in the legal domain. We computed F2 score on a set of 30 real DPAs. Our evaluation shows that best-performing solutions yield F2 score of 86.7% and 89.7% are based on pre-trained BERT and RoBERTa language models. Our analysis further shows that other alternative solutions based on deep learning (e.g., BiLSTM) and few-shot learning (e.g., SetFit) can achieve comparable accuracy, yet are more efficient to develop.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:1011.2511",
    "title": "Individual Privacy vs Population Privacy: Learning to Attack Anonymization",
    "authors": [
      "Graham Cormode"
    ],
    "date": "2010-11-10",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/1011.2511v1",
    "pdfUrl": "https://arxiv.org/pdf/1011.2511v1",
    "doi": "",
    "abstract": "Over the last decade there have been great strides made in developing techniques to compute functions privately. In particular, Differential Privacy gives strong promises about conclusions that can be drawn about an individual. In contrast, various syntactic methods for providing privacy (criteria such as k-anonymity and l-diversity) have been criticized for still allowing private information of an individual to be inferred. In this report, we consider the ability of an attacker to use data meeting privacy definitions to build an accurate classifier. We demonstrate that even under Differential Privacy, such classifiers can be used to accurately infer \"private\" attributes in realistic data. We compare this to similar approaches for inference-based attacks on other forms of anonymized data. We place these attacks on the same scale, and observe that the accuracy of inference of private attributes for Differentially Private data and l-diverse data can be quite similar.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:2411.19142",
    "title": "GDPR-Relevant Privacy Concerns in Mobile Apps Research: A Systematic Literature Review",
    "authors": [
      "Orlando Amaral Cejas",
      "Nicolas Sannier",
      "Sallam Abualhaija",
      "Marcello Ceci",
      "Domenico Bianculli"
    ],
    "date": "2024-11-28",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2411.19142v2",
    "pdfUrl": "https://arxiv.org/pdf/2411.19142v2",
    "doi": "",
    "abstract": "The General Data Protection Regulation (GDPR) is considered as the benchmark in the European Union (EU) for privacy and data protection standards. Since before its entry into force in 2018, substantial research has been conducted in the software engineering (SE) literature investigating the elicitation, representation, and verification of GDPR privacy requirements. Software systems deployed anywhere in the world must comply with GDPR as long as they handle personal data of EU residents. Mobile applications (apps) are no different in that regard. With the growing pervasiveness of mobile apps and their increasing demand for personal data, privacy concerns have acquired further interest within the SE community. Despite the extensive literature on GDPR-relevant privacy concerns in mobile apps, there is no secondary study that describes, analyzes, and categorizes the current focus. Research gaps and persistent challenges are thus left unnoticed. This article aims to provide a comprehensive overview of the existing research on GDPR privacy concerns in the context of mobile apps. To do so, we conducted a systematic literature review of 60 primary studies. Our findings show that existing studies predominantly address three key GDPR-related privacy concerns: (i) the direct collection of personal data from users, (ii) the sharing of personal data with external entities (e.g., third parties) beyond the mobile apps, and (iii) the analysis of user consent as a legal basis for collecting personal data. Our study highlighted research gaps, calling for further research to better understand: (i) the indirect collection of personal data, e.g., data exposed to mobile apps through, e.g., permission requests, (ii) the impact of legal bases beyond consent and how they may affect the development of mobile apps, and (iii) the required implementation details pertinent to data subject rights.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:2206.13050",
    "title": "Libra: High-Utility Anonymization of Event Logs for Process Mining via Subsampling",
    "authors": [
      "Gamal Elkoumy",
      "Marlon Dumas"
    ],
    "date": "2022-06-27",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2206.13050v1",
    "pdfUrl": "https://arxiv.org/pdf/2206.13050v1",
    "doi": "",
    "abstract": "Process mining techniques enable analysts to identify and assess process improvement opportunities based on event logs. A common roadblock to process mining is that event logs may contain private information that cannot be used for analysis without consent. An approach to overcome this roadblock is to anonymize the event log so that no individual represented in the original log can be singled out based on the anonymized one. Differential privacy is an anonymization approach that provides this guarantee. A differentially private event log anonymization technique seeks to produce an anonymized log that is as similar as possible to the original one (high utility) while providing a required privacy guarantee. Existing event log anonymization techniques operate by injecting noise into the traces in the log (e.g., duplicating, perturbing, or filtering out some traces). Recent work on differential privacy has shown that a better privacy-utility tradeoff can be achieved by applying subsampling prior to noise injection. In other words, subsampling amplifies privacy. This paper proposes an event log anonymization approach called Libra that exploits this observation. Libra extracts multiple samples of traces from a log, independently injects noise, retains statistically relevant traces from each sample, and composes the samples to produce a differentially private log. An empirical evaluation shows that the proposed approach leads to a considerably higher utility for equivalent privacy guarantees relative to existing baselines.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|od______3985::4365fb0acc96bd93aa787327f14a6c27",
    "title": "Why and how we should care about the General Data Protection Regulation",
    "authors": [
      "Rik Crutzen",
      "Gjalt-Jorn Peters",
      "Christopher Mondschein"
    ],
    "date": "",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=50|od______3985::4365fb0acc96bd93aa787327f14a6c27",
    "pdfUrl": "",
    "doi": "",
    "abstract": "The General Data Protection Regulation (GDPR) is the new European Union-wide (EU) law on data protection, which is a great step towards more comprehensive and more far-reaching protection of individuals’ personal data. In this editorial, we describe why and how we – as researchers within the field of health psychology – should care about the GDPR. In the first part, we explain when the GDPR is applicable, who is accountable for data protection, and what is covered by the notions of personal data and processing. In the second part, we explain aspects of the GDPR that are relevant for researchers with the field of health psychology (e.g., obtaining informed consent, data minimization, and open science). We focus on questions that researchers may ask themselves in their daily practice.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|dris___02515::e5a06e9408fbe583c02f012c5107b292",
    "title": "GDPR: Harmonization or Fragmentation? Applicable Law Problems in EU Data Protection Law",
    "authors": [
      "Nolan, Katherine"
    ],
    "date": "2018-01-20",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=50|dris___02515::e5a06e9408fbe583c02f012c5107b292",
    "pdfUrl": "",
    "doi": "",
    "abstract": "EU data privacy law is currently undergoing a regime change. The General Data Protection Regulation (“GDPR”), the EU’s new data protection law, has been subject to a great degree of attention on both sides of the Atlantic. Much of this attention focuses on the GDPR’s expanded territorial reach, increased enforcement fines, and new rules in relation to consent. However, there has been surprisingly little attention paid to the interaction between the GDPR and the new laws of EU Member States being created in response to it. This blog seeks to address this issue, and highlight the absence of a choice of law mechanism within the GDPR to address these competing Member State national data protection laws.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|od_______328::e5c09e254bbee11f8966b7d6955ebd1f",
    "title": "Your GDPR Journey",
    "authors": [
      "Armstrong, R.",
      "Hughes, J.",
      "Adair, M.",
      "Hogan, A."
    ],
    "date": "2017-01-01",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=50|od_______328::e5c09e254bbee11f8966b7d6955ebd1f",
    "pdfUrl": "",
    "doi": "",
    "abstract": "The European Union’s new General Data Protection Regulation[1] will come into effect on the 25th of May, 2018. The GDPR marks a significant change in the EU data protection and privacy regime. It will repeal and replace the current EU Data Protection Directive[2], which forms the basis for the existing data protection regimes in Ireland, the UK and across Europe. Grounded in industry experience, it is the remit of this paper to provide a pragmatic approach to help put your organisation on the road to compliance with the GDPR.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|inria2______::990efc54a08654b0d4e335b50f4ea242",
    "title": "Data anonymization: ethical issues for scientific research",
    "authors": [
      "Froidevaux, Christine",
      "Ganascia, Jean-Gabriel",
      "Kirchner, Claude"
    ],
    "date": "2024-01-01",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=50|inria2______::990efc54a08654b0d4e335b50f4ea242",
    "pdfUrl": "",
    "doi": "",
    "abstract": "In this report, we aim to: * clarify the notions of anonymity, privacy, confidentiality and identities (plural identities, pseudonyms, avatars, etc.) from a sociological, normative and legal standpoint, while placing them in a historical, psychological and cultural perspective; * indicate current technological possibilities for anonymization, their evolution and consequences, with particular reference to : - at individual level (specifying what is meant by anonymity, multiple identities and pseudonyms on the Internet) ; - advances in facial and/or voice identification, and their extension to social networks incorporating multimedia content; - everything to do with the anonymization and pseudonymization of personal data (including techniques such as k-anonymization or differential privacy) and associated re-identification techniques, which are showing their limitations; - the use of behavioral profiles built from traces of Internet browsing or the use of connected objects. We make recommendations concerning the ethical issues of data anonymization, firstly for scientists, but also for citizens and institutions, with a view to raising awareness of the challenges of data anonymization. In addition, we suggest a number of research avenues for scientists. These recommendations are explained in the text and summarized at the end of the report.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:oai:calhoun.nps.edu:10945/50531",
    "title": "A responsible de-identification of the Real Data Corpus: building a framework for PII management",
    "authors": [
      "An, Johanna"
    ],
    "date": "2016-09-01",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=oai:calhoun.nps.edu:10945/50531",
    "pdfUrl": "",
    "doi": "",
    "abstract": "De-identification methods have helped government organizations provide the public with useful information—promoting transparency and accountability while also protecting the individual privacy of the data subjects. However, due to the recent massive increase in data collection and improved methods of analysis, de-identification has become a more difficult task. This work outlines challenges and discusses procedures for making a potentially sensitive data set available to extramural researchers and institutions without significant risk to human subject privacy. We provide a detailed explanation of personally identifiable information to help us understand what forms of personally identifiable information can cause the most harm. Furthermore, we discuss the legality and ethics behind working with personally identifiable information to illustrate the importance of protecting privacy. We then offer a taxonomy of threats, vulnerabilities, and impacts and describe how these determine risk. Based on this taxonomy, we develop a framework to assess risk on the Real Data Corpus, a collection of forensic disk images containing personally identifiable information. In addition, we analyze de-identification methods such as pseudonymization and anonymization, and consider re-identification risks. Finally, we apply our framework and methodology to a real-world scenario to determine the risk of data disclosure to an extramural researcher. Approved for public release; distribution is unlimited. Civilian, National Science Foundation Scholarship for Service Recipient http://archive.org/details/aresponsibledeid1094550531",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|od______2127::ebf893a99bf82ff7b701561bc0b0d460",
    "title": "Privacy in the post General Data Protection Regulation (GDPR) World",
    "authors": [
      "DAJKO MARILDA",
      "DAJKO MARILDA"
    ],
    "date": "2021-01-01",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=50|od______2127::ebf893a99bf82ff7b701561bc0b0d460",
    "pdfUrl": "",
    "doi": "",
    "abstract": "This thesis seeks to analyze the motives that correlate to General Data Protection Regulation/ (GDPR 2016/679) one of the toughest privacy and security law in the world which passed by the European Union (EU) and took effect on May 25, 2018. The document’s aspects, and the purpose is to provide useful information on how this journey started and what is the current state. The GDPR BSc Thesis was conducted as a result of high personal interest and has been written to fulfill the graduation requirements of the Bachelor studies degree. The thesis was undertaken during a quite challenging time of period, considering personal situation balancing the different aspects of which I undertook the last years while the EU’s new data protection law affected many people’s lives. My research question was formulated together with my supervisor, Mr. Dimitris Varoutas. I anticipated to address challenges such as “What is the GDPR? Why is this law important and what part/s of it apply to me? How is it affecting the different industries etc.” which are concerns that most European or non- European citizens may have arisen. The purpose is to primarily provide useful information regarding this regulation, how did it all start, some key roles and responsibilities, the penalties and hopefully help you understand the people’s data privacy rights as well as further analyze the impact of this regulation in different sectors up to today. Nonetheless, conducting an extensive investigation has allowed me to answer many of the mentioned identified questions. Please note that nothing on this document constitutes legal advice rather than creating awareness.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "pubmed:30173275",
    "title": "Ethical approach to the genetic, biometric and health data protection and processing in the new EU General Data Protection Regulation (2018).",
    "authors": [
      "Olimid, Anca Parmena",
      "Rogozea, Liliana Marcela",
      "Olimid, Daniel Alin"
    ],
    "date": "2018",
    "platform": "pubmed",
    "sourceUrl": "https://pubmed.ncbi.nlm.nih.gov/30173275/",
    "pdfUrl": "",
    "doi": "",
    "abstract": "PURPOSE: The main purpose of the present paper is to analyze the rules for processing of special categories of personal data (genetic data, including biological samples, biometric and health data) in the light of the new General Data Protection Regulation (GDPR), thus contributing to overview the health status and the biomedical state of the data subject. BACKGROUND: Over the last two decades, debating the European Union's (EU) major legislation with regard to personal data and patients' rights became relevant for the scientific research. The paper assesses the basic legal provisions with regard to the genetic, biometric and data concerning health considered as \"sensitive data\", while safeguarding the ethical standards of the scientific research. The present article investigates the ethical and legal approaches to processing personal data in the understanding of the new regulatory guidelines regarding the data protection, here including the health status and the rights of a data subject. CONCLUSIONS: The protection of natural persons with regard to the processing of genetic, biometric and health data and the free movement of such data are reinforced in the new GDPR entered into force in May 2016 and applied from 25 May 2018. The new legal context elucidates: the special categories of personal data (\"sensitive data\"), the \"consent\" and the research exemption by explicitly recognizing the \"pseudonymised\" data. Although the new guidelines revisit the EU data protection reform, it also grants the EU Member States the right to maintain or introduce further limitations to the processing of such data.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Romanian journal of morphology and embryology = Revue roumaine de morphologie et embryologie",
    "language": "en"
  },
  {
    "id": "doaj:17c39b1e1ed548cbbb6c07803b8368bb",
    "title": "Convolutional neural network model over encrypted data based on functional encryption",
    "authors": [
      "Chen WANG",
      "Jiarun LI",
      "Jian XU"
    ],
    "date": "2024",
    "platform": "doaj",
    "sourceUrl": "http://www.joconline.com.cn/thesisDetails#10.11959/j.issn.1000-436x.2024050",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Currently, homomorphic encryption, secure multi-party computation, and other encryption schemes are used to protect the privacy of sensitive data in outsourced convolutional neural network (CNN) models. However, the computational and communication overhead caused by the above schemes would reduce system efficiency. Based on the low cost of functional encryption, a new convolutional neural network model over encrypted data was constructed using functional encryption. Firstly, two algorithms based on functional encryption were designed, including inner product functional encryption and basic operation functional encryption algorithms to implement basic operations such as inner product, multiplication, and subtraction over encrypted data, reducing computational and communication costs. Secondly, a secure convolutional computation protocol and a secure loss optimization protocol were designed for each of these basic operations, which achieved ciphertext forward propagation in the convolutional layer and ciphertext backward propagation in the output layer. Finally, a secure training and classification method for the model was provided by the above secure protocols in a module-composable way, which could simultaneously protect the confidentiality of user data as well as data labels. Theoretical analysis and experimental results indicate that the proposed model can achieve CNN training and classification over encrypted data while ensuring accuracy and security.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.625,
    "venue": "Tongxin xuebao",
    "language": "en"
  },
  {
    "id": "hal:5333195",
    "title": "StrawHat : Private Non-Interactive Gradient Boosting Decision Tree Evaluation Based on Homomorphic Encryption",
    "authors": [
      "Mamadou Dia El Hadji",
      "Walid Arabi",
      "Anis Bkakria",
      "Reda Yaich"
    ],
    "date": "2025-11-25",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-05333195v1",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Private decision tree evaluation is a central component of secure machine learning, as it enables the execution of classification and regression tasks on models while preserving the confidentiality of both user data (features) and model parameters (thresholds). Although recent advances based on homomorphic encryption (HE) provide strong security guarantees, they still suffer from high computational complexity and long inference times, particularly in batch processing scenarios. Moreover, these approaches often require a high degree of interactivity when applied to complex models such as random forests or gradient boosting trees. In this paper, we introduce a new protocol, named StrawHat, which provides an optimized framework for non-interactive batch private evaluation of gradient boosting decision tree models. To the best of our knowledge, this is the first protocol that enables such evaluation in a noninteractive setting. Our approach combines the Row Dichotomy Comparison (RDCMP) comparator with an Oblivious Secure Aggregation (OSA) traversal technique, further leveraging optimized ciphertext aggregation to enhance efficiency. This synergy significantly reduces both computational and communication complexity, while exploiting the benefits of parallel batch processing. Our experiments on real-world datasets demonstrate that StrawHat achieves inference times comparable to server-side evaluation, thereby confirming its fully non-interactive nature: the vast majority of computations are carried out on the server without client intervention. These results pave the way for scalable and efficient privacy-preserving machine learning applications, facilitating the practical deployment of private inference for models such as gradient boosting trees.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:1146989",
    "title": "Automatic Learning of Anonymization for Graphs and Dynamic Graphs",
    "authors": [
      "Maria Coralia Laura Maag"
    ],
    "date": "2015-04-08",
    "platform": "hal",
    "sourceUrl": "https://theses.hal.science/tel-01146989v1",
    "pdfUrl": "https://theses.hal.science/tel-01146989/document",
    "doi": "",
    "abstract": "Data privacy is a major problem that has to be considered before releasing datasets to the public or even to a partner company that would compute statistics or make a deep analysis of these data. Privacy is insured by performing data anonymization as required by legislation. In this context, many different anonymization techniques have been proposed in the literature. These techniques are difficult to use in a general context where attacks can be of different types, and where measures are not known to the anonymizer. Generic methods able to adapt to different situations become desirable. We are addressing the problem of privacy related to graph data which needs, for different reasons, to be publicly made available. This corresponds to the anonymized graph data publishing problem. We are placing from the perspective of an anonymizer not having access to the methods used to analyze the data. A generic methodology is proposed based on machine learning to obtain directly an anonymization function from a set of training data so as to optimize a tradeoff between privacy risk and utility loss. The method thus allows one to get a good anonymization procedure for any kind of attacks, and any characteristic in a given set. The methodology is instantiated for simple graphs and complex timestamped graphs. A tool has been developed implementing the method and has been experimented with success on real anonymized datasets coming from Twitter, Enron or Amazon. Results are compared with baseline and it is showed that the proposed method is generic and can automatically adapt itself to different anonymization contexts.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:1824058",
    "title": "Towards Enforcement of the EU GDPR: Enabling Data Erasure",
    "authors": [
      "Subhadeep Sarkar",
      "Jean-Pierre Banâtre",
      "Louis Rilling",
      "Christine Morin"
    ],
    "date": "2018-07-30",
    "platform": "hal",
    "sourceUrl": "https://inria.hal.science/hal-01824058v1",
    "pdfUrl": "https://inria.hal.science/hal-01824058/document",
    "doi": "",
    "abstract": "With the emergence of the Internet of Things (IoT), an increasing need for preserving the privacy of personal data has been realized. In this context, the EU has recently published the general data protection regulation (GDPR), which ensures strengthening of the privacy rights of the data subjects concerning their personal data. In this paper, we present the importance of having a holistic solution aimed towards the enforcement of the GDPR. As a first step towards the enforcement of the GDPR, we present the research challenges in facilitating the erasure of data as per the right to erasure. We also propose the envisaged technical solutions to work through the challenges.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:563311",
    "title": "Efficient and Robust Secure Aggregation of Encrypted Data in Sensor Networks",
    "authors": [
      "Jacques Bahi",
      "Christophe Guyeux",
      "Abdallah Makhoul"
    ],
    "date": "2010",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-00563311v1",
    "pdfUrl": "https://hal.science/hal-00563311/document",
    "doi": "",
    "abstract": "Wireless sensor networks are now in widespread use to monitor regions, detect events and acquire information. To reduce the amount of sending data, an aggregation approach can be applied along the path from sensors to the sink. However, usually the carried information contains confidential data. Therefore, an end-to-end secure aggregation approach is required to ensure a healthy data reception. End-to-end encryption schemes that support operations over cypher-text have been proved important for private party sensor network implementations. Unfortunately, nowadays these methods are very complex and not suitable for sensor nodes having limited resources. In this paper, we propose a secure end-to-end encrypted-data aggregation scheme. It is based on elliptic curve cryptography that exploits a smaller key size. Additionally, it allows the use of higher number of operations on cypher-texts and prevents the distinction between two identical texts from their cryptograms. These properties permit to our approach to achieve higher security levels than existing cryptosystems in sensor networks. Our experiments show that our proposed secure aggregation method significantly reduces computation and communication overhead and can be practically implemented in on-the-shelf sensor platforms. By using homomorphic encryption on elliptic curves, we thus have realized an efficient and secure data aggregation in sensor networks.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2921430830",
    "title": "The GDPR: The Emperor’s New Clothes - On the Structural Shortcomings of Both the Old and the New Data Protection Law",
    "authors": [
      "Winfried Veil"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3305056",
    "pdfUrl": "https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3305056",
    "doi": "",
    "abstract": "The General Data Protection Regulation (GDPR) has many fans and supporters: politicians, supervisory authorities, data protection officers, lawyers, consultants, IT specialists, academics, privacy activists and last but not least, the European Commission — sing the hymn of the new data protection law. For them data protection law made by the EU is the global gold standard, the EU is the trust centre of the world, and the GDPR is like a cathedral.\r\n\r\nOn the other hand, many complain about the bureaucratic, costly, small-parts and unrealistic specifications of the GDPR. However, they usually lack the language to transform their justified objections into a critique of fundamental principles. In taboo-laden, ideologically led confrontations over data protection only few dare to become heretics by stating that data protection threatens to become an end in itself or by calling the GDPR a Frankenstein monster, the greatest catastrophe of the 21st century, a digital counterrevolution or the perfection of a dead end.\r\n\r\nThis paper summarises the various currents of fundamental criticism of data protection law, in particular the utopia of informational self-determination, the ineligibility of the legal instrument of consent, the precautionary principle, the GDPR's disregard for the freedoms of communication, the unanswered question of what should be protected at all, the one size fits approach and the all or nothing approach.\r\n\r\nFor now we have to live with the GDPR. It is, however, so incoherent, inconsistent in its interpretation and incompleteness (with simultaneous prescriptiveness), that fundamental criticism is useful in the further future development of the law through jurisprudence and practice. 
And finally, it is worthwhile to prepare for a day after scenario, following the not entirely unlikely event of GDPR's failure in practice.\r\n\r\nUntil then, we are still waiting for the moment, when the little child raises his voice and everyone realises that the emperor is naked.\r\n\r\nThis paper is written from a German perspective (without disregarding non-German literature). This means, for example, that the right to informational self-determination and the data protection lobby, which is strong in Germany, are given a lot of space. It could therefore help to clarify German peculiarities (not to say, explain German Sonderwege). In particular, however, it should also be a contribution to intercultural dialogue on the basic principles of data protection.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "SSRN Electronic Journal",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2763117153",
    "title": "Is Data Protection Law Growing Teeth? The Current Lack of Sanctions in Data Protection Law and Administrative Fines under the GDPR",
    "authors": [
      "Sandeep-Yadav Golla"
    ],
    "date": "2017",
    "platform": "OpenAlex",
    "sourceUrl": "https://www.jipitec.eu/issues/jipitec-8-1-2017/4533/JIPITEC_8_1_2017_Golla.pdf",
    "pdfUrl": "",
    "doi": "",
    "abstract": "JIPITEC 8 (2017) 1 - This article looks at the current lack of enforcement and sanctions in European Data Protection Law with a particular focus on administrative fines. It identifies reasons for the existing deficits in European Data Protection Law and analyses the potential of the new rules of the General Data Protection Regulation (GDPR) to compensate for those deficits. The article argues that the practical application of the new rules and the coordination of Data Protection Authorities (DPAs) in all member states of the EU are the key to more efficient sanctioning and enforcement through administrative fines.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "JIPITEC",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2403288623",
    "title": "Threshold Fully Homomorphic Encryption and Secure Computation.",
    "authors": [
      "Steven Myers",
      "Mona Sergi",
      "Abhi Shelat"
    ],
    "date": "2011",
    "platform": "OpenAlex",
    "sourceUrl": "https://eprint.iacr.org/2011/454.pdf",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Cramer, Damgard, and Nielsen [CDN01] show how to construct an efficient secure multiparty computation scheme using a threshold homomorphic encryption scheme that has four properties i) a honest-verifier zero-knowledge proof of knowledge of encrypted values, ii) proving multiplications correct iii) threshold decryption and iv) trusted shared key setup. Naor and Nissim [NN01a] show how to construct secure multi-party protocols for a function f whose communication is proportional to the communication required to evaluate f without security, albeit at the cost of computation that might be exponential in the description of f . Gentry [Gen09a] shows how to combine both ideas with fully homomorphic encryption in order to construct secure multi-party protocol that allows evaluation of a function f using communication that is independent of the circuit description of f and computation that is polynomial in | f |. This paper addresses the major drawback’s of Gentry’s approach: we eliminate the use of non-black box methods that are inherent in Naor and Nissim’s compiler. To do this we show how to modify the fully homomorphic encryption construction of van Dijk et al. [vDGHV10] to be threshold fully homomorphic encryption schemes. We directly construct (information theoretically) secure protocols for sharing the secret key for our threshold scheme (thereby removing the setup assumptions) and for jointly decrypting a bit. All of these constructions are constant round and we thoroughly analyze their complexity; they address requirements (iii) and (iv). The fact that the encryption scheme is fully homomorphic addresses requirement (ii). To address the need for an honest-verifier zero-knowledge proof of knowledge of encrypted values, we instead argue that a weaker solution suffices. We provide a 2-round blackbox protocol that allows us to prove knowledge of encrypted bits. 
Our protocol is not zero-knowledge, but it provably does not release any information about the bit being discussed, and this is sufficient to prove the correctness of a simulation in a method similar to Cramer et al. Altogether, we construct the first black-box secure multi-party computation protocol that allows evaluation of a function f using communication that is independent of the circuit description of f .",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.625,
    "venue": "IACR Cryptology ePrint Archive",
    "language": "en"
  },
  {
    "id": "arxiv:1307.0966",
    "title": "Improving data utility in differential privacy and k-anonymity",
    "authors": [
      "Jordi Soria-Comas"
    ],
    "date": "2013-07-03",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/1307.0966v1",
    "pdfUrl": "https://arxiv.org/pdf/1307.0966v1",
    "doi": "",
    "abstract": "We focus on two mainstream privacy models: k-anonymity and differential privacy. Once a privacy model has been selected, the goal is to enforce it while preserving as much data utility as possible. The main objective of this thesis is to improve the data utility in k-anonymous and differentially private data releases. k-Anonymity has several drawbacks. On the disclosure limitation side, there is a lack of protection against attribute disclosure and against informed intruders. On the data utility side, dealing with a large number of quasi-identifier attributes is problematic. We propose a relaxation of k-anonymity that deals with these issues. Differential privacy limits disclosure risk through noise addition. The Laplace distribution is commonly used for the random noise. We show that the Laplace distribution is not optimal: the same disclosure limitation guarantee can be attained by adding less noise. Optimal univariate and multivariate noises are characterized and constructed. Common mechanisms to attain differential privacy do not take into account the users prior knowledge; they implicitly assume zero initial knowledge about the query response. We propose a mechanism that focuses on limiting the knowledge gain over the prior knowledge. Microaggregation-based k-anonymity and differential privacy can be combined to produce microdata releases with the strong privacy guarantees of differential privacy and improved data accuracy. The last contribution delves into the relation between t-closeness and differential privacy. We see that for a specific distance and under some reasonable assumptions on the intruders knowledge, t-closeness leads to differential privacy.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:1909.12935",
    "title": "Responsible Facial Recognition and Beyond",
    "authors": [
      "Yi Zeng",
      "Enmeng Lu",
      "Yinqian Sun",
      "Ruochen Tian"
    ],
    "date": "2019-09-19",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/1909.12935v1",
    "pdfUrl": "https://arxiv.org/pdf/1909.12935v1",
    "doi": "",
    "abstract": "Facial recognition is changing the way we live in and interact with our society. Here we discuss the two sides of facial recognition, summarizing potential risks and current concerns. We introduce current policies and regulations in different countries. Very importantly, we point out that the risks and concerns are not only from facial recognition, but also realistically very similar to other biometric recognition technology, including but not limited to gait recognition, iris recognition, fingerprint recognition, voice recognition, etc. To create a responsible future, we discuss possible technological moves and efforts that should be made to keep facial recognition (and biometric recognition in general) developing for social good.",
    "topics": [
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "s2:f7242f5df478e07f3cbcdf0ef91eed2834d9c8f0",
    "title": "Proposing a Novel Synergized K-Degree L-Diversity T-Closeness Model for Graph Based Data Anonymization",
    "authors": [
      "S. Charanyaa",
      "K. Sangeetha"
    ],
    "date": "2014",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/f7242f5df478e07f3cbcdf0ef91eed2834d9c8f0",
    "pdfUrl": "",
    "doi": "",
    "abstract": "",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.625,
    "venue": "",
    "language": "en"
  },
  {
    "id": "ETid-37",
    "title": "GDPR Fine: Unnamed financial institution — Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) (Hungary)",
    "authors": [
      "Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)"
    ],
    "date": "2019-03-04",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-37",
    "pdfUrl": "https://www.naih.hu/files/NAIH-2019-2526-2-H-hatarozat.pdf",
    "doi": "",
    "abstract": "Fine: €3,200 | Articles: Art. 5 (1) b) GDPR, Art. 5 (1) c) GDPR, Art. 13 (3) GDPR, Art. 17 (1) GDPR, Art. 6 (4) GDPR | Insufficient fulfilment of data subjects rights | The fine was imposed in relation to a data subject's request for data correction and erasure. NAIH levied a fine against an unnamed financial institution for unlawfully rejecting a customer’s request to have his phone number erased after arguing that it was in the company's legitimate interest to process this data in order to enforce a debt claim against the customer. In its decision, the NAIH emphasised that the customer’s phone number is not necessary for the purpose of debt collection because the creditor can also communicate with the debtor by post. Consequently, keeping the phone number of the debtor was against the principles of data minimisation and purpose limitation. As per the law, the assessed fine was based on 0.025% of the company's annual net revenue.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "GDPR DPA: Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)",
    "language": "en"
  },
  {
    "id": "ETid-280",
    "title": "GDPR Fine: Kymen Vesi Oy — Deputy Data Protection Ombudsman (Finland)",
    "authors": [
      "Deputy Data Protection Ombudsman"
    ],
    "date": "2020-05-22",
    "platform": "GDPR Enforcement Tracker",
    "sourceUrl": "https://www.enforcementtracker.com/ETid-280",
    "pdfUrl": "https://tietosuoja.fi/documents/6927448/22406974/Työntekijöiden+sijaintitietojen+käsittely+ja+vaikutustenarviointi.pdf/2d04e545-d427-8a0d-3f4d-967de7b428ac/Työntekijöiden+sijaintitietojen+käsittely+ja+vaikutustenarviointi.pdf",
    "doi": "",
    "abstract": "Fine: €16,000 | Articles: Art. 35 GDPR | Non-compliance with general data processing principles | Fine for failure to carry out a data protection impact assessment ('DPIA') for the processing of location data of employees with a vehicle information system",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "GDPR DPA: Deputy Data Protection Ombudsman",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3001520357",
    "title": "Daños por infracciones del derecho a la protección de datos personales. El remedio indemnizatorio del artículo 82 RGPD",
    "authors": [
      "Antoni Rubí Puig"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "https://dialnet.unirioja.es/servlet/articulo?codigo=6731461",
    "pdfUrl": "",
    "doi": "",
    "abstract": "espanolEste trabajo analiza el regimen juridico de las acciones por danos y perjuicios establecido en el articulo 82 del Reglamento (UE) 2016/679 General de Proteccion de Datos (RGPD). Con arreglo a este precepto, los individuos que han sufrido danos patrimoniales o no patrimoniales como consecuencia de una infraccion de las normas sobre proteccion de datos personales tienen derecho a ser indemnizados por el responsable o el encargado del tratamiento danoso. El trabajo proporciona una discusion de los requisitos de responsabilidad previstos en el articulo 82 RGPD, con especial atencion a las cuestiones relativas a la legitimacion activa y pasiva, pluralidad de responsables, tipologia de danos resarcibles, y exclusiones de responsabilidad. EnglishThe legal regime for damages actions established under article 82 of Regulation (EU) 2016/679 (General Data Protection Regulation (GDPR)) is analyzed. Pursuant to this provision, individuals who have suffered material or non-material damage as a result of an infringement of data protection norms are entitled to receive compensation from the controller or processor for the damage suffered. This essay provides a discussion of the liability requirements under article 82 GDPR, focusing on legal standing, plurality of tortfeasors, typologies of harm and their compensability, and liability defenses.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Revista de Derecho Civil",
    "language": "es"
  },
  {
    "id": "https://openalex.org/W2909137049",
    "title": "Datos personales y anonimidad en Bitcoin: Estudio acerca de la existencia de datos personales y datos anónimos según el Reglamento General de Protección de Datos (RGPD)",
    "authors": [
      "José Martínez Hernández"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "https://dialnet.unirioja.es/servlet/articulo?codigo=6673778",
    "pdfUrl": "",
    "doi": "",
    "abstract": "espanolEn el advenir de las nuevas tecnologias de contabilidad distribuida y la nueva regulacion de proteccion de datos, presentamos una obra que se dirige a dar respuesta a una cuestion de gran relevancia que, no obstante, no ha sido todavia objeto de un estudio minucioso. El white paper de Bitcoin fue publicado en 2008 y, el 12 de enero de 2009 se realizo la primera transaccion. Desde entonces, la blockchain de Bitcoin no ha dejado de registrar transacciones de sus usuarios. Debido a la naturaleza publica y casi inmutable de este protocolo, toda esa informacion financiera es accesible para todos, y para siempre. En este trabajo investigamos si los datos que contiene la cadena de bloques de Bitcoin acerca de sus usuarios, deben ser considerados datos de caracter personal o datos anonimos, en el sentido del Reglamento General de Proteccion de Datos. Con ese objetivo en mente, hemos considerado apropiado seguir el esquema propuesto por el Grupo de Trabajo del Articulo 29 en el Dictamen 4/2007 sobre el concepto de datos personales, pues representa un estandar de referencia en Europa. EnglishIn the advent of new distributed ledger technologies and the new data protection regulation, we publish a work that aims to answer a question of great relevance that, however, has not been yet studied thoroughly. Bitcoin’s white paper was published in 2008 by Satoshi Nakamoto and, on 12 January 2009, the first transaction took place. Since then, Bitcoin’s blockchain has been constantly registering transactions of its users. Due to the public and almost immutable nature of this protocol, all that financial information is accessible to everyone, and forever. In this paper, we research whether the information registered within the Bitcoin’s blockchain about the users should be deemed as personal data or anonymous data, pursuant to the General Data Protection Regulation. 
With that goal in mind, we have considered appropriate to follow the scheme of the Article 29 Working Party’s Opinion 4/2007 on the concept of personal data, since it represents a standard of reference in Europe.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Revista Aranzadi de derecho y nuevas tecnologías",
    "language": "es"
  },
  {
    "id": "https://openalex.org/W2810571607",
    "title": "Los nuevos y los renovados Derechos en Protección de Datos en el RGPD, así como sus limitaciones",
    "authors": [
      "Miguel Recio Gayo"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "https://dialnet.unirioja.es/servlet/articulo?codigo=6437475",
    "pdfUrl": "",
    "doi": "",
    "abstract": "espanolEl Reglamento General de Proteccion de Datos (RGPD) refuerza los derechos que ya se habian reconocido al titular de los datos personales e introduce nuevos derechos, los de limitacion del tratamiento y portabilidad. El objetivo de esta actualizacion es dar a la persona fisica el control sobre sus datos personales. No obstante, los derechos de los interesados estan tambien sujetos a limitaciones cuyo objeto es salvaguardar otros intereses juridicos. EnglishThe General Data Protection Regulation (GDPR) reinforces the rights that had been already recognized to the data subject and introduces new rights. The purpose of this update is to give the data subject control over his or her personal data. Nevertheless, the rights of the data subjects are also subject to limitations whose purpose is to safeguard other legal interests.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Actualidad civil",
    "language": "es"
  },
  {
    "id": "https://openalex.org/W2908027724",
    "title": "Daños por infracciones del derecho a la protección de datos personales. El remedio indemnizatorio del artículo 82 RGPD / Liability for Data Protection Law Infringements. Compensation of Damages under Article 82 GDPR",
    "authors": [
      "Antoni Rubí Puig"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "https://nreg.es/ojs/index.php/RDC/article/download/354/321",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Este trabajo analiza el regimen juridico de las acciones por danos y perjuicios establecido en el articulo 82 del Reglamento (UE) 2016/679 General de Proteccion de Datos (RGPD). Con arreglo a este precepto, los individuos que han sufrido danos patrimoniales o no patrimoniales como consecuencia de una infraccion de las normas sobre proteccion de datos personales tienen derecho a ser indemnizados por el responsable o el encargado del tratamiento danoso. El trabajo proporciona una discusion de los requisitos de responsabilidad previstos en el articulo 82 RGPD, con especial atencion a las cuestiones relativas a la legitimacion activa y pasiva, pluralidad de responsables, tipologia de danos resarcibles, y exclusiones de responsabilidad.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Revista de Derecho Civil",
    "language": "es"
  },
  {
    "id": "https://openalex.org/W3118436379",
    "title": "Lost in Translation: how to Protect Whistleblower from Translated GDPR in France",
    "authors": [
      "Isabelle Cadet"
    ],
    "date": "2020",
    "platform": "OpenAlex",
    "sourceUrl": "https://aisel.aisnet.org/icis_risques2020/3",
    "pdfUrl": "https://aisel.aisnet.org/cgi/viewcontent.cgi?article=1002&context=icis_risques2020",
    "doi": "",
    "abstract": "The conflict of standards arises in these terms: the Global Data Protection Regulation (GDPR) requires in its article 5-1-e) that the data be kept for “a period not exceeding that necessary with regard to the purposes for which they are processed”. The CNIL (Commission Informatique et Libertés) in France imposes destruction 2 months after the closure of the file. But the company, in this case, Le Groupe La Poste retains its data longer, in order to protect the whistleblower against any reprisals. A period of 6 months is often recommended by the company. How to resolve this conflict of standards which is coupled with an ethical dilemma?\\nLe conflit de normes se pose en ces termes : le RGPD impose dans son article 5-1-e) que les données soient conservées pour « une durée n’excédant pas celle nécessaire au regard des finalités pour lesquelles elles sont traitées ». La CNIL impose une destruction 2 mois après la clôture du dossier. Mais l’entreprise, en l’espèce, Le Groupe La Poste conserve ses données plus longtemps, afin d’assurer la protection du lanceur d’alerte contre toutes représailles. Un délai de 6 mois est souvent préconisé par l’entreprise. Comment résoudre ce conflit de normes qui se double d’un dilemme éthique ?",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Journal of the Association for Information Systems",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2962779449",
    "title": "Appunti su GDPR e biblioteche",
    "authors": [
      "Giuseppe Pavoletti"
    ],
    "date": "2019",
    "platform": "OpenAlex",
    "sourceUrl": "https://riviste.aib.it/index.php/vedianche/article/download/11938/11376",
    "pdfUrl": "https://riviste.aib.it/index.php/vedianche/article/download/11938/11376",
    "doi": "",
    "abstract": "Il regolamento UE 2016/679, generalmente citato come GDPR o RGPD (rispettivamente da General Data Protection Regulation e Regolamento Generale per la Protezione dei Dati ) , disciplina in tutta l’Unione Europa il trattamento dei dati di persone fisiche. In Italia inoltre e ancora in vigore, anche se fortemente rimaneggiato, il precedente Decreto Legislativo 196/2003 generalmente noto come Codice della privacy",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.625,
    "venue": "Vedi anche",
    "language": "it"
  },
  {
    "id": "doaj:f3527584cbf44a4ba619ae62dfe830d6",
    "title": "NLP-Assisted Blockchain Framework for Data Residency and Transfer Regulation in Multicloud Environment",
    "authors": [
      "Arun Kumar B. R.",
      "Komala R.",
      "Shreyas A.",
      "Mahadeshwara Prasad"
    ],
    "date": "2026",
    "platform": "doaj",
    "sourceUrl": "http://dx.doi.org/10.1155/jece/2119261",
    "pdfUrl": "",
    "doi": "10.1155/jece/2119261",
    "abstract": "International data transfer (IDT) regulations are significant for secure cloud adoption, establishing requirements for transparency, data sovereignty, and legal accountability in line with global frameworks such as the GDPR, CCPA, and Digital Personal Data Protection Act (DPDPA). Present solutions lack the capacity for scalable compliance monitoring and fail to provide reliable traceability across multiple jurisdictions. This paper proposes a unified compliance framework that combines natural language processing (NLP) with blockchain-enforced smart contracts. At its core, a fine-tuned Legal-BERT model, enhanced by heuristic rules, automatically assesses cloud data–sharing agreements, classifying clauses as legally sound, ambiguous (requiring review), or noncompliant. Based on this analysis, an autonomous decision engine recommends approval, manual intervention, or rejection of the transfer. Successful (compliant) transfers are managed via Polygon-based smart contracts, which guarantee secure, automated execution and generate immutable audit logs containing detailed clause evaluations, unique transfer identifiers, and time-stamped metadata. Furthermore, recipient-side verification protocols are implemented to confirm adherence to local regulatory mandates. By synergistically leveraging the interpretability of NLP with the auditability of blockchain technology, this framework significantly reduces manual oversight, enhances stakeholder trust, and delivers a scalable, regulation-compliant solution for automated cross-border data transfer compliance in modern cloud ecosystems.",
    "topics": [
      "jurisdiction_regulatory",
      "data_anonymization",
      "power_knowledge_asymmetry",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.621,
    "venue": "Journal of Electrical and Computer Engineering",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::4df47fc7b5fedc778c2da3cba4d7b40e",
    "title": "Eyre.ai: Enabling European Digital Sovereignty with Privacy-First AI Collaboration Platform Design",
    "authors": [
      "Habriiel, Yuliia"
    ],
    "date": "2025-09-07",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.5281/zenodo.17071904",
    "pdfUrl": "",
    "doi": "10.5281/zenodo.17071904",
    "abstract": "This document, eyre.ai: Enabling European Digital Sovereignty with Privacy-First AI Collaboration Platform Design, introduces the technical and regulatory foundations of eyre.ai sovereign meeting and collaboration platform. It demonstrates how privacy-first architecture and compliance-by-design approaches can directly support Europe’s digital sovereignty goals.  The framework details three core pillars:      Privacy-first architecture: End-to-end encryption, data minimisation, and sovereign European hosting.     Compliance integration: Built-in alignment with GDPR, the Digital Services Act (DSA), and the EU AI Act, including mechanisms for traceability, audit trails, and high-risk AI system monitoring.     Sovereign infrastructure design: Reducing dependency on non-European providers while strengthening resilience and trust in critical collaboration systems.    By combining technical innovation with regulatory alignment, Eyre.ai positions itself as an alternative to global incumbents, offering enterprises and institutions secure and compliant tools for meetings, knowledge sharing, and AI-assisted productivity.The report presents Eyre.ai as a strategic enabler of European digital sovereignty, providing an alternative to non-European platforms while embedding regulatory compliance and privacy at the core of system design.  This report is intended for policymakers, researchers, regulators, and technology partners as a reference for operationalising European regulatory principles into practical, enterprise-ready systems.  Disclaimer: This abstract is for information and research purposes only and does not replace independent legal or compliance advice.",
    "topics": [
      "privacy_engineering",
      "ai_governance",
      "jurisdiction_regulatory",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations",
      "Solutions Market"
    ],
    "relevanceScore": 0.621,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:5055480",
    "title": "Federated Learning for Secure Genomic Research: Privacy-Preserving AI Solutions for Precision Medicine",
    "authors": [
      "Alex Mathew",
      "Hannah Alex"
    ],
    "date": "2025-04-15",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-05055480v1",
    "pdfUrl": "",
    "doi": "10.9734/bpi/stda/v9/5116",
    "abstract": "The applications of AI technology in genomic research are increasing, and as centralized AI models need to be trained on aggregated raw genomic data, federated learning (FL), which is inherently a privacy-preserving AI approach, has evolved. Importantly, FL enables multiple institutions to jointly train machine learning models without transmitting raw genomic datasets out of the source institution. Nonetheless, it complies with the most intensive data protection laws, such as the GDPR, HIPAA, or PIPL. This paper recognizes FL in promoting the cybersecurity of genomic data and analyzes its potential for counteracting the non-compliance with individual genomic data privacy by first examining a fundamental optimization algorithm for fitting decentralized models, Federated Averaging. It also covers techniques for preserving privacy, such as Homomorphic Encryption and Differential Privacy. For one, HE is about performing encrypted computations on genomic data to mitigate the risk of adversarial inference attacks, while DP injects carefully designed noise into model updates to alleviate risks of data reconstruction and membership inference attacks. In addition, the paper comments on the ethical and regulatory aspects of genomic FL, such as data ownership, cybersecurity hazards of training on sensitive data, and the trustworthiness of the produced models. It also draws attention to critical future research areas: hybrid encryption methods, quantum-safe cryptographic protocols, and cross-compatibility standards to improve the effectiveness of FL over dissimilar genomic data. These developments represent the beginning of the potential for transforming genomic AI research while preserving privacy using FL.",
    "topics": [
      "privacy_engineering",
      "data_anonymization",
      "sector_healthcare",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Health & Genomic PII",
      "Solutions Market"
    ],
    "relevanceScore": 0.621,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.36948/ijfmr.2025.v07i04.50414",
    "title": "AI Ethics Compliance System (AECS)",
    "authors": [
      "Prapti Sharma"
    ],
    "date": "2025-07-24",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.36948/ijfmr.2025.v07i04.50414",
    "pdfUrl": "",
    "doi": "10.36948/ijfmr.2025.v07i04.50414",
    "abstract": "<jats:p>Artificial intelligence (AI) technologies are being used at a rapid pace, which has created previously unnoticed ethical difficulties that call for creative solutions to guarantee adherence to moral principles. This research paper presents the AI Ethics Compliance System (AECS), a cutting-edge system that combines smart contracts, blockchain technology, and AI governance mechanisms to address enduring ethical issues in AI, such as privacy assurance, transparency, and bias mitigation. AECS creates a scalable and adaptable ethical auditing layer for AI systems by combining real-time bias monitoring, immutable decision logging, and automated regulatory compliance enforcement in a way that is not possible with other solutions. With the goal to overcome current throughput and latency limits, the framework stands out for its hybrid blockchain architecture, support for smart contract-based legal adaptation, and modular design. When compared to well-known solutions like IBM's AI Fairness 360, AECS can perform better in terms of auditability and compliance accuracy. When tested using common benchmark datasets and metrics, prototype implementations in high-stakes applications—like facial recognition and medical diagnostics—show that AECS can increase compliance rates by up to 30%. Furthermore, with built-in capabilities for dynamic legal updates and jurisdictional variation, AECS is created in accordance with international regulatory frameworks such as the GDPR and the EU AI Act. These results highlight the potential of AECS as a strong compliance framework that can connect the progress of technical AI with changing legal and ethical standards.</jats:p>",
    "topics": [
      "biometric_surveillance",
      "ai_governance",
      "jurisdiction_regulatory",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.621,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|od______3443::31dcaf38b381b3c275438f977026399f",
    "title": "Federated Learning and Privacy-Preserving Artificial Intelligence",
    "authors": [
      "Yeddla, Naga Sai Bhaskar Naveen"
    ],
    "date": "2024-01-01",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=50|od______3443::31dcaf38b381b3c275438f977026399f",
    "pdfUrl": "",
    "doi": "",
    "abstract": "This research integrates federated learning with privacy-preserving techniques, specifically differential privacy and homomorphic encryption, to enhance credit card fraud detection. Traditional models are generally centralized and, therefore, suffer from considerable challenges related to privacy risk and regulatory compliance, including GDPR. Federated learning is a decentralized approach whereby models can be trained across distributed datasets without sharing raw data. This paper analyzes two types of financial transactional datasets one real and one artificial using machine learning approaches, including random forests and gradient boosting. The study examines how neural network methods are applied in both federated and centralized data settings. The key findings present strong fraud detection rates using Federated Supervised Deep Learning (FSDL), almost identically for all datasets. This approach also provides improved data confidentiality and privacy security. Enhanced methods include differential and homomorphic encryption; these provide robust protection but with higher computational costs. These findings point out the urgent need for optimization to reduce computational overhead. Therefore, this work is a very good trade-off between fraud detection performance and compliance with the constraints of privacy. Thus, this will be the contribution of this work towards ethical AI applications in finance.",
    "topics": [
      "privacy_engineering",
      "data_anonymization",
      "ai_governance",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.621,
    "venue": "",
    "language": "en"
  },
  {
    "id": "s2:5c358766062372b822588e8b8aea6ba15abd2418",
    "title": "A Model of Achieving Safe Interoperability of Medical Data in the Private Sector of Health Care in Romania",
    "authors": [
      "M. Rac-Albu",
      "Marius Rac-Albu"
    ],
    "date": "2019-09-30",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/5c358766062372b822588e8b8aea6ba15abd2418",
    "pdfUrl": "https://doi.org/10.12948/issn14531305/23.3.2019.08",
    "doi": "10.12948/issn14531305/23.3.2019.08",
    "abstract": "The lack of interoperability in the private sector of medical services in Romania represents a big gap in completing a medical file for a patient who uses both private and public medical services. In this article is presented a model of an interoperable medical system in private medical services. This system has standardized medical documents (in conceptions) and interoperable medical documents (using documents interoperability standards). These are two different items, the first ones are referring to gathering the same medical records for all the patients for every medical field (e.g.: cardiology, dermatology etc.) and the second ones are referring to transport standards like HL7/CDA (Health Level 7/Digital Imaging and Communications in Medicine). This new designed system has a big focus on protecting the personal data of the patients by respecting the European Law about personal data sharing (General Data Protection Regulation-GDPR) specially article no. 26 which requires pseudonymization and anonymization of personal da and medical records. [1]",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.608,
    "venue": "Informatică economică",
    "language": "en"
  },
  {
    "id": "doaj:b4fa98c7ec1e47369e7ae934d516a97e",
    "title": "Does the EU’s Digital Sovereignty Promote Localisation in Its Model Digital Trade Clauses?",
    "authors": [
      "Elaine Fahey"
    ],
    "date": "2023",
    "platform": "doaj",
    "sourceUrl": "https://www.europeanpapers.eu/en/europeanforum/does-eu-digital-sovereignty-promote-localisation",
    "pdfUrl": "",
    "doi": "10.15166/2499-8249/670",
    "abstract": "(Series Information) European Papers - A Journal on Law and Integration, 2023 8(2), 503-511 | European Forum Insight of 27 July 2023 | (Table of Contents) I. Overview. - II. On EU data localisation: On meaning, form and content. - III. The landmark transatlantic data transfer caselaw and framework - framing soft localisation? - IV. The EU’s model horizontal clauses and localisation clauses in digital trade. - V. Conclusions. | (Abstract) The EU increasingly advocates a message of tech or digital sovereignty as its future, which appears to align closely with the concept of strategic autonomy. Arguably digital sovereignty has a highly differentiated understanding in the EU as opposed to the US or China. Increasingly, many suggest EU digital sovereignty in the era of the GDPR is a high protectionist idea. Yet the EU has determined that external relations should not be at the cost of sacrificing EU data protection standards. The links of sovereignty to localisation in the context of digital trade are increasingly problematic for the EU as it seeks to reconcile high standards in the post GDPR era. The EU faced complex critique for the CJEU Schrems II ruling, for the emphasis that it places upon data localisation directly or indirectly and the manner in which it appears to awkwardly champion digital sovereignty, particularly where several EU member states practice similar levels of surveillance. The EU has developed model clauses in digital trade balancing its high GDPR standards and its external relations ambitions. The piece considers the concepts of localisation as a development of digital sovereignty in the EU’s international economic law trajectory. Arguably, the model clauses here turn out to be a template of flexibility not absolutism. 
Whether the EU’s model horizontal clauses reconciling the GDPR and international economic law goals cause difficult for future public policy or ultimately undermine the EU’s goals as to liberalising data flows remains to be seen.",
    "topics": [
      "jurisdiction_regulatory",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.608,
    "venue": "European Papers",
    "language": "en"
  },
  {
    "id": "europepmc:PPR996810",
    "title": "Federated Learning for Heterogeneous Data Integration and Privacy Protection",
    "authors": [
      "Gong C",
      "Zhang X",
      "Lin Y",
      "Lu H",
      "Su P",
      "Zhang J."
    ],
    "date": "2025-03-28",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.20944/preprints202503.2211.v1",
    "pdfUrl": "https://doi.org/10.20944/preprints202503.2211.v1",
    "doi": "10.20944/preprints202503.2211.v1",
    "abstract": "Federated learning (FL) represents a promising approach that enables the collaborative training of machine learning models without compromising data privacy. This approach is particularly advantageous when handling heterogeneous data dispersed across numerous institutions or devices, as centralized data aggregation is often constrained by privacy concerns and data regulations. In order to address the challenges posed by heterogeneous data, we have devised an adaptive data integration mechanism. This mechanism maps the features of disparate data sources to a unified feature space through the use of feature alignment technology, thereby facilitating the effective fusion of data. This fusion is achieved through the application of statistical alignment and multi- perspective learning technology. Furthermore, in order to safeguard the confidentiality of data, we integrate differential privacy and homomorphic encryption techniques, thereby preventing the disclosure of information during model updates and data transfers. Furthermore, a multi-level privacy protection strategy is proposed, which employs de-identification, secure multi-party computation, and federated averaging technologies at the three stages of data preprocessing, model training, and result aggregation, respectively. This approach ensures data security and facilitates effective model updates. The experimental results demonstrate that the proposed framework exhibits enhanced model performance and robustness in comparison to traditional federated learning methods on a multitude of real-world heterogeneous datasets.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.608,
    "venue": "",
    "language": "de"
  },
  {
    "id": "https://openalex.org/W4323349011",
    "title": "A Unified Framework for Quantifying Privacy Risk in Synthetic Data",
    "authors": [
      "M. Giomi",
      "Franziska Boenisch",
      "Christoph Wehmeyer",
      "Borbála Tasnádi"
    ],
    "date": "2023",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.56553/popets-2023-0055",
    "pdfUrl": "https://petsymposium.org/popets/2023/popets-2023-0055.pdf",
    "doi": "https://doi.org/10.56553/popets-2023-0055",
    "abstract": "Synthetic data is often presented as a method for sharing sensitive information in a privacy-preserving manner by reproducing the global statistical properties of the original data without dis closing sensitive information about any individual. In practice, as with other anonymization methods, synthetic data cannot entirely eliminate privacy risks. These residual privacy risks need instead to be ex-post uncovered and assessed. However, quantifying the actual privacy risks of any synthetic dataset is a hard task, given the multitude of facets of data privacy. We present Anonymeter, a statistical framework to jointly quantify different types of privacy risks in synthetic tabular datasets. We equip this framework with attack-based evaluations for the singling out, linkability, and inference risks, which are the three key indicators of factual anonymization according to data protection regulations, such as the European General Data Protection Regulation (GDPR). To the best of our knowledge, we are the first to introduce a coherent and legally aligned evaluation of these three privacy risks for synthetic data, as well as to design privacy attacks which model directly the singling out and linkability risks. We demonstrate the effectiveness of our methods by conducting an extensive set of experiments that measure the privacy risks of data with deliberately inserted privacy leakages, and of synthetic data generated with and without differential privacy. Our results highlight that the three privacy risks reported by our framework scale linearly with the amount of privacy leakage in the data. Furthermore, we observe that synthetic data exhibits the lowest vulnerability against linkability, indicating one-to-one relationships between real and synthetic data records are not preserved. 
Finally, with a quantitative comparison we demonstrate that Anonymeter outperforms existing synthetic data privacy evaluation frameworks both in terms of detecting privacy leaks, as well as computation speed. To contribute to a privacy-conscious usage of synthetic data, we publish Anonymeter as an open-source library (https://github.com/statice/anonymeter).",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.608,
    "venue": "Proceedings on Privacy Enhancing Technologies",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::f2ea9f1d3e89ad6729dd56691286508d",
    "title": "A novel privacy-preserving data sharing system based on attributed-based encryption and zero knowledge proof",
    "authors": [
      "Shivani"
    ],
    "date": "2025-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.5525/gla.thesis.85038",
    "pdfUrl": "",
    "doi": "10.5525/gla.thesis.85038",
    "abstract": "The exponential growth of digital data across various sectors, such as healthcare, finance, and e-commerce, has underscored critical concerns regarding data privacy, security, and ownership. Centralised data storage systems are inherently vulnerable to cyber-attacks, raising significant privacy risks and compliance challenges, despite regulatory frameworks like the General Data Protection Regulation (GDPR). This research introduces a decentralised, privacy-preserving data-sharing framework leveraging blockchain technology, Ciphertext-Policy Attribute-Based Encryption (CP-ABE), and Zero-Knowledge Proofs (ZKP).    By employing CP-ABE, the proposed system enables fine-grained access control, ensuring that only authorised entities can access sensitive data based on specified attributes. The integration of Zero-Knowledge Proofs preserves user privacy by allowing verification of access rights without revealing the underlying attributes. The system architecture is underpinned by decentralised storage, with smart contracts managing secure access verification.    Performance evaluations demonstrate that the system effectively handles dynamic policies and attribute sets, demonstrating its adaptability to real-world applications. This framework represents a significant advancement in privacy-preserving data-sharing technologies, offering a scalable and secure solution for safeguarding sensitive users’ attributes in decentralised environments.",
    "topics": [
      "gdpr_compliance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.608,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.56355/ijfrms.2025.5.1.0036",
    "title": "Challenges and conceptualizing AI-powered privacy risk assessments: Legal models for U.S. data protection compliance",
    "authors": [
      "Grace Annie Chintoh",
      "Osinachi Deborah Segun-Falade",
      "Chinekwu Somtochukwu Odionu",
      "Amazing Hope Ekeh"
    ],
    "date": "2025-02-28",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.56355/ijfrms.2025.5.1.0036",
    "pdfUrl": "",
    "doi": "10.56355/ijfrms.2025.5.1.0036",
    "abstract": "The rapid evolution of artificial intelligence (AI) has transformed privacy risk assessments, offering innovative tools to address complex compliance challenges in the United States. However, the integration of AI into privacy risk management raises significant issues, including algorithmic transparency, bias, and adaptability to dynamic regulatory landscapes such as those shaped by the California Consumer Privacy Act (CCPA) and the Gramm-Leach-Bliley Act (GLBA). This paper explores these challenges and proposes a conceptual framework for AI-powered dynamic data protection models. The proposed framework emphasizes real-time risk monitoring, scalability across industries, and mechanisms for ensuring algorithmic accountability. It also examines legal models that align with the framework, integrating existing U.S. data protection laws and harmonizing with international standards such as the General Data Protection Regulation (GDPR). The paper concludes with actionable recommendations for regulators, organizations, and AI developers to foster ethical and adaptive approaches to data protection, ensuring compliance and trust in a rapidly evolving regulatory environment.",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.608,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.36948/ijfmr.2024.v06i04.24821",
    "title": "Security and Privacy Challenges in Software as a Service (SaaS)",
    "authors": [
      "TAIYAB KHAN",
      "SHAKIR ALI IDRISI",
      "SAQUIB KHAN"
    ],
    "date": "2024-07-20",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.36948/ijfmr.2024.v06i04.24821",
    "pdfUrl": "",
    "doi": "10.36948/ijfmr.2024.v06i04.24821",
    "abstract": "In the rapidly evolving landscape of cloud computing, Software as a Service (SaaS) has emerged as a dominant model for delivering software applications over the internet. However, this model introduces significant security and privacy challenges. This research paper delves into these issues, highlighting the unique risks associated with SaaS platforms. The study explores common vulnerabilities such as data breaches, unauthorized access, data loss, and identity theft, which are exacerbated by the centralized nature of SaaS solutions where data is stored on remote servers managed by service providers. To address these challenges, the paper underscores the importance of robust security measures, including encryption, access controls, and secure software development practices. Additionally, it emphasizes the necessity for SaaS providers to adopt advanced privacy protection techniques like data anonymization and differential privacy to meet user expectations and comply with stringent legal regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Through a comprehensive review of literature and analysis of current SaaS security practices, the research identifies critical risks and provides strategic recommendations for enhancing security and privacy in SaaS environments. By integrating multiple layers of security throughout the software development lifecycle, enforcing strict access management protocols, and ensuring compliance with regulatory standards, SaaS providers can significantly mitigate risks and safeguard sensitive user data. The findings of this study highlight the imperative for continuous improvement in SaaS security strategies to keep pace with emerging threats and technological advancements. 
Ultimately, by prioritizing security and privacy, SaaS providers can not only protect their users but also gain a competitive edge in the increasingly crowded market of cloud services.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.608,
    "venue": "",
    "language": "en"
  },
  {
    "id": "europepmc:40541389",
    "title": "Health and Health-Related Connected Objects: Regulatory Intersections, Grey Zones and Blind Spots.",
    "authors": [
      "Nordberg A",
      "Eskenazy D",
      "Holmberg P."
    ],
    "date": "2025-06-19",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1163/15718093-bja10149",
    "pdfUrl": "",
    "doi": "10.1163/15718093-bja10149",
    "abstract": "The present paper explores legal issues concerning connected objects used for health or health-related purposes and their corresponding usage of health and health-related data. It focuses on a patient/healthcare-user-centred perspective and researches the EU legal framework for health data and health-related data. Arguing that the legal framework, as recently complemented with the European Health Data Space (EHDS) Act, is plagued by complex intersections, between this recently enacted legislation and various other legal instruments, e.g. Medical Device Regulation (MDR), General Data Protection Regulation (GDPR), Data Act, Data Governance Act, Artificial Intelligence Act, etc. Furthermore, the legal framework applicable to health and health-related connected objects also contains several grey zones (i.e. areas of legal uncertainty concerning interpretation and applicability of existing norms), and unintended blind spots (i.e. areas potentially left untouched by the existing frameworks). The paper focuses on data quality, acceptability of connected objects, availability and accessibility of data, as well as the overarching topic of privacy and data protection. Concluding that, examined in conjunction, existing regulatory safeguards and certification mechanisms do not offer sufficient protection and simultaneously result in an excessively complex, cumbersome and opaque regulatory framework that has underestimated the specific needs of users in the health and health-related sectors.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.608,
    "venue": "European journal of health law",
    "language": "en"
  },
  {
    "id": "pubmed:32570559",
    "title": "Legal and Ethical Issues in Secondary Use of Administrative Health Data: The Case of Latvian Healthcare Monitoring Datalink.",
    "authors": [
      "Mezinska, Signe",
      "Buka, Arnis",
      "Bankava, Agnese",
      "Barzdins, Juris"
    ],
    "date": "2020-06-16",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.3233/SHTI200340",
    "pdfUrl": "",
    "doi": "10.3233/SHTI200340",
    "abstract": "The paper presents analysis of the legal and ethical issues surrounding establishment of the Latvian Healthcare Monitoring Datalink. The paper covers three interconnected issues in the context of the use of administrative health data for research purposes - anonymization of data, concept of 'public interest' and involvement of research ethics committees. The analysis has been put into broader context of interaction between General Data Protection Regulation (GDPR), national legislative measures and practical needs of researchers. Neither GDPR, nor Latvian legal framework regulate the particularities on the use of potentially identifiable health data in research. Also, the practical use of 'public interest' as a basis for lawful processing of personal data concerning health for research purposes is not clear. More extended involvement of research ethics committees might serve as a useful tool for determining the 'public interest' and for the evaluation of proportionality when balancing the aims of the research and the personal data protection.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.608,
    "venue": "Studies in health technology and informatics",
    "language": "en"
  },
  {
    "id": "doaj:ccf62808619e40e5a7f2e470124b8c5d",
    "title": "Cross-Chain Identity Authentication Method Based on Relay Chain",
    "authors": [
      "Qipeng Huang",
      "Minsheng Tan",
      "Wenlong Tian"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://www.mdpi.com/2078-2489/16/1/27",
    "pdfUrl": "",
    "doi": "10.3390/info16010027",
    "abstract": "The cross-chain identity authentication method based on relay chains provides a promising solution to the issues brought by the centralized notary mechanism. Nonetheless, it continues to encounter numerous challenges regarding data privacy, security, and issues of heterogeneity. For example, there is a concern regarding the protection of identity information during the cross-chain authentication process, and the incompatibility of cryptographic components across different blockchains during cross-chain transactions. We design and propose a cross-chain identity privacy protection method based on relay chains to address these issues. In this method, the decentralized nature of relay chains ensures that the cross-chain authentication process is not subject to subjective manipulation, guaranteeing the authenticity and reliability of the data. Regarding the compatibility issue, we unify the user keys according to the identity manager organization, storing them on the relay chain and eliminating the need for users to configure identical key systems. Additionally, to comply with General Data Protection Regulation (GDPR) principles, we store the user keys from the relay chain in distributed servers using the InterPlanetary File System (IPFS). To address privacy concerns, we enable pseudonym updates based on the user’s public key during cross-chain transactions. This method ensures full compatibility while protecting user privacy. Moreover, we introduce Zero-Knowledge Proof (ZKP) technology, ensuring that audit nodes cannot trace the user’s identity information with malicious intent. Our method offers compatibility while ensuring unlinkability and anonymity through thorough security analysis. More importantly, comparative analysis and experimental results show that our proposed method achieves lower computational cost, reduced storage cost, lower latency, and higher throughput. 
Therefore, our method demonstrates superior security and performance in cross-chain privacy protection.",
    "topics": [
      "gdpr_compliance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.608,
    "venue": "Information",
    "language": "en"
  },
  {
    "id": "hal:5130336",
    "title": "A Systematic Review of Privacy-preserving Techniques in Databases",
    "authors": [
      "Nzenwata Uchenna Jeremiah",
      "Durodola Oluwatayofunmi Favour",
      "Ogbeideidialu Jacinta Odion",
      "Enilolobo-Taiwo Abiodun Elizabeth",
      "Ajayi Moyinoluwalogo Oluwatoyosi",
      "Fagbohun Tolulope Oluwadunsin",
      "Yisau Motunrayo Yetunde",
      "Adesuyan Mayowa Emmanuel",
      "Oyediji Toluwalase David",
      "Adetoro Mubarak Adetunji"
    ],
    "date": "2025-06-24",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-05130336v1",
    "pdfUrl": "",
    "doi": "10.9734/ajrcos/2025/v18i7718",
    "abstract": "Aims: This systematic review aims to explore how artificial intelligence (AI) enhances privacy-preserving techniques in database systems, focusing on anonymization, differential privacy, and secure multi-party computation (SMPC), while evaluating their effectiveness in balancing privacy and data utility and identifying implementation challenges. Methodology: A comprehensive search strategy was applied using predefined search strings targeting AI-driven anonymization, differential privacy, and SMPC in database systems. The initial search yielded 62 records, which were screened based on inclusion criteria (peer-reviewed studies published in English between 2020 and 2025, focusing on AI-enhanced privacy-preserving techniques in databases) and exclusion criteria (non-peer-reviewed sources, studies lacking empirical results or database focus). After screening and eligibility assessment, 20 studies were included. Data extraction focused on sub-themes, AI enhancements, application domains, challenges, and effectiveness metrics, followed by qualitative thematic synthesis to address the research questions. Results: Of the 20 included studies, AI-driven anonymization reduced information loss by up to 12% in accuracy improvements using blockchain schemes and lowered execution times, while clustering methods enhanced privacy in social networks. Differential privacy preserved 60.81% data originality while reducing privacy risks by 20.05% in hybrid models. SMPC enabled secure genomic data exploration, with fast Machine learning training (<45 seconds for binary classifiers), and processed 10,000 variables across 20 parties in under 5 minutes using no-code tools. Challenges included scalability issues and privacy-utility trade-offs like excessive noise in biomedical databases. Conclusion: AI significantly enhances privacy-preserving techniques in databases, enabling effective privacy protection with practical utility across healthcare and social networks. 
However, challenges like scalability and privacy-utility trade-offs highlight the need for future research into combined methods and standardized evaluation frameworks to ensure reliable, widespread adoption in database systems.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.608,
    "venue": "Asian Journal of Research in Computer Science",
    "language": "en"
  },
  {
    "id": "s2:36bfe007ba1e8f9cc15b16db46135dbd0b74547c",
    "title": "NLP-based removal of personally identifiable information from Hungarian electronic health records",
    "authors": [
      "András Berzi",
      "Ervin Berényi",
      "Z. Képes",
      "Barnabás Antal",
      "Ábrahám Gergely Varga",
      "Miklós Emri"
    ],
    "date": "2025-05-30",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/36bfe007ba1e8f9cc15b16db46135dbd0b74547c",
    "pdfUrl": "https://europepmc.org/articles/PMC12164641?pdf=render",
    "doi": "10.3389/frai.2025.1585260",
    "abstract": "Introduction Electronic health records (EHR) in text format serve as crucial resources for data-driven medical research. To safeguard patient confidentiality, under the General Data Protection Regulation (GDPR), strict measures are required to ensure personal data is anonymized or pseudonymized to protect individual privacy. Natural language processing has consistently proven effective in automating the de-identification of sensitive information. Methods We present spaCy models to recognize personally identifiable information (PII) from a wide range of free-text medical records written in Hungarian, a low-resource language. To develop this model, we compiled a corpus of clinical documents by annotating sensitive information within electronic health records sourced from the University of Debrecen. To simplify the annotation process, we pre-annotated the documents using a rule-based method. The corpora comprises over 15,000 documents and includes more than 90,000 instances of PII. We trained several models using this corpus and also developed a separate validation corpus to assess their performance. Results The performance evaluation of the de-identification models on the developed corpora resulted in F1-scores ranging from 0.9697 to 0.9926. On the validation corpora, the F1-scores ranged from 0.9772 to 0.9867, demonstrating that the models can effectively handle previously unseen examples. Our risk analysis revealed that 99.67% of the sensitive information was successfully removed from the validation dataset. Discussion The results indicate that similarly to other state-of-the-art systems our model is highly effective at identifying PII in clinical texts, guaranteeing that sensitive information in clinical documents can be protected without sacrificing the quality or usability of the data for research purposes. 
Despite these positive outcomes, several areas remain to be improved, such as the conduction of additional testing on diverse datasets, particularly those from different healthcare institutions. With ongoing refinements, these models have the potential to greatly enhance the efficiency of data de-identification processes, ensuring compliance with privacy regulations while promoting the secure sharing of medical data for scientific progress.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "sector_healthcare"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.608,
    "venue": "Frontiers Artif. Intell.",
    "language": "en"
  },
  {
    "id": "openaire:10.22214/ijraset.2025.66818",
    "title": "Biometric for Data Protection",
    "authors": [
      "R. K. Poongodi"
    ],
    "date": "2025-02-28",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.22214/ijraset.2025.66818",
    "pdfUrl": "",
    "doi": "10.22214/ijraset.2025.66818",
    "abstract": "Biometric data, including fingerprints, facial recognition, iris scans, and voice patterns, has become a vital tool in various industries, offering enhanced security and streamlined user experiences. However, the use of biometric data raises significant concerns regarding privacy and data protection due to its sensitive nature and potential for misuse. This abstract discusses the importance of protecting biometric data, examining the risks associated with its collection, storage, and processing, as well as the legal frameworks that govern its use. Key regulations such as the General Data Protection Regulation (GDPR) and the Biometric Information Privacy Act (BIPA) set stringent guidelines for organizations to ensure biometric data is collected with explicit consent, securely stored, and properly managed. The abstract also explores the role of encryption, access controls, and privacy policies in mitigating risks and safeguarding individuals' rights. As biometric technologies continue to advance, it is essential that organizations implement comprehensive data protection strategies to prevent unauthorized access, breaches, and misuse while maintaining the trust of individuals. The abstract concludes with an emphasis on the need for continued innovation in both biometric technologies and data protection practices to address emerging challenges and ensure compliance with evolving privacy standards.",
    "topics": [
      "gdpr_compliance",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement"
    ],
    "relevanceScore": 0.608,
    "venue": "International Journal for Research in Applied Science and Engineering Technology",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4396985366",
    "title": "Big data and AI in employment: The dual challenge of workforce replacement and protecting customer privacy in biometric data usage",
    "authors": [
      "Idoko Peter Idoko",
      "Monica Ajuma Igbede",
      "Helena Nbéu Nkula Manuel",
      "Tola Ojemai Adeoye",
      "Francis Adejor Akpa",
      "Chukwunonso Ukaegbu"
    ],
    "date": "2024",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.30574/gjeta.2024.19.2.0080",
    "pdfUrl": "https://gjeta.com/sites/default/files/GJETA-2024-0080.pdf",
    "doi": "https://doi.org/10.30574/gjeta.2024.19.2.0080",
    "abstract": "The integration of Artificial Intelligence (AI) and Big Data is ushering in profound transformations across various industries, with biometric data usage standing out due to its deep implications for workforce dynamics and customer privacy. This review article critically examines the dual challenges presented by AI-driven automation and the extensive use of biometric data analytics, focusing on the resultant job displacement and escalating privacy concerns. Biometric technologies such as facial recognition, fingerprint identification, and voice analysis are increasingly deployed across sectors including finance, healthcare, and retail. These technologies aim to enhance security measures, improve user experience, and optimize operational efficiencies. However, they also bring to light substantial ethical dilemmas, particularly concerning the privacy of individuals and the security of the data being collected. The pervasive collection and analysis of biometric data can lead to invasive surveillance and profiling, exacerbating risks to personal privacy. Moreover, the use of AI in automating tasks that were traditionally performed by human workers is leading to significant shifts in employment structures. While AI can increase efficiency and reduce costs, it also raises the specter of widespread job displacement. This potential for automation-driven unemployment is especially pronounced in sectors that heavily utilize routine, repetitive tasks, posing critical socio-economic challenges. This article also explores the regulatory and technological frameworks currently in place, and those that are needed to address these challenges. The effectiveness of existing data protection laws, such as the General Data Protection Regulation (GDPR) in the European Union, and the California Consumer Privacy Act (CCPA) in the United States, is assessed in the context of AI and biometric data. 
We discuss the role of policy in shaping the ethical use of AI and protecting workers, along with the technological safeguards that could be implemented to secure biometric data and ensure privacy. By synthesizing insights from recent research, case studies, and expert analyses, this article provides a comprehensive overview of how AI and Big Data are reshaping the landscape of work and privacy. It critically discusses the need for a balanced approach that harnesses the benefits of technological advancements while safeguarding individual rights and employment security.",
    "topics": [
      "gdpr_compliance",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement"
    ],
    "relevanceScore": 0.608,
    "venue": "Global Journal of Engineering and Technology Advances",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4392925492",
    "title": "DATA PRIVACY AND SECURITY IN IT: A REVIEW OF TECHNIQUES AND CHALLENGES",
    "authors": [
      "Oluwatoyin Ajoke Fayayola",
      "Oluwabukunmi Latifat Olorunfemi",
      "Philip Olaseni Shoetan"
    ],
    "date": "2024",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.51594/csitrj.v5i3.909",
    "pdfUrl": "https://fepbl.com/index.php/csitrj/article/download/909/1123",
    "doi": "https://doi.org/10.51594/csitrj.v5i3.909",
    "abstract": "In today's interconnected digital world, data privacy and security have emerged as paramount concerns for individuals, organizations, and governments alike. This review provides a comprehensive review of techniques and challenges surrounding data privacy and security in information technology (IT) systems. The review begins by outlining the significance of data privacy and security in IT, emphasizing the proliferation of sensitive information stored and transmitted across various digital platforms. With the exponential growth of data collection, storage, and processing, ensuring the confidentiality, integrity, and availability of data has become imperative. Next, the review delves into the techniques employed to safeguard data privacy and security in IT environments. Encryption techniques, such as symmetric and asymmetric cryptography, play a crucial role in protecting data from unauthorized access and interception. Additionally, access control mechanisms, including authentication and authorization protocols, help manage user privileges and restrict unauthorized entry into sensitive data repositories. Furthermore, anonymization and pseudonymization techniques are utilized to conceal personally identifiable information (PII) and mitigate the risk of identity theft and privacy breaches. Moreover, the review discusses the challenges associated with data privacy and security in IT ecosystems. These challenges include the evolving nature of cyber threats, such as malware, ransomware, and social engineering attacks, which constantly test the resilience of IT defenses. Additionally, compliance with regulatory frameworks, such as the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA), presents significant challenges for organizations striving to adhere to stringent data protection standards while maintaining operational efficiency. 
Furthermore, emerging technologies, such as the Internet of Things (IoT) and artificial intelligence (AI), introduce novel security risks and privacy concerns due to their interconnected nature and reliance on vast amounts of data. In conclusion, the review underscores the critical importance of continuously evaluating and enhancing data privacy and security measures in IT systems to mitigate risks, comply with regulations, and foster trust among stakeholders in an increasingly digitalized world. Keywords: Data, Privacy, Security, IT, AI.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.608,
    "venue": "Computer Science & IT Research Journal",
    "language": "en"
  },
  {
    "id": "s2:6dfc9ef688a571900e75c3881c5a85cc19b925ae",
    "title": "Out of Sight, Out of Mind? Exploring Data Protection Practices for Personal Data in Usable Security & Privacy Studies",
    "authors": [
      "Florin Martius",
      "L. Jansen",
      "Lukas Struck",
      "Arthi Arumugam",
      "Lisa Geierhaas",
      "Anna-Marie Ortloff",
      "Matthew Smith",
      "Christian Tiefenau"
    ],
    "date": "2025-04-25",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/6dfc9ef688a571900e75c3881c5a85cc19b925ae",
    "pdfUrl": "",
    "doi": "10.1145/3706598.3713654",
    "abstract": "Adherence to data protection measures such as pseudonymization or anonymization is critical in human subjects research because it has a direct impact on the confidentiality of participants’ sensitive information, trust in research practices, and compliance with ethical and legal standards. Regulations such as the General Data Protection Regulation (GDPR) and guarantees made by researchers in informed consent forms mandate strict protocols for data security. However, compliance with these is not always straightforward. To gain qualitative insights into data protection practices in the field of Usable Security and Privacy (USP), we conducted interviews with 22 practitioners (five professors, eight researchers, nine data protection officers) and one focus group with five researchers. Overall, our results show a high awareness of ethical and legal responsibilities but highlight many practical and procedural issues. Based on these, we make concrete recommendations on how to improve the protection of personal data in research.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.608,
    "venue": "International Conference on Human Factors in Computing Systems",
    "language": "en"
  },
  {
    "id": "s2:e080ad5127e09fa700d43a248394c0e79d411e23",
    "title": "Reconciliation of anti-money laundering instruments and European data protection requirements in permissionless blockchain spaces",
    "authors": [
      "Iwona Karasek-Wojciechowicz"
    ],
    "date": "2021-01-01",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/e080ad5127e09fa700d43a248394c0e79d411e23",
    "pdfUrl": "https://academic.oup.com/cybersecurity/article-pdf/7/1/tyab004/36538229/tyab004.pdf",
    "doi": "10.1093/cybsec/tyab004",
    "abstract": "This article is an attempt to reconcile the requirements of the EU General Data Protection Regulation (GDPR) and anti-money laundering and combat terrorist financing (AML/CFT) instruments used in permissionless ecosystems based on distributed ledger technology (DLT). Usually, analysis is focused only on one of these regulations. Covering by this research the interplay between both regulations reveals their incoherencies in relation to permissionless DLT. The GDPR requirements force permissionless blockchain communities to use anonymization or, at the very least, strong pseudonymization technologies to ensure compliance of data processing with the GDPR. At the same time, instruments of global AML/CFT policy that are presently being implemented in many countries following the recommendations of the Financial Action Task Force, counteract the anonymity-enhanced technologies built into blockchain protocols. Solutions suggested in this article aim to induce the shaping of permissionless DLT-based networks in ways that at the same time would secure the protection of personal data according to the GDPR rules, while also addressing the money laundering and terrorist financing risks created by transactions in anonymous blockchain spaces or those with strong pseudonyms. Searching for new policy instruments is necessary to ensure that governments do not combat the development of all privacy-blockchains so as to enable a high level of privacy protection and GDPR-compliant data processing. This article indicates two AML/CFT tools which may be helpful for shaping privacy-blockchains that can enable the feasibility of such tools. The first tool is exceptional government access to transactional data written on non-transparent ledgers, obfuscated by advanced anonymization cryptography. The tool should be optional for networks as long as another effective AML/CFT measures are accessible for the intermediaries or for the government in relation to a given network. 
If these other measures are not available and the network does not grant exceptional access, the regulations should allow governments to combat the development of those networks. Effective tools in that scope should target the value of privacy-cryptocurrency, not its users. Such tools could include, as a tool of last resort, state attacks which would undermine the trust of the community in a specific network.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.608,
    "venue": "Journal of Cybersecurity",
    "language": "en"
  },
  {
    "id": "openaire:od_______267::b938fbf91e97d62b961029ba7446e359",
    "title": "[Data processing in secure data processing environments using the example of MRI brain scans-a simultaneous plea for a legal provision for data processing for scientific research purposes].",
    "authors": [
      "Louisa, Specht-Riemenschneider",
      "Bernadette, Heineking"
    ],
    "date": "2024-02-02",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=od_______267::b938fbf91e97d62b961029ba7446e359",
    "pdfUrl": "",
    "doi": "",
    "abstract": "The use of data for medical scientific research offers great potential for society as a whole, as the evaluation of large volumes of data with machine learning methods can result in new research approaches as well as new methods of diagnostics or treatment. However, the use of such data often fails due to high prerequisites or unclear requirements of data protection law.Processing of radiology data, such as MRI brain scans, is tied to specific risks for data subjects. This complicates the processing of such data for research purposes. Data trustees can help to reduce these risks through offering independent anonymization and pseudonymization services as well as secure processing environments in which health data is stored only for the time required for processing and analysis and is subsequently deleted.Thus, the use of data trustees can help to comply with data protection law, with risk-reduction being considered in favor of processing in decisions weighing the interests for and against data processing as necessary to comply with Art. 9 Para. 2 lit. j, Art. 89 Para 1 of the General Data Protection Regulation (GPDR) in conjunction with national law, or when assessing the compatibility of the secondary purpose of the processing with the purpose of collection. In this respect, the use of data trust models can contribute to the reduction of hurdles for the data processing of health data for scientific research purposes.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.608,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:2066832",
    "title": "The US-EU Rivalry for Data Protection: Energy Sector Implications",
    "authors": [
      "Arnault Barichella"
    ],
    "date": "2019-02",
    "platform": "hal",
    "sourceUrl": "https://sciencespo.hal.science/hal-02066832v1",
    "pdfUrl": "https://sciencespo.hal.science/hal-02066832/document",
    "doi": "",
    "abstract": "The energy sector is undergoing a ‘digital revolution’, whereby information and communication technologies (ICTs) are increasingly deployed throughout energy infrastructure, leading to the growing digitization of production, storage and consumption processes. With potentially hundreds of millions of smart meters to be installed in the European Union (EU) and the United States (US) in the coming years, ICTs make it possible to collect and analyze large amounts of complex data to optimize the whole energy system, while providing consumers with a number of customized services. Firms in the energy sector are gradually turning into massive data collectors. As a result, the energy industry is one of the sectors that has been most impacted by the requirements outlined in the EU’s new General Data Protection Regulation (GDPR), launched in May 2018. On March 23rd 2018 however, and perhaps in anticipation of the GDPR, the US Congress ratified the Clarifying Lawful Overseas Use of Data Act (or Cloud Act) as part of the 2018 federal omnibus spending bill. Many of the potential benefits deriving from the GDPR, both from an economic viewpoint and from the perspective of privacy protection, risk being jeopardized by the Cloud Act and the danger of conflicting legislation. Indeed, the Cloud Act makes it lawful for US federal authorities, within the context of an investigation, to compel American technology companies, either through warrant or subpoena, to hand over data stored on their servers and data centers. This applies regardless of whether or not such data is stored on US soil or in a foreign country; the person(s) concerned are not notified and there is no possibility of oversight from judicial authorities in the country where the data is stored. 
The Cloud Act has a direct impact on the energy sector, because energy firms on both sides of the Atlantic have expanded their reliance on Cloud computing technologies to store the large quantity of data they are processing. Overall, the GDPR and the Cloud Act point to an escalation of the transatlantic rivalry for data protection, with major ramifications for the energy sector in the years to come.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.608,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:4930047",
    "title": "ComplOps Research: Navigating the Digital Regulation Revolution",
    "authors": [
      "Afonso Ferreira",
      "Alfredo Goldman"
    ],
    "date": "2025-01-31",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-04930047v1",
    "pdfUrl": "https://hal.science/hal-04930047/document",
    "doi": "",
    "abstract": "<div><p>With the European Union leading a regulatory transformation through laws like the General Data Protection Regulation (GDPR), the Artificial Intelligence Act (AI Act), the Digital Services Act (DSA), and the Cyber Resilience Act (CRA), organizations face unprecedented compliance challenges. In this context, the nascent field of Compliance Operations (ComplOps) is critical for aligning technological systems with ever-evolving regulatory demands. This paper explores how ComplOps can bridge the gap between technological innovation and regulatory requirements, ensuring that compliance is seamlessly embedded into operational workflows. A case study from recent research demonstrates how compliance can be operationalized in AI systems.</p></div>",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.608,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1109/mipro.2015.7160282",
    "title": "In-situ anonymization of big data",
    "authors": [
      "Tomislav Krizan",
      "Marko Brakus",
      "Davorin Vukelic"
    ],
    "date": "2015-05-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1109/mipro.2015.7160282",
    "pdfUrl": "",
    "doi": "10.1109/mipro.2015.7160282",
    "abstract": "With organizations storing and even openly publishing their data for further processing, privacy becomes an issue. Such open data should retain its original structure while protecting sensitive personal data. Our aim was to develop fast and secure software for offline anonymization of (distributed) big data. Herein, we describe speed and security requirements for anonymization systems, popular techniques of anonymization and de-anonymization attacks. We give a detailed description of our software for in-situ anonymization of big data distributed in a cluster tested on a real Telco customer data record (CDR) dataset (dataset size is around 500 GB).",
    "topics": [
      "data_anonymization",
      "privacy_engineering",
      "offline_local_processing"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.592,
    "venue": "International Convention on Information and Communication Technology, Electronics and Microelectronics",
    "language": "en"
  },
  {
    "id": "openaire:10.1515/piko.2008.0016",
    "title": "PktAnon – A Generic Framework for Profile-based Traffic Anonymization",
    "authors": [
      "Th. Gamer",
      "Chr. Mayer",
      "M. Schöller"
    ],
    "date": "2008-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1515/piko.2008.0016",
    "pdfUrl": "",
    "doi": "10.1515/piko.2008.0016",
    "abstract": "ABSTRACT Computer network researchers, system engineers and networkoperators have an increasing need for network traces. Theseare necessary to build and evaluate communication systems.This ranges from developing intrusion detection systems overevaluating network protocols or system design decisions, up toeducation in network security. Unfo rtunately, availability of real-world traces is very scarce, mainly due to privacy and securityconcerns. Making recorded data anonymous helps to mitigatethis problem. Available anonymization systems, however, donot provide sufficient flexibility, extensibility or ease of use.Therefore, we developed a generic framework for traffic ano-nymization that can easily be co nfigured by anonymization pro-files. Such profiles ensure an ea sy adaptation of the informationactually being made anonymous to different environments or lo-cal legislation. Furthermore, our framework supports flexibleapplication of arbitrary anonymization primitives to every proto-col field. Due to its extensibilit y our framework provides an easyincorporation of new anonymity-enhancing techniques, too. Ad-ditionally, it prevents accidental disclosure of private data by ap-plying a technique called defensive transformation. Finally, itcan be used for online as well as offline anonymization of net-work traffic.",
    "topics": [
      "data_anonymization",
      "privacy_engineering",
      "offline_local_processing"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.592,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::fa09b64ae136cdae3f0f225b909077c2",
    "title": "(Un)surveillance capitalism: a framework to build trust between brands and consumers for a democratic future",
    "authors": [
      "Iyer, Pooja 1987-",
      "0000-0003-4834-1931"
    ],
    "date": "2024-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.26153/tsw/55912",
    "pdfUrl": "",
    "doi": "10.26153/tsw/55912",
    "abstract": "The surge of big data in the era of the fourth digital revolution has allowed for a great deal of convenience among consumers. However, the use of this data is not without concerns on the lack of democracy for consumers due to the negative consequences of data sharing. In America, there is a lack of a national comprehensive privacy regulation combined with fragmented regulations by states. However, these existing policies impact monetized use of data in commercial advertising leaving political disinformation as well as surveillance in tandem with the data broker and big tech industries largely unregulated. This study conducts an interdisciplinary exploration of a consumer centric ecosystem of advertising, propaganda, and surveillance. Based on the foundation of Nissenbaum’s Contextual Integrity Theory and drawing from the Theory of Surveillance Capitalism (Zuboff, 2019), this study examines a self-regulatory approach in the advertising industry towards an un-surveillance capitalism. To that extent, this study proposes five research topics for advertising practitioners, including: (1) perceptions of consumer data privacy, (2) perceptions of data brokers, (3) perceptions of surveillance, (4) awareness and perceptions of data regulation and policy, and (5) context-based data usage in the industry. To answer these research questions, this study utilized a purposive sample and recruited U.S. based advertising and marketing practitioners across advertising agencies, advertising technology, and brand managers (N=20). In-depth semi-structured interviews were conducted followed by a reflexive thematic analysis. Ten themes were identified: (1) The Surveillance Marketplace, (2) Scrutinize Propaganda, (3) Value Exchange Towards Brands, (4) Literacy and Knowledge, (5) The Myths of Advertising Busted, Data Minimalization, (6) Privacy Checkbox, (7) Data Broker and Standardized Practices, (8) Government Regulation Drawbacks, and (9) Solutions to a Pertinent Topic. 
Conclusions discu",
    "topics": [
      "power_knowledge_asymmetry",
      "linkability_tracking",
      "data_broker_surveillance"
    ],
    "painPointTracks": [
      "Data Brokers",
      "Re-identification",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.592,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:2003.08875",
    "title": "Beheshti-NER: Persian Named Entity Recognition Using BERT",
    "authors": [
      "Ehsan Taher",
      "Seyed Abbas Hoseini",
      "Mehrnoush Shamsfard"
    ],
    "date": "2020-03-19",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2003.08875v1",
    "pdfUrl": "https://arxiv.org/pdf/2003.08875v1",
    "doi": "",
    "abstract": "Named entity recognition is a natural language processing task to recognize and extract spans of text associated with named entities and classify them in semantic Categories. Google BERT is a deep bidirectional language model, pre-trained on large corpora that can be fine-tuned to solve many NLP tasks such as question answering, named entity recognition, part of speech tagging and etc. In this paper, we use the pre-trained deep bidirectional network, BERT, to make a model for named entity recognition in Persian. We also compare the results of our model with the previous state of the art results achieved on Persian NER. Our evaluation metric is CONLL 2003 score in two levels of word and phrase. This model achieved second place in NSURL-2019 task 7 competition which associated with NER for the Persian language. our results in this competition are 83.5 and 88.4 f1 CONLL score respectively in phrase and word level evaluation.",
    "topics": [
      "pii_entity_types",
      "data_anonymization",
      "nlp_ner_tools"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.592,
    "venue": "",
    "language": "en"
  },
  {
    "id": "doaj:09dc6897b73f41aeb29a8a5e42437a6a",
    "title": "The Text Anonymization Benchmark (TAB): A Dedicated Corpus and Evaluation Framework for Text Anonymization",
    "authors": [
      "Ildikó Pilán",
      "Pierre Lison",
      "Lilja Øvrelid",
      "Anthi Papadopoulou",
      "David Sánchez",
      "Montserrat Batet"
    ],
    "date": "2022",
    "platform": "doaj",
    "sourceUrl": "http://dx.doi.org/10.1162/coli_a_00458",
    "pdfUrl": "",
    "doi": "10.1162/coli_a_00458",
    "abstract": "We present a novel benchmark and associated evaluation metrics for assessing the performance of text anonymization methods. Text anonymization, defined as the task of editing a text document to prevent the disclosure of personal information, currently suffers from a shortage of privacy-oriented annotated text resources, making it difficult to properly evaluate the level of privacy protection offered by various anonymization methods. This paper presents TAB (Text Anonymization Benchmark), a new, open-source annotated corpus developed to address this shortage. The corpus comprises 1,268 English-language court cases from the European Court of Human Rights (ECHR) enriched with comprehensive annotations about the personal information appearing in each document, including their semantic category, identifier type, confidential attributes, and co-reference relations. Compared with previous work, the TAB corpus is\n      designed to go beyond traditional de-identification (which is limited to the detection of predefined semantic categories), and explicitly marks which text spans ought to be masked in order to conceal the identity of the person to be protected. Along with presenting the corpus and its annotation layers, we also propose a set of evaluation metrics that are specifically tailored toward measuring the performance of text anonymization, both in terms of privacy protection and utility preservation. We illustrate the use of the benchmark and the proposed metrics by assessing the empirical performance of several baseline text anonymization models. The full corpus along with its privacy-oriented annotation guidelines, evaluation scripts, and baseline models are available on: https://github.com/NorskRegnesentral/text-anonymization-benchmark.",
    "topics": [
      "data_anonymization",
      "nlp_ner_tools"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.579,
    "venue": "Computational Linguistics",
    "language": "en"
  },
  {
    "id": "doaj:48acbf25d28c4d98a0bc52bc700f9181",
    "title": "The Impact of Biometric Surveillance on Reducing Violent Crime: Strategies for Apprehending Criminals While Protecting the Innocent",
    "authors": [
      "Patricia Haley"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://www.mdpi.com/1424-8220/25/10/3160",
    "pdfUrl": "",
    "doi": "10.3390/s25103160",
    "abstract": "In the rapidly evolving landscape of biometric technologies, integrating artificial intelligence (AI) and predictive analytics offers promising opportunities and significant challenges for law enforcement and violence prevention. This paper examines the current state of biometric surveillance systems, emphasizing the application of new sensor technologies and machine learning algorithms and their impact on crime prevention strategies. While advancements in facial recognition and predictive policing models have shown varying degrees of accuracy in determining violence, their efficiency and ethical concerns regarding privacy, bias, and civil liberties remain critically important. By analyzing the effectiveness of these technologies within public safety contexts, this study aims to highlight the potential of biometric systems to improve identification processes while addressing the urgent need for strong frameworks that ensure improvements in violent crime prevention while providing moral accountability and equitable implementation in diverse communities. Ultimately, this research contributes to ongoing discussions about the future of biometric sensing technologies and their role in creating safer communities.",
    "topics": [
      "biometric_surveillance",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.579,
    "venue": "Sensors",
    "language": "en"
  },
  {
    "id": "doaj:10092981ffe24e449ff8bbbfc56c5ee0",
    "title": "‘The Right to Be Forgotten’ and the Sui Generis Controller in the Context of CJEU Jurisprudence and the GDPR",
    "authors": [
      "Nina Gumzej"
    ],
    "date": "2021",
    "platform": "doaj",
    "sourceUrl": "https://www.cyelp.com/index.php/cyelp/article/view/447",
    "pdfUrl": "",
    "doi": "10.3935/cyelp.17.2021.447",
    "abstract": "The Google Spain judgment established a search engine as a sui generis controller and the related ‘right to be forgotten’ (right to delisting) under data protection legislation, despite the controversies surrounding it primarily on account of the logic of the search engine operator’s functioning and its consequent inability to comply with certain basic data protection requirements. Resulting interpretations, ie the contouring of data protection legislation under CJEU case law (the Google Spain and the GC and Others judgment), are examined in this paper in detail in relation to the currently applicable GDPR provisions, which allows conclusions to be drawn on the substance of the (sui generis) delisting right, the legal standing of data subjects, the assessment of delisting requests, and the related role and responsibilities of search engine operators. While neither removal from the source web page is required nor can delisting be denied exclusively on the basis of the publisher’s right to freedom of information and expression, analysis shows several manifestations of inherent interweavement with concerns of freedom of information and expression, which at the same time intrinsically oppose data protection and privacy rights. The issue is further challenged by a lack of harmonisation in the area of reconciling privacy and data protection rights with the freedom of expression and information. The last section of the paper discusses the rationale behind the recently established duty of adjusting, ie rearranging, search results in certain cases where delisting requests were denied, the implications for the operators, and the future outlook.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "Croatian Yearbook of European Law and Policy",
    "language": "en"
  },
  {
    "id": "europepmc:36648500",
    "title": "[Protecting the rights and freedoms of individuals with regard to health data processing: the risk approach of the EU General Data Protection Regulation (GDPR)].",
    "authors": [
      "Molnár-Gábor F."
    ],
    "date": "2023-01-17",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1007/s00103-022-03652-6",
    "pdfUrl": "https://link.springer.com/content/pdf/10.1007/s00103-022-03652-6.pdf",
    "doi": "10.1007/s00103-022-03652-6",
    "abstract": "Merging sensitive data and tracing their analysis results back to the data subjects is an essential part of data processing in the health sector. This challenges the protection of the data and thus its very purpose, the protection of the data subjects, since the scientific and health findings are often based on certain characteristics in the datasets, which should be preserved in their property as personal in order to make the results of the data analysis fruitful. The EU General Data Protection Regulation (GDPR) establishes a risk-based approach that determines both the identifiability of data and the proportionality of their processing.This paper analyses how the risk-based approach opens the scope of the GDPR and relates it to the risks for the rights and freedoms of data subjects posed by the processing of personal data. Furthermore, the question is explored to what extent the risk-based approach of the GDPR influences the rules for international data transfer and how international data processing in the health sector is currently organised on its basis.Overall, the present analysis sheds light on how the technical measures of data processing and the organisational measures for handling them can contribute to maintaining the proportionality of data processing under the GDPR, which can essentially be determined on a risk-based basis, while at the same time taking into account the specificity of data processing in the health sector.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "Bundesgesundheitsblatt - Gesundheitsforschung - Gesundheitsschutz",
    "language": "de"
  },
  {
    "id": "europepmc:PPR1036946",
    "title": "A Combined Approach of Heat Map Confusion and Local Differential Privacy for Anonymization of Mobility Data",
    "authors": [
      "Christian D",
      "Gabriele G."
    ],
    "date": "2025-06-12",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.20944/preprints202506.0984.v1",
    "pdfUrl": "https://www.preprints.org/frontend/manuscript/253b35242636b07cbaa069fe288c8e6f/download_pub",
    "doi": "10.20944/preprints202506.0984.v1",
    "abstract": "Mobility data plays a crucial role in modern location-based services (LBS), yet poses significant privacy risks, as it can reveal highly sensitive information such as home locations and behavioral patterns. This paper focuses on anonymization of mobility data by obfuscating mobility heat maps and combining it with a local differential privacy method which generates synthetic mobility traces. Using the San Francisco Cabspotting dataset, we compare the effectiveness of the combined approach against reidentification attacks. Our results show that mobility traces treated with both a heat map confusion and local differential privacy are less likely to be re-identified than those anonymized solely with heat map confusion. This two-tiered anonymization process balances the trade-off between privacy and data utility, providing a robust defense against reidentification while preserving data accuracy for practical applications. The findings suggest that the integration of synthetic trace generation with heat map-based obfuscation can significantly enhance the protection of mobility data, offering a stronger solution for privacy-preserving data sharing.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "de"
  },
  {
    "id": "crossref:10.3390/electronics13204091",
    "title": "SPM-FL: A Federated Learning Privacy-Protection Mechanism Based on Local Differential Privacy",
    "authors": [
      "Zhiyan Chen",
      "Hong Zheng"
    ],
    "date": "2024-10-17",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.3390/electronics13204091",
    "pdfUrl": "https://www.mdpi.com/2079-9292/13/20/4091/pdf",
    "doi": "10.3390/electronics13204091",
    "abstract": "Federated learning is a widely applied distributed machine learning method that effectively protects client privacy by sharing and computing model parameters on the server side, thus avoiding the transfer of data to third parties. However, information such as model weights can still be analyzed or attacked, leading to potential privacy breaches. Traditional federated learning methods often disturb models by adding Gaussian or Laplacian noise, but under smaller privacy budgets, the large variance of the noise adversely affects model accuracy. To address this issue, this paper proposes a Symmetric Partition Mechanism (SPM), which probabilistically perturbs the sign of local model weight parameters before model aggregation. This mechanism satisfies strict ϵ-differential privacy, while introducing a variance constraint mechanism that effectively reduces the impact of noise interference on model performance. Compared with traditional methods, SPM generates smaller variance under the same privacy budget, thereby improving model accuracy and being applicable to scenarios with varying numbers of clients. Through theoretical analysis and experimental validation on multiple datasets, this paper demonstrates the effectiveness and privacy-protection capabilities of the proposed mechanism.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "Electronics",
    "language": "en"
  },
  {
    "id": "openaire:10.1145/2414456.2414474",
    "title": "On sampling, anonymization, and differential privacy or,             <i>k</i>             -anonymization meets differential privacy",
    "authors": [
      "Li, Ninghui",
      "Qardaji, Wahbeh",
      "Su, Dong"
    ],
    "date": "2012-05-02",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1145/2414456.2414474",
    "pdfUrl": "https://dl.acm.org/doi/10.1145/2414456.2414474",
    "doi": "10.1145/2414456.2414474",
    "abstract": "This paper aims at answering the following two questions in privacy-preserving data analysis and publishing: What formal privacy guarantee (if any) does $k$-anonymization provide? How to benefit from the adversary's uncertainty about the data? We have found that random sampling provides a connection that helps answer these two questions, as sampling can create uncertainty. The main result of the paper is that $k$-anonymization, when done \"safely\", and when preceded with a random sampling step, satisfies $(��,��)$-differential privacy with reasonable parameters. This result illustrates that \"hiding in a crowd of $k$\" indeed offers some privacy guarantees. This result also suggests an alternative approach to output perturbation for satisfying differential privacy: namely, adding a random sampling step in the beginning and pruning results that are too sensitive to change of a single tuple. Regarding the second question, we provide both positive and negative results. On the positive side, we show that adding a random-sampling pre-processing step to a differentially-private algorithm can greatly amplify the level of privacy protection. Hence, when given a dataset resulted from sampling, one can utilize a much large privacy budget. On the negative side, any privacy notion that takes advantage of the adversary's uncertainty likely does not compose. We discuss what these results imply in practice.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security",
    "language": "en"
  },
  {
    "id": "s2:bb2c6fe88003b43b9efb2f4d66e44563a36c8a5d",
    "title": "Web User Profiling using Fuzzy Signatures and Browser Fingerprinting",
    "authors": [
      "Luca Aliberti",
      "Francesco Apicella",
      "G. D’aniello",
      "Francesco Flammini",
      "Matteo Gaeta",
      "Simone Salzano"
    ],
    "date": "2024-10-06",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/bb2c6fe88003b43b9efb2f4d66e44563a36c8a5d",
    "pdfUrl": "http://xplorestaging.ieee.org/ielx8/10830919/10830920/10831668.pdf?arnumber=10831668",
    "doi": "10.1109/SMC54092.2024.10831668",
    "abstract": "Accurately identifying and profiling users is one of the primary challenges of many modern web applications. This paper presents an approach for user profiling that utilizes Fuzzy User Signatures combined with browser fingerprinting techniques. Our approach analyzes users' web domain visit frequencies and categories to determine their preferences and behaviors. Fuzzy User Signatures provide a condensed representation of user activities, enabling a framework for assessing user similarity. This method can significantly improve web navigation experiences by allowing for personalized content and product recommendations. The approach has been evaluated on a dataset comprising users' web activities combined with browser fingerprints, achieving overall good performances.",
    "topics": [
      "linkability_tracking"
    ],
    "painPointTracks": [
      "Re-identification"
    ],
    "relevanceScore": 0.567,
    "venue": "IEEE International Conference on Systems, Man and Cybernetics",
    "language": "en"
  },
  {
    "id": "arxiv:2306.14407",
    "title": "Homomorphic Encryption: An Analysis of its Applications in Searchable Encryption",
    "authors": [
      "Ivone Amorim",
      "Ivan Costa"
    ],
    "date": "2023-06-26",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2306.14407v1",
    "pdfUrl": "https://arxiv.org/pdf/2306.14407v1",
    "doi": "10.3390/math11132948",
    "abstract": "The widespread adoption of cloud infrastructures has revolutionised data storage and access. However, it has also raised concerns regarding the privacy of sensitive data stored in the cloud. To address these concerns, encryption techniques have been widely used. However, traditional encryption schemes limit the efficient search and retrieval of encrypted data. To tackle this challenge, innovative approaches have emerged, such as the utilisation of Homomorphic Encryption (HE) in Searchable Encryption (SE) schemes. This paper provides a comprehensive analysis of the advancements in HE-based privacy-preserving techniques, focusing on their application in SE. The main contributions of this work include the identification and classification of existing SE schemes that utilize HE, a comprehensive analysis of the types of HE used in SE, an examination of how HE shapes the search process structure and enables additional functionalities, and the identification of promising directions for future research in HE-based SE. The findings reveal the increasing usage of HE in SE schemes, particularly Partially Homomorphic Encryption. The analysis also highlights the prevalence of index-based SE schemes using HE, the support for ranked search and multi-keyword queries, and the need for further exploration in functionalities such as verifiability and the ability to authorise and revoke users. Future research directions include exploring the usage of other encryption schemes alongside HE, addressing omissions in functionalities like fuzzy keyword search, and leveraging recent advancements in Fully Homomorphic Encryption schemes.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:5362569",
    "title": "Anonymization Did Not Fail: Misconceptions and Overstatements on Data Anonymization Failures",
    "authors": [
      "David Sánchez",
      "Josep Domingo-Ferrer",
      "Krishnamurty Muralidhar"
    ],
    "date": "2025-09",
    "platform": "hal",
    "sourceUrl": "https://laas.hal.science/hal-05362569v1",
    "pdfUrl": "http://xplorestaging.ieee.org/ielx8/8013/11204761/11204763.pdf?arnumber=11204763",
    "doi": "10.1109/MSEC.2025.3581756",
    "abstract": "Several authors have claimed the “failure of anonymization,” despite over 50 years of research. We review privacy leaks reported over the past decades and conclude they were due to nonexistent or inadequate anonymization, rather than a lack of robust anonymization methods.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "IEEE Security and Privacy Magazine",
    "language": "en"
  },
  {
    "id": "crossref:10.1007/978-1-4899-7502-7_990-1",
    "title": "Data Anonymization with Differential Privacy",
    "authors": [
      "Alip Mohammed",
      "Benjamin C. M. Fung"
    ],
    "date": "2022",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.1007/978-1-4899-7502-7_990-1",
    "pdfUrl": "https://link.springer.com/content/pdf/10.1007/978-1-4899-7502-7_990-1",
    "doi": "10.1007/978-1-4899-7502-7_990-1",
    "abstract": "",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "Encyclopedia of Machine Learning and Data Science",
    "language": "en"
  },
  {
    "id": "openaire:10.1093/oso/9780198826491.003.0001",
    "title": "Background and Evolution of the EU General Data Protection Regulation (GDPR)",
    "authors": [
      "Christopher Kuner",
      "Lee A Bygrave",
      "Christopher Docksey"
    ],
    "date": "2020-02-13",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1093/oso/9780198826491.003.0001",
    "pdfUrl": "https://academic.oup.com/oxford-law-pro/book/chapter-pdf/58568734/isbn-9780198826491-book-part-1.pdf",
    "doi": "10.1093/oso/9780198826491.003.0001",
    "abstract": "This book provides an article-by-article commentary on the EU General Data Protection Regulation (‘GDPR’). Adopted in April 2016 and applicable from May 2018, the GDPR is the centrepiece of the reform of the EU regulatory framework for protection of personal data. While retaining the conceptual framework of the Data Protection Directive 95/46 (‘DPD’) that it replaced, the GDPR represents a major shift in the way that data protection is regulated in EU law. In addition, the GDPR has already become a global benchmark in the field.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "The EU General Data Protection Regulation (GDPR)",
    "language": "en"
  },
  {
    "id": "crossref:10.21552/edpl/2022/4/8",
    "title": "Collective Damages for GDPR Breaches: A Feasible solution for the GDPR Enforcement Deficit?",
    "authors": [
      "S. Mulders"
    ],
    "date": "2022",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.21552/edpl/2022/4/8",
    "pdfUrl": "",
    "doi": "10.21552/edpl/2022/4/8",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "European Data Protection Law Review",
    "language": "en"
  },
  {
    "id": "crossref:10.1163/2210-7975_hrd-9843-20190004",
    "title": "World YWCA Responsible Data Policy: Privacy and GDPR (General Data Protection Regulation)",
    "authors": [],
    "date": "2020-12-28",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.1163/2210-7975_hrd-9843-20190004",
    "pdfUrl": "",
    "doi": "10.1163/2210-7975_hrd-9843-20190004",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "Human Rights Documents Online",
    "language": "en"
  },
  {
    "id": "crossref:10.1211/pj.2017.20203048",
    "title": "Essential guide to the General Data Protection Regulation (GDPR)",
    "authors": [],
    "date": "2017",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.1211/pj.2017.20203048",
    "pdfUrl": "",
    "doi": "10.1211/pj.2017.20203048",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "The Pharmaceutical Journal",
    "language": "en"
  },
  {
    "id": "crossref:10.2139/ssrn.6161707",
    "title": "Algorithmic Regulation: An Analysis of the General Data Protection Regulation (GDPR)",
    "authors": [
      "Olaitan Aiyeyomi"
    ],
    "date": "2026-02-04",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.2139/ssrn.6161707",
    "pdfUrl": "",
    "doi": "10.2139/ssrn.6161707",
    "abstract": "Digital technologies and algorithmic systems have revolutionized modern life, transforming social networking, finance, and education through unprecedented speed and scale. However, these systems pose significant risks including privacy breaches, discrimination, and human rights violations. Algorithmic regulation has emerged as essential governance to mitigate these challenges. Algorithms range from simple rule-based systems to complex machine learning models, yet their opacity raises accountability and fairness concerns. The EU's GDPR serves as a foundational framework emphasizing transparency and rights protection in algorithmic processing, though significant improvement opportunities remain. This essay examines algorithmic regulation's role in addressing digital advancement challenges, evaluating the GDPR's effectiveness and limitations regarding privacy, bias, and accountability, while assessing broader impacts on individuals, businesses, and society.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "crossref:10.21428/9885764c.a43f9e57",
    "title": "GDPR Meets DMA: Towards a Differentiated EU Data Protection Regime?",
    "authors": [
      "Aolan Li"
    ],
    "date": "2025-12-15",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.21428/9885764c.a43f9e57",
    "pdfUrl": "",
    "doi": "10.21428/9885764c.a43f9e57",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "European Law Blog",
    "language": "en"
  },
  {
    "id": "openaire:S0267364921000121",
    "title": "Can the GDPR make data flow for research easier? Yes it can, by differentiating! A careful reading of the GDPR shows how EU data protection law leaves open some significant flexibilities for data protection-sound research activities",
    "authors": [
      "Giovanni Comandé",
      "Giulia Schneider"
    ],
    "date": "2021-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1016/j.clsr.2021.105539",
    "pdfUrl": "",
    "doi": "10.1016/j.clsr.2021.105539",
    "abstract": "Against the common perception of data protection as a road-block, we demonstrate that the GDPR can work as a research enabler. This study’s assumption is that the data protection framework for research is grounded in the two European data protection’s regulatory pillars, the first one related to the protection of data subjects’ fundamental rights and the second one regarding the promotion of the free flow of personal data. It demonstrates the existence of an architecture of layered data protection regimes for research, in which data subjects’ rights and controllers’ safeguards are either tightened or relaxed on the basis of the public or commercial interest underlying the processing. It further shows how each of the identified data protection regimes shape different “enabling regulatory spots” for the processing of sensitive personal data for research purposes.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "Comput. Law Secur. Rev.",
    "language": "en"
  },
  {
    "id": "openaire:10.2139/ssrn.3386914",
    "title": "Data Protection, Artificial Intelligence and Cognitive Services: Is the General Data Protection Regulation (GDPR) ‘Artificial Intelligence-Proof’?",
    "authors": [
      "Lilian Mitrou"
    ],
    "date": "2018-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.2139/ssrn.3386914",
    "pdfUrl": "https://doi.org/10.2139/ssrn.3386914",
    "doi": "10.2139/ssrn.3386914",
    "abstract": "AI - in its interplay with Big Data, ambient intelligence, ubiquitous computing and cloud computing - augments the existing major, qualitative and quantitative, shift with regard to the processing of personal information. The questions that arise are of crucial importance both for the development of AI and the efficiency of data protection arsenal: Is the current legal framework AI-proof? Are the data protection and privacy rules and principles adequate to deal with the challenges of AI or do we need to elaborate new principles to work alongside the advances of AI technology? Our research focuses on the assessment of GDPR that, however, does not specifically address AI, as the regulatory choice consisted more in what we perceive as “technology-independent legislation”. The paper will give a critical overview and assessment of the provisions of GDPR that are relevant for the AI-environment, i.e. the scope of application, the legal grounds with emphasis on consent, the reach and applicability of data protection principles and the new (accountability) tools to enhance and ensure compliance.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "SSRN Electronic Journal",
    "language": "en"
  },
  {
    "id": "crossref:10.32388/v4m4ae",
    "title": "Review of: \"SafeSynthDP: Leveraging Large Language Models for Privacy-Preserving Synthetic Data Generation Using Differential Privacy\"",
    "authors": [
      "Andrey Makrushin"
    ],
    "date": "2025-03-05",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.32388/v4m4ae",
    "pdfUrl": "https://www.qeios.com/read/V4M4AE/pdf",
    "doi": "10.32388/v4m4ae",
    "abstract": "",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "crossref:10.2139/ssrn.5805184",
    "title": "Dual Privacy Protection in Financial AI: When k-Anonymity and Differential Privacy Improve Accuracy Together",
    "authors": [
      "Kenzo Arai"
    ],
    "date": "2026-01-05",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.2139/ssrn.5805184",
    "pdfUrl": "",
    "doi": "10.2139/ssrn.5805184",
    "abstract": "",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4328090360",
    "title": "Privacy protection method for blockchain transaction data based on homomorphic encryption and zero-knowledge proof",
    "authors": [
      "Zhongtu Liu",
      "Chen Liu"
    ],
    "date": "2023",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1117/12.2671850",
    "pdfUrl": "",
    "doi": "https://doi.org/10.1117/12.2671850",
    "abstract": "All users have access to the details of all transactions through the public ledger thanks to the distributed characteristics of the blockchain. However, attackers may infer the identities of the parties through detailed transaction data, and impair the privacy of users. Among these data, the transaction value is one of the most important transaction data. Therefore, for the privacy protection during blockchain transactions, this paper, based on the homomorphic encryption technology, enabled the committer peer to update the ledger during the transaction without knowing the balance of the parties' accounts and the transaction value. Meanwhile, the zero-knowledge proof scheme was introduced. It was proved by interval range that the committer peer can verify the validity of the transaction without knowing the transaction value.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.567,
    "venue": "International Conference on Computer Application and Information Security (ICCAIS 2022)",
    "language": "en"
  },
  {
    "id": "crossref:10.1201/9781003337751-12",
    "title": "Zero-knowledge Proof (ZKP) and Privacy Preserving",
    "authors": [
      "William J. Buchanan"
    ],
    "date": "2022-09-01",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.1201/9781003337751-12",
    "pdfUrl": "",
    "doi": "10.1201/9781003337751-12",
    "abstract": "",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.567,
    "venue": "Cryptography",
    "language": "en"
  },
  {
    "id": "crossref:10.1007/978-981-95-4161-4_4",
    "title": "Privacy and Transparency Enhanced Electoral Bonds Using Zero-Knowledge Proof, Homomorphic Encryption and Blockchain Technology",
    "authors": [
      "Puneet Bakshi",
      "Siddhant Bopche",
      "M. Vinodh Kumar"
    ],
    "date": "2026",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.1007/978-981-95-4161-4_4",
    "pdfUrl": "https://link.springer.com/content/pdf/10.1007/978-981-95-4161-4_4",
    "doi": "10.1007/978-981-95-4161-4_4",
    "abstract": "",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.567,
    "venue": "Smart Innovation, Systems and Technologies",
    "language": "en"
  },
  {
    "id": "crossref:10.1007/s12083-025-01963-4",
    "title": "Enabling privacy-preserving and distributed intelligent credit scoring by zero-knowledge proof and functional encryption",
    "authors": [
      "Yangyang Bao",
      "Lingrui Pan",
      "Xiaochun Cheng",
      "Liming Nie"
    ],
    "date": "2025-05",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.1007/s12083-025-01963-4",
    "pdfUrl": "https://link.springer.com/content/pdf/10.1007/s12083-025-01963-4.pdf",
    "doi": "10.1007/s12083-025-01963-4",
    "abstract": "",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.567,
    "venue": "Peer-to-Peer Networking and Applications",
    "language": "en"
  },
  {
    "id": "crossref:10.1007/978-3-031-94898-5_44",
    "title": "FedShield: Privacy Preservation for Blockchain Enabled Federated Learning with Homomorphic Encryption and Zero-Knowledge Proof",
    "authors": [
      "Pallavi Arora",
      "Arya Tapikar",
      "Akshat Aryan",
      "V Amogh Manish",
      "V Sarasvathi"
    ],
    "date": "2025",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.1007/978-3-031-94898-5_44",
    "pdfUrl": "https://link.springer.com/content/pdf/10.1007/978-3-031-94898-5_44",
    "doi": "10.1007/978-3-031-94898-5_44",
    "abstract": "",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.567,
    "venue": "Lecture Notes in Networks and Systems",
    "language": "en"
  },
  {
    "id": "crossref:10.1007/978-3-031-96743-6_5",
    "title": "The Impact of AI on Data Protection: Evolution of Court of Justice of the European Union Case Law Regarding the General Data Protection Regulation (GDPR) in the Artificial Intelligence Era",
    "authors": [
      "Athina Moraiti",
      "Charalampos Stamelos"
    ],
    "date": "2025",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.1007/978-3-031-96743-6_5",
    "pdfUrl": "https://link.springer.com/content/pdf/10.1007/978-3-031-96743-6_5",
    "doi": "10.1007/978-3-031-96743-6_5",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "EU Digital Law in the AI Era",
    "language": "en"
  },
  {
    "id": "crossref:10.1093/acprof:oso/9780198807216.003.0005",
    "title": "EU Data Protection Law: The Review of Directive 95/46/EC and the General Data Protection Regulation",
    "authors": [
      "Peter Hustinx"
    ],
    "date": "2017-07-20",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.1093/acprof:oso/9780198807216.003.0005",
    "pdfUrl": "",
    "doi": "10.1093/acprof:oso/9780198807216.003.0005",
    "abstract": "This chapter looks at the origins and the current state of EU data protection law, and highlights the context of the ongoing review of Directive 95/46/EC as its key instrument, as well as the main lines of the proposed General Data Protection Regulation which will replace the Directive in the near future. The analysis shows a gradual development along two lines: one aiming at stronger rights in order to provide more effective protection, and one ensuring more consistent application of those rights across the EU. It also demonstrates the increasing impact of the Charter of Fundamental Rights, both in the case law of the Court of Justice and in the review of the legal framework. At the same time, it is argued that a lack of awareness of the difference in character between Articles 7 and 8 of the Charter could prevent Article 8 from reaching its full potential.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "Oxford Scholarship Online",
    "language": "en"
  },
  {
    "id": "crossref:10.21552/edpl/2020/3/8",
    "title": "Forgetful AI: AI and the Right to Erasure under the GDPR",
    "authors": [
      "T. Sérgio Cabral"
    ],
    "date": "2020",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.21552/edpl/2020/3/8",
    "pdfUrl": "",
    "doi": "10.21552/edpl/2020/3/8",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "European Data Protection Law Review",
    "language": "en"
  },
  {
    "id": "crossref:10.21552/edpl/2017/4/10",
    "title": "Nature and Ideal Steps of the Data Protection Impact Assessment Under the General Data Protection Regulation",
    "authors": [
      "A. Yordanov"
    ],
    "date": "2017",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.21552/edpl/2017/4/10",
    "pdfUrl": "",
    "doi": "10.21552/edpl/2017/4/10",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "European Data Protection Law Review",
    "language": "en"
  },
  {
    "id": "crossref:10.5771/9783845276090-49",
    "title": "C. Lawful processing of personal data in companies under the General Data Protection Regulation Sebastian DienstLawful processing of personal data in companies under the GDPR",
    "authors": [],
    "date": "2017",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.5771/9783845276090-49",
    "pdfUrl": "",
    "doi": "10.5771/9783845276090-49",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "New European General Data Protection Regulation",
    "language": "en"
  },
  {
    "id": "crossref:10.21552/edpl/2022/4/11",
    "title": "European Union ∙ EDPB Adopts updated Guidelines on Personal Data Breach Notification under GDPR: The End of the One-Stop-Shop Reporting Mechanism for Non-EU Establishments",
    "authors": [
      "S. Schmitz-Berndt"
    ],
    "date": "2022",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.21552/edpl/2022/4/11",
    "pdfUrl": "",
    "doi": "10.21552/edpl/2022/4/11",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "European Data Protection Law Review",
    "language": "en"
  },
  {
    "id": "openaire:10.29012/jpc.776",
    "title": "Synthetic Data Generation with Differential Privacy via Bayesian Networks",
    "authors": [
      "Ergute Bao",
      "Xiaokui Xiao",
      "Jun Zhao",
      "Dongping Zhang",
      "Bolin Ding"
    ],
    "date": "2021-12-24",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.29012/jpc.776",
    "pdfUrl": "https://journalprivacyconfidentiality.org/index.php/jpc/article/download/776/723",
    "doi": "10.29012/jpc.776",
    "abstract": "This paper describes PrivBayes, a differentially private method for generating synthetic datasets that was used in the 2018 Differential Privacy Synthetic Data Challenge organized by NIST.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "Journal of Privacy and Confidentiality",
    "language": "en"
  },
  {
    "id": "crossref:10.1016/j.cose.2024.103715",
    "title": "Efficient federated learning privacy preservation method with heterogeneous differential privacy",
    "authors": [
      "Jie Ling",
      "Junchang Zheng",
      "Jiahui Chen"
    ],
    "date": "2024-04",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.1016/j.cose.2024.103715",
    "pdfUrl": "https://api.elsevier.com/content/article/PII:S0167404824000166?httpAccept=text/xml",
    "doi": "10.1016/j.cose.2024.103715",
    "abstract": "",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "Computers & Security",
    "language": "en"
  },
  {
    "id": "crossref:10.7490/f1000research.1119545.1",
    "title": "HEaaN: A scalable privacy-preserving machine learning using homomorphic encryption for bioinformatician",
    "authors": [
      "Soo-Heang Abel Eo",
      "Song Hyeop Park"
    ],
    "date": "2025-11-21",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.7490/f1000research.1119545.1",
    "pdfUrl": "",
    "doi": "10.7490/f1000research.1119545.1",
    "abstract": "Homomorphic Encryption (HE) is a cryptographic scheme that enables arbitrary computations over encrypted data. It offers perfect protection for data at rest, in use, and in transit because encrypted data can be analyzed without decryption. We introduce HEaaN, a new scalable privacy-preserving data analysis tool that uses HE technology. HEaaN provides various statistics and machine learning toolkits, such as linear models, logistic regression, and more. The package offers user-friendly APIs similar to those of popular data analysis tools like Pandas and scikit-learn in Python and R. Additionally, HEaaN supports data analysis such as Polygenic Risk Scores and Ancestry Inference and integrates with tools developed within R/Bioconductor packages.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "crossref:10.12732/ijam.v38i10s.1024",
    "title": "HOMOMORPHIC ENCRYPTION AND ALGEBRAIC GEOMETRY FOR PRIVACY-PRESERVING MACHINE LEARNING",
    "authors": [
      "Mital Patel"
    ],
    "date": "2025-11-10",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.12732/ijam.v38i10s.1024",
    "pdfUrl": "https://ijamjournal.org/ijam/publication/index.php/ijam/article/download/1024/940",
    "doi": "10.12732/ijam.v38i10s.1024",
    "abstract": "Homomorphic encryption combined with algebraic geometry is emerging as one of the most mathematically powerful strategies for enabling privacy-preserving machine learning in environments where data confidentiality cannot be compromised. Traditional cryptographic methods protect data only at rest or in transit, but expose it during computation, creating substantial vulnerability in modern AI pipelines. Homomorphic encryption enables computation directly on encrypted inputs, while algebraic geometry provides the structural foundation for constructing efficient polynomial representations, ciphertext rings, and error-tolerant operations required by encrypted learning algorithms. This paper examines the integration of lattice-based homomorphic schemes with algebraic-geometric tools such as ideal lattices, algebraic curves, and Gröbner-basis methods to support encrypted inference and training. The analysis focuses on three core challenges: minimizing noise growth during encrypted computation, reducing model complexity for polynomial-friendly transformations, and preserving accuracy while enforcing strict privacy guarantees. The study argues that algebraic-geometric optimisation significantly improves the feasibility of encrypted neural networks, encrypted linear models, and encrypted gradient updates, especially for cloud-hosted and multi-party learning environments. By demonstrating how these mathematical frameworks interact, the paper positions homomorphic encryption and algebraic geometry as a critical foundation for future secure AI systems capable of operating without exposing sensitive information at any stage of computation.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.567,
    "venue": "International Journal of Applied Mathematics",
    "language": "en"
  },
  {
    "id": "crossref:10.4324/9781315240350-4",
    "title": "Anonymization and Pseudonymization",
    "authors": [
      "Carlos María Romeo Casabona"
    ],
    "date": "2017-07-05",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.4324/9781315240350-4",
    "pdfUrl": "",
    "doi": "10.4324/9781315240350-4",
    "abstract": "",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "The Data Protection Directive and Medical Research Across Europe",
    "language": "en"
  },
  {
    "id": "s2:e7942b044c1a18cf2b64e544dfdcc1051ee0c9bf",
    "title": "Mobile Anonymization and Pseudonymization of Structured Health Data for Research",
    "authors": [
      "Stella Dimopoulou",
      "Chrysostomos Symvoulidis",
      "Konstantinos Koutsoukos",
      "Athanasios Kiourtis",
      "Argyro Mavrogiorgou",
      "D. Kyriazis"
    ],
    "date": "2022-02-26",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/e7942b044c1a18cf2b64e544dfdcc1051ee0c9bf",
    "pdfUrl": "http://xplorestaging.ieee.org/ielx7/9727189/9727203/09727206.pdf?arnumber=9727206",
    "doi": "10.1109/MobiSecServ50855.2022.9727206",
    "abstract": "Healthcare Organizations need to share the health data of the patients with Research Centers in order to fulfill research purposes and improve the healthcare services provided to the patients. However, the information being processed by the Research Centers includes personal and/or sensitive data, which puts the privacy of the individuals at stake. To mitigate the risk of identity disclosure and privacy violation, a variety of privacy mechanisms, such as anonymization and pseudonymization, can be applied to the personal data of the data subjects. In this paper a mobile library is presented in order to either anonymize or pseudonymize the individuals’ personal information which follows the Fast Healthcare Interoperability Resources protocol. To evaluate the implementation and the functionalities of the library two case studies are described – one for each privacy mechanism.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "2022 Seventh International Conference On Mobile And Secure Services (MobiSecServ)",
    "language": "en"
  },
  {
    "id": "s2:8179983f04ccb8260c2af4567d6a2ffcb8eb44fd",
    "title": "Patterns for Anonymization, Pseudonymization and Perturbation: Focus Group Report",
    "authors": [
      "Mariana Monteiro",
      "Filipe F. Correia",
      "Paulo G. G. Queiroz"
    ],
    "date": "2024-07-03",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/8179983f04ccb8260c2af4567d6a2ffcb8eb44fd",
    "pdfUrl": "https://dl.acm.org/doi/10.1145/3698322.3698360",
    "doi": "10.1145/3698322.3698360",
    "abstract": "Ensuring privacy while sharing sensitive data is critical, particularly in fields such as healthcare, and everywhere compliance with data protection regulations is required. Anonymization and pseudonymization techniques are essential for preserving individual privacy but it is challenging to select the most appropriate methods given particular privacy and utility requirements. We conducted a focus group during the EuroPLoP 2024 conference that aimed to obtain feedback on patterns that we documented in this space and on a pattern map we outlined, and to identify patterns related to anonymization or pseudonymization of data that have not yet been documented. Some of the patterns we documented were not known by participants. On the other hand, we found some techniques that are potentially privacy-preserving patterns that have not yet been documented, and framed these techniques according to the category in our pattern map. Although the results suggest that our current patterns address some recurring privacy challenges, further exploration and documentation of the techniques are necessary to capture the full range of privacy-preserving solutions.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "European Conference on Pattern Languages of Programs",
    "language": "en"
  },
  {
    "id": "crossref:10.18653/v1/2024.caldpseudo-1.1",
    "title": "Handling Name Errors of a BERT-Based De-Identification System: Insights from Stratified Sampling and Markov-based Pseudonymization",
    "authors": [
      "Dalton Simancek",
      "V.G.Vinod Vydiswaran"
    ],
    "date": "2024",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.18653/v1/2024.caldpseudo-1.1",
    "pdfUrl": "",
    "doi": "10.18653/v1/2024.caldpseudo-1.1",
    "abstract": "",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "Proceedings of the Workshop on Computational Approaches to Language Data Pseudonymization (CALD-pseudo 2024)",
    "language": "en"
  },
  {
    "id": "crossref:10.22214/ijraset.2018.3493",
    "title": "B-Anonymization: Privacy beyond k-Anonymization and l-Diversity",
    "authors": [
      "B. Prakash"
    ],
    "date": "2018-03-31",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.22214/ijraset.2018.3493",
    "pdfUrl": "",
    "doi": "10.22214/ijraset.2018.3493",
    "abstract": "",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "International Journal for Research in Applied Science and Engineering Technology",
    "language": "en"
  },
  {
    "id": "crossref:10.1002/eng2.12297",
    "title": "Parking recommender system privacy preservation through anonymization and differential privacy",
    "authors": [
      "Yasir Saleem",
      "Mubashir Husain Rehmani",
      "Noel Crespi",
      "Roberto Minerva"
    ],
    "date": "2021-02",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.1002/eng2.12297",
    "pdfUrl": "https://onlinelibrary.wiley.com/doi/pdf/10.1002/eng2.12297",
    "doi": "10.1002/eng2.12297",
    "abstract": "AbstractRecent advancements in the Internet of Things (IoT) have enabled the development of smart parking systems that use services of third‐party parking recommender system to provide recommendations of personalized parking spot to users based on their past experience. However, the indiscriminate sharing of users' data with an untrusted (or semitrusted) parking recommender system may breach the privacy because users' behavior and mobility patterns could be inferred by analyzing their past history. Therefore, in this article, we present two solutions that preserve privacy of users in parking recommender systems while analyzing the past parking history usingk‐anonymity (anonymization) and differential privacy (perturbation) techniques. Specifically, given an original parking database containing users' parking information, thek‐anonymity mechanism constructs an anonymized database, while differential privacy perturbs the query response using the Laplace mechanism, making the users indistinguishable in both approaches, hence preserving the privacy. Experimental results on a data set constructed from real parking measurements evaluate the trade‐off between privacy and utility, therefore enabling users to receive parking spots recommendations while preserving their privacy.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "Engineering Reports",
    "language": "en"
  },
  {
    "id": "crossref:10.1109/iccta65425.2025.11166256",
    "title": "The role of Anonymization Techniques in Differential Privacy",
    "authors": [
      "Marios Vardalachakis",
      "Christos Kalloniatis"
    ],
    "date": "2025-05-21",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.1109/iccta65425.2025.11166256",
    "pdfUrl": "http://xplorestaging.ieee.org/ielx8/11165799/11165845/11166256.pdf?arnumber=11166256",
    "doi": "10.1109/iccta65425.2025.11166256",
    "abstract": "",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "2025 International Conference on Computer Technology Applications (ICCTA)",
    "language": "en"
  },
  {
    "id": "s2:09d3ac255615abc36365ee9eb4abd1c11ccc5736",
    "title": "The Conflict and Balance between Public Disclosure of Judicial Documents and Personal Data Protection: An Examination of the Anonymization Mechanism",
    "authors": [
      "Weitong Yu"
    ],
    "date": "2023",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/09d3ac255615abc36365ee9eb4abd1c11ccc5736",
    "pdfUrl": "http://www.clausiuspress.com/assets/default/article/2023/10/24/article_1698158145.pdf",
    "doi": "10.23977/law.2023.020909",
    "abstract": ": The public disclosure of judicial documents has produced numerous positive effects in judicial transparency, fairness, legal public education, risk prevention for societal entities, and specialized education and research across various industries. However, without a clear understanding of the primary functions and value of public disclosure, excessive exposure of litigants' personal information and privacy in these disclosed documents has led to a conflict between public interest and individual rights. It is recommended to prioritize the protection of individual rights and procedural justice, in tandem with the proportionality principle, to achieve public interest objectives with the least infringement on personal rights. By utilizing an anonymization mechanism, a dynamic balance between the public disclosure of judicial documents and personal data protection can be established.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "Science of Law Journal",
    "language": "en"
  },
  {
    "id": "crossref:10.1109/fruct-ispit.2016.7561500",
    "title": "Sensor data anonymization based on genetic algorithm clustering with L-Diversity",
    "authors": [
      "Ainur Abdrashitov",
      "Anton Spivak"
    ],
    "date": "2016-04",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.1109/fruct-ispit.2016.7561500",
    "pdfUrl": "http://xplorestaging.ieee.org/ielx7/7556943/7561497/07561500.pdf?arnumber=7561500",
    "doi": "10.1109/fruct-ispit.2016.7561500",
    "abstract": "",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "2016 18th Conference of Open Innovations Association and Seminar on Information Security and Protection of Information Technology (FRUCT-ISPIT)",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::6cfdb20dd4d4caa7f69c841850239585",
    "title": "A Critical Appraisal of Big Data Analytics within the General Data Protection Regulation (GDPR) Landscape",
    "authors": [
      "Ajibade, O.A."
    ],
    "date": "2018-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.13140/rg.2.2.18365.31207",
    "pdfUrl": "",
    "doi": "10.13140/rg.2.2.18365.31207",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::6e6d774e342fc1ef817d162d65667945",
    "title": "Data protection in pandemic times: is the General Data Protection Regulation (GDPR) adequate to share sensitive data?",
    "authors": [
      "Mitrou, Lilian"
    ],
    "date": "2024-01-24",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.5281/zenodo.11217608",
    "pdfUrl": "",
    "doi": "10.5281/zenodo.11217608",
    "abstract": "The BY-COVID project works towards enabling and improving the accessibility of COVID-19 and other infectious disease data to researchers, policy-makers, and the public. The BY-COVID Fest took place on 23-25 January 2024 in Athens, Greece, as the final event in a series of training events on Research Data Management (RDM) and the General Data Protection Regulation (GDPR). This presentation gives an introduction to data protection, GDPR, and sensitive data.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3036361211",
    "title": "General Data Protection Regulation (GDPR) in Healthcare: Hot Topics and Research Fronts",
    "authors": [
      "Farhad Fatehi",
      "Farkhondeh Hassandoust",
      "Ryan K. L. Ko",
      "Saeed Akhlaghpour"
    ],
    "date": "2020",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.3233/shti200336",
    "pdfUrl": "https://doi.org/10.3233/shti200336",
    "doi": "https://doi.org/10.3233/shti200336",
    "abstract": "General Data Protection Regulation came into effect across the European Union in May 2018 but its implications in healthcare are yet to be fully understood. The aim of this study was to identify the fronts and hot topics in research on GDPR in healthcare. We analyzed the relevant records in Scopus through bibliometric and scientometric approach and visualization techniques. A set of 155 records was obtained and processed for co-occurrence analysis of key terms and concept mapping. The number of published papers showed a steep rise in the past two years, mainly by European countries. Analysis of the abstract of the papers showed that data protection, privacy, and big data were the most frequently used terms. Three dominant research fronts of GDPR are 1) general implications of GDPR, 2) technology aspects of GDPR, and 3) GDPR in healthcare service. Blockchain and machine learning are among the remerging topics of GDPR research.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "Studies in health technology and informatics",
    "language": "en"
  },
  {
    "id": "openaire:10.1007/978-3-030-17287-9_14",
    "title": "How Does GDPR (General Data Protection Regulation) Affect Persuasive System Design: Design Requirements and Cost Implications",
    "authors": [
      "Oinas-Kukkonen Harri",
      "Shao Xiuyan"
    ],
    "date": "2019-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1007/978-3-030-17287-9_14",
    "pdfUrl": "",
    "doi": "10.1007/978-3-030-17287-9_14",
    "abstract": "In May 2018, GDPR came into effect in the European Union, placing additional requirements for data sensitive companies on data protection. For persuasive systems which deal with users’ data, taking GDPR into consideration in the design phase is necessary. This paper analyzes and summarizes the requirements by GDPR and discusses how they affect persuasive systems design in terms of design requirements and cost implications.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "PERSUASIVE",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2792196336",
    "title": "General Data Protection Regulation (GDPR) and implications for research",
    "authors": [
      "Marc Cornock"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1016/j.maturitas.2018.01.017",
    "pdfUrl": "http://www.maturitas.org/article/S0378512218300367/pdf",
    "doi": "https://doi.org/10.1016/j.maturitas.2018.01.017",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "Maturitas",
    "language": "en"
  },
  {
    "id": "openaire:10.2139/ssrn.4601974",
    "title": "Post-GDPR Lawmaking in the Digital Data Society: Mimesis Without Integration. Topological Understandings of Twisted Boundary Setting in EU Data Protection Law",
    "authors": [
      "De Hert, Paul"
    ],
    "date": "2023-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.2139/ssrn.4601974",
    "pdfUrl": "",
    "doi": "10.2139/ssrn.4601974",
    "abstract": "<jats:title>Abstract</jats:title>                <jats:p>Following up on previous research conducted on post-GDPR lawmaking, this chapter seeks to explore a second wave of post-GDPR lawmaking, particularly regarding the European Strategy for Data and its relation with the field of data protection. For this purpose, a selection of case studies is analysed to look at whether EU lawmakers seek integration, denial or mimetics of the GDPR in different data-intensive activities that have been recently regulated or are soon to be. Following this analysis, the chapter explores different paths to explain the reasons and rationale behind the adopted approach and argues for careful integration with the legal rules of a pre-existing framework of the GDPR and its principles and rules. Only then will boundaries of data protection law be able to function properly. The chapter ends with a perspective on regulatory change in EU lawmaking on the Digital Single Market and its subsequent regulatory strategies as a result of this process.</jats:p>",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.4324/9781003004790-1",
    "title": "What is the General Data Protection Regulation (GDPR)?",
    "authors": [
      "Samantha Alford"
    ],
    "date": "2020-02-10",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.4324/9781003004790-1",
    "pdfUrl": "",
    "doi": "10.4324/9781003004790-1",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1093/asj/sjy296",
    "title": "General Data Protection Regulation (GDPR) and Data Breaches: What You Should Know",
    "authors": [
      "Foad, Nahai"
    ],
    "date": "2018-10-29",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1093/asj/sjy296",
    "pdfUrl": "",
    "doi": "10.1093/asj/sjy296",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "Aesthetic surgery journal",
    "language": "en"
  },
  {
    "id": "openaire:10.1145/3626232.3653261",
    "title": "From Theory to Comprehension: A Comparative Study of Differential Privacy and k-Anonymity",
    "authors": [
      "Saskia Nuñez von Voigt",
      "Luise Mehner",
      "Florian Tschorsch"
    ],
    "date": "2024-06-19",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1145/3626232.3653261",
    "pdfUrl": "",
    "doi": "10.1145/3626232.3653261",
    "abstract": "The notion of \\varepsilon-differential privacy is a widely used concept of providing quantifiable privacy to individuals. However, it is unclear how to explain the level of privacy protection provided by a differential privacy mechanism with a set \\varepsilon. In this study, we focus on users' comprehension of the privacy protection provided by a differential privacy mechanism. To do so, we study three variants of explaining the privacy protection provided by differential privacy: (1) the original mathematical definition; (2) \\varepsilon translated into a specific privacy risk; and (3) an explanation using the randomized response technique. We compare users' comprehension of privacy protection employing these explanatory models with their comprehension of privacy protection of k-anonymity as baseline comprehensibility. Our findings suggest that participants' comprehension of differential privacy protection is enhanced by the privacy risk model and the randomized response-based model. Moreover, our results confirm our intuition that privacy protection provided by k-anonymity is more comprehensible.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.2197/ipsjjip.31.812",
    "title": "On Rényi Differential Privacy in Statistics-based Synthetic Data Generation",
    "authors": [
      "Miura, Takayuki",
      "Shibahara, Toshiki",
      "Kii, Masanobu",
      "Ichikawa, Atsunori",
      "Yamamoto, Juko",
      "Chida, Koji"
    ],
    "date": "2023-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.2197/ipsjjip.31.812",
    "pdfUrl": "",
    "doi": "10.2197/ipsjjip.31.812",
    "abstract": "18 pages, 3 figures",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1007/978-3-031-41181-6_4",
    "title": "Smart Contract-Based E-Voting System Using Homomorphic Encryption and Zero-Knowledge Proof",
    "authors": [
      "Yuxiao Wu",
      "Shoji Kasahara"
    ],
    "date": "2023-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1007/978-3-031-41181-6_4",
    "pdfUrl": "",
    "doi": "10.1007/978-3-031-41181-6_4",
    "abstract": "",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.567,
    "venue": "ACNS Workshops",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::d88029dfc885abbe5eb8f7ba9f9cd561",
    "title": "Synthetic Data Generation and Differential Privacy using Tensor Networks' Matrix Product States (MPS)",
    "authors": [
      "R., Alejandro Moreno",
      "Fentaw, Desale",
      "Palmer, Samuel",
      "de Padua, Raúl Salles",
      "Dixit, Ninad",
      "Mugel, Samuel",
      "Orús, Roman",
      "Radons, Manuel",
      "Menter, Josef",
      "Abedi, Ali"
    ],
    "date": "2025-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.48550/arxiv.2508.06251",
    "pdfUrl": "",
    "doi": "10.48550/arxiv.2508.06251",
    "abstract": "10 pages",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::cd1ff111e27424429439e83aa2d81386",
    "title": "Secure and Privacy-Preserving Machine Learning in Healthcare using Partial Homomorphic Encryption",
    "authors": [
      "Jeevarag N P",
      "Jinson Devis"
    ],
    "date": "2024-04-16",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.5281/zenodo.11190691",
    "pdfUrl": "",
    "doi": "10.5281/zenodo.11190691",
    "abstract": "Abstract—Secure and privacy-preserving machine learning in healthcare has the potential to enhance diagnostics and treatment while protecting patient confidentiality. This paper introduces a framework that integrates partial homomorphic encryption (PHE) with machine learning to enable robust data analysis in medical settings. Leveraging PHE allows for the encryption of sensitive medical data to maintain privacy while still enabling computational operations needed for machine learning algorithms. The framework's goal is to assist healthcare institutions in maximizing the use of machine learning techniques while respecting patient privacy rights. Case studies and demonstrations illustrate the effectiveness of the framework in facilitating secure data analysis in healthcare, emphasizing its importance in advancing medical research and enhancing patient care.  Keywords—Secure Machine Learning, Privacy-Preserving Data Analysis, Homomorphic Encryption, Healthcare, Patient Confidentiality.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::09cbccb9d79dc70b8f3e88f14d78c32a",
    "title": "Secondary Analysis of Audio Data. Technical Procedures for Virtual Anonymization and Pseudonymization",
    "authors": [
      "Henning Pätzold"
    ],
    "date": "2005-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.17169/fqs-6.1.512",
    "pdfUrl": "",
    "doi": "10.17169/fqs-6.1.512",
    "abstract": "Forum Qualitative Sozialforschung / Forum: Qualitative Social Research, Vol 6, No 1 (2005): Secondary Analysis of Qualitative Data",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1177/00258024221118411",
    "title": "The European General Data Protection Regulation (GDPR) in mHealth: Theoretical and practical aspects for practitioners’ use",
    "authors": [
      "Carmi, Lior",
      "Zohar, Mishael",
      "Riva, Gianluigi M."
    ],
    "date": "2022-08-10",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1177/00258024221118411",
    "pdfUrl": "",
    "doi": "10.1177/00258024221118411",
    "abstract": "<jats:p> The extensive use of smart technology (smartphones and wearables) and the vast amount of information they contain have positioned remote devices and technology as a massive database resource. Harnessing these big data into the clinical and research fields has introduced a new horizon of possibilities along with significant privacy issues. A significant evolution in this respect has been the introduction of the new European Union (EU) General Data Protection Regulation (GDPR). The GDPR acknowledges that information related to individuals (i.e. personal data), as well as data flow, and thus databases, are of high political, clinical, and economic value. Hence, the Regulation aims to protect personal data and, consequentially, privacy. Nevertheless, the GDPR is a legal document with legal language. The purpose of this paper is to serve as a – practical guidance as well as a theoretical framework – for clinicians (and non-clinicians) who integrates digital tools in their clinical and research work. </jats:p>",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "Medicine, science, and the law",
    "language": "en"
  },
  {
    "id": "openaire:S1073110500023949",
    "title": "Lost in Anonymization — A Data Anonymization Reference Classification Merging Legal and Technical Considerations",
    "authors": [
      "Vokinger, Kerstin Noëlle",
      "Stekhoven, Daniel J",
      "Krauthammer, Michael"
    ],
    "date": "2020-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1177/1073110520917025",
    "pdfUrl": "",
    "doi": "10.1177/1073110520917025",
    "abstract": "",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1097/mlr.0b013e3182585355",
    "title": "Strategies for De-identification and Anonymization of Electronic Health Record Data for Use in Multicenter Research Studies",
    "authors": [
      "Clete A, Kushida",
      "Deborah A, Nichols",
      "Rik, Jadrnicek",
      "Ric, Miller",
      "James K, Walsh",
      "Kara, Griffin"
    ],
    "date": "2012-07-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1097/mlr.0b013e3182585355",
    "pdfUrl": "",
    "doi": "10.1097/mlr.0b013e3182585355",
    "abstract": "De-identification and anonymization are strategies that are used to remove patient identifiers in electronic health record data. The use of these strategies in multicenter research studies is paramount in importance, given the need to share electronic health record data across multiple environments and institutions while safeguarding patient privacy.Systematic literature search using keywords of de-identify, deidentify, de-identification, deidentification, anonymize, anonymization, data scrubbing, and text scrubbing. Search was conducted up to June 30, 2011 and involved 6 different common literature databases. A total of 1798 prospective citations were identified, and 94 full-text articles met the criteria for review and the corresponding articles were obtained. Search results were supplemented by review of 26 additional full-text articles; a total of 120 full-text articles were reviewed.A final sample of 45 articles met inclusion criteria for review and discussion. Articles were grouped into text, images, and biological sample categories. For text-based strategies, the approaches were segregated into heuristic, lexical, and pattern-based systems versus statistical learning-based systems. For images, approaches that de-identified photographic facial images and magnetic resonance image data were described. For biological samples, approaches that managed the identifiers linked with these samples were discussed, particularly with respect to meeting the anonymization requirements needed for Institutional Review Board exemption under the Common Rule.Current de-identification strategies have their limitations, and statistical learning-based systems have distinct advantages over other approaches for the de-identification of free text. True anonymization is challenging, and further work is needed in the areas of de-identification of datasets and protection of genetic information.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4281653602",
    "title": "General Data Protection Regulation (GDPR) Toolkit for Digital Health",
    "authors": [
      "Rada Hussein",
      "Daniela Wurhofer",
      "Eva-Maria Strumegger",
      "Andreas Stainer-Hochgatterer",
      "Stefan Tino Kulnik",
      "Rik Crutzen",
      "Josef Niebauer"
    ],
    "date": "2022",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.3233/shti220066",
    "pdfUrl": "https://ebooks.iospress.nl/pdf/doi/10.3233/SHTI220066",
    "doi": "https://doi.org/10.3233/shti220066",
    "abstract": "The General Data Protection Regulation (GDPR) entered into force on May 25, 2018. Compliance with GDPR is especially relevant to the Digital Health (DH) domain, as it is common to process highly sensitive personal data regarding a person's health. However, GDPR compliance is a very challenging process since it requires implementing several technical and organizational measures to maintain compliance. With the aim to facilitate this process, we reviewed the published best practices in GDPR compliance. Then, we customized the findings to fit into the DH domain and created a toolkit for GDPR implementation and compliance. The Activity Planning Tool (APT) is provided as an example of how this toolkit could be utilized in new application development in mobile health in Austria. In the case of our APT, the toolkit was very helpful in integrating the GDPR technical requirements in addition to creating the corresponding compliance impact assessment, processing agreements, privacy policy, data flowcharts, and compliance checklists.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "Studies in health technology and informatics",
    "language": "en"
  },
  {
    "id": "pubmed:32368505",
    "title": "Writing case reports, consent for publication and General Data Protection Regulation (GDPR).",
    "authors": [
      "Roguljić, Marija",
      "Ščepanović, Rea",
      "Rees, Margaret"
    ],
    "date": "2020-04-19",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1186/s41073-019-0062-x",
    "pdfUrl": "",
    "doi": "10.1186/s41073-019-0062-x",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "Case reports in women's health",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2995865201",
    "title": "To What Extent Does the EU General Data Protection Regulation (GDPR) Apply to Citizen Scientist-Led Health Research with Mobile Devices?",
    "authors": [
      "Edward S. Dove",
      "Jiahong Chen"
    ],
    "date": "2020",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1177/1073110520917046",
    "pdfUrl": "https://journals.sagepub.com/doi/pdf/10.1177/1073110520917046",
    "doi": "https://doi.org/10.1177/1073110520917046",
    "abstract": "In this article, we consider the possible application of the European General Data Protection Regulation (GDPR) to \"citizen scientist\"-led health research with mobile devices. We argue that the GDPR likely does cover this activity, depending on the specific context and the territorial scope. Remaining open questions that result from our analysis lead us to call for lex specialis that would provide greater clarity and certainty regarding the processing of health data by for research purposes, including these non-traditional researchers.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "The Journal of Law Medicine & Ethics",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3000746727",
    "title": "General Data Protection Regulation (GDPR) and Data Protection Act 2018: What does this mean for clinicians?",
    "authors": [
      "Bridget Francis"
    ],
    "date": "2020",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1136/archdischild-2018-316057",
    "pdfUrl": "",
    "doi": "https://doi.org/10.1136/archdischild-2018-316057",
    "abstract": "Do not panic this is an evolution not a revolution!\n\nHealthcare services, such as the National Health Service (NHS), have been working with data protection legislation for many years so there is little or no difference in the way in which we handle personal confidential information. However, the General Data Protection Regulation (GDPR)1 now provides enhanced rights for individuals.\n\nSo, what does this actually mean for you and your patients?\n\nEveryone who uses healthcare services should be able to trust that their personal confidential data are protected. People should be assured that those involved in their care, and in running and improving services, are using such information appropriately and only when absolutely necessary. Transparency is key and your organisation should have publicly available Privacy Notices describing how you process and share personal data. Personal confidential information should only be used if there is consent particularly for purposes outside of direct care, …",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "Archives of Disease in Childhood Education & Practice",
    "language": "en"
  },
  {
    "id": "pubmed:31088229",
    "title": "Review of a medical illustration department's data processing system to confirm general data protection regulation (GDPR) compliance.",
    "authors": [
      "Edwards, Simon"
    ],
    "date": "2019-05-15",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1080/17453054.2019.1594724",
    "pdfUrl": "",
    "doi": "10.1080/17453054.2019.1594724",
    "abstract": "This article reviews the clinical photography and video data processing and storage arrangements of the Medical Illustration Department (MID) at the Queen Elizabeth Hospital Birmingham National Health Service (NHS) Foundation Trust (QEHB), part of the University Hospitals Birmingham (UHB) NHS Foundation Trust umbrella group. This review suggests that the department's current workflow and technical processing solution satisfies the requirements of the general data protection regulation (GDPR). At the time of writing, there were no additional financial costs or technical skills required for implementing GDPR regulations but this could change in future data processing systems. There are significant potential costs for non-compliance with GDPR. Brexit is unlikely to have any effect on complying with GDPR requirements. The GDPR gives the public the right to access information and be informed of how and why it is processed. It is recommended that improved administrative processing capability to accommodate this requirement should be included in future data processing designs. At the QEHB informed consent for use of photographs and videos is currently adequate to satisfy the common law of confidence.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "Journal of visual communication in medicine",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2923390494",
    "title": "The Policy Effect of the General Data Protection Regulation (GDPR) on the Digital Public Health Sector in the European Union: An Empirical Investigation",
    "authors": [
      "Bocong Yuan",
      "Jiannan Li"
    ],
    "date": "2019",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.3390/ijerph16061070",
    "pdfUrl": "https://www.mdpi.com/1660-4601/16/6/1070/pdf?version=1553766789",
    "doi": "https://doi.org/10.3390/ijerph16061070",
    "abstract": "The rapid development of digital health poses a critical challenge to the personal health data protection of patients. The European Union General Data Protection Regulation (EU GDPR) works in this context; it was passed in April 2016 and came into force in May 2018 across the European Union. This study is the first attempt to test the effectiveness of this legal reform for personal health data protection. Using the difference-in-difference (DID) approach, this study empirically examines the policy influence of the GDPR on the financial performance of hospitals across the European Union. Results show that hospitals with the digital health service suffered from financial distress after the GDPR was published in 2016. This reveals that during the transition period (2016–2018), hospitals across the European Union indeed made costly adjustments to meet the requirements of personal health data protection introduced by this new regulation, and thus inevitably suffered a policy shock to their financial performance in the short term. The implementation of GDPR may have achieved preliminary success.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "International Journal of Environmental Research and Public Health",
    "language": "en"
  },
  {
    "id": "pubmed:30069435",
    "title": "How the writers of case reports need to consider and address consent and the General Data Protection Regulation (GDPR).",
    "authors": [
      "Cornock, Marc"
    ],
    "date": "2018-04-13",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1016/j.crwh.2018.e00060",
    "pdfUrl": "",
    "doi": "10.1016/j.crwh.2018.e00060",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "Case reports in women's health",
    "language": "en"
  },
  {
    "id": "pubmed:29959687",
    "title": "General Data Protection Regulation (GDPR) and paediatric medical practice in Ireland: a personal reflection.",
    "authors": [
      "Philip, Roy K"
    ],
    "date": "2018-06-29",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1007/s11845-018-1857-3",
    "pdfUrl": "",
    "doi": "10.1007/s11845-018-1857-3",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "Irish journal of medical science",
    "language": "en"
  },
  {
    "id": "dblp:conf/icadl/PapaioannouS18",
    "title": "The General Data Protection Regulation (GDPR, 2016/679/EE) and the (Big) Personal Data in Cultural Institutions: Thoughts on the GDPR Compliance Process.",
    "authors": [
      "Georgios Papaioannou",
      "Ioannis Sarakinos"
    ],
    "date": "2018",
    "platform": "dblp",
    "sourceUrl": "https://dblp.org/rec/conf/icadl/PapaioannouS18",
    "pdfUrl": "",
    "doi": "10.1007/978-3-030-04257-8_21",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "ICADL",
    "language": "en"
  },
  {
    "id": "dblp:conf/trustbus/Lambrinoudakis18",
    "title": "The General Data Protection Regulation (GDPR) Era: Ten Steps for Compliance of Data Processors and Data Controllers.",
    "authors": [
      "Costas Lambrinoudakis"
    ],
    "date": "2018",
    "platform": "dblp",
    "sourceUrl": "https://dblp.org/rec/conf/trustbus/Lambrinoudakis18",
    "pdfUrl": "",
    "doi": "10.1007/978-3-319-98385-1_1",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "TrustBus",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4399986746",
    "title": "An Exploratory Mixed-Methods Study on General Data Protection Regulation (GDPR) Compliance in Open-Source Software",
    "authors": [
      "Lucas Franke",
      "Huayu Liang",
      "Sahar Farzanehpour",
      "Aaron Brantly",
      "James C. Davis",
      "Chris Brown"
    ],
    "date": "2024",
    "platform": "OpenAlex",
    "sourceUrl": "http://arxiv.org/abs/2406.14724",
    "pdfUrl": "https://arxiv.org/pdf/2406.14724",
    "doi": "https://doi.org/10.48550/arxiv.2406.14724",
    "abstract": "Background: Governments worldwide are considering data privacy regulations. These laws, e.g. the European Union's General Data Protection Regulation (GDPR), require software developers to meet privacy-related requirements when interacting with users' data. Prior research describes the impact of such laws on software development, but only for commercial software. Open-source software is commonly integrated into regulated software, and thus must be engineered or adapted for compliance. We do not know how such laws impact open-source software development. Aims: To understand how data privacy laws affect open-source software development. We studied the European Union's GDPR, the most prominent such law. We investigated how GDPR compliance activities influence OSS developer activity (RQ1), how OSS developers perceive fulfilling GDPR requirements (RQ2), the most challenging GDPR requirements to implement (RQ3), and how OSS developers assess GDPR compliance (RQ4). Method: We distributed an online survey to explore perceptions of GDPR implementations from open-source developers (N=56). We further conducted a repository mining study to analyze development metrics on pull requests (N=31462) submitted to open-source GitHub repositories. Results: GDPR policies complicate open-source development processes and introduce challenges for developers, primarily regarding the management of users' data, implementation costs and time, and assessments of compliance. Moreover, we observed negative perceptions of GDPR from open-source developers and significant increases in development activity, in particular metrics related to coding and reviewing activity, on GitHub pull requests related to GDPR compliance. Conclusions: Our findings motivate policy-related resources and automated tools to support data privacy regulation implementation and compliance efforts in open-source software.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "arXiv (Cornell University)",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4398239205",
    "title": "A First Look at the General Data Protection Regulation (GDPR) in Open-Source Software",
    "authors": [
      "Lucas Franke",
      "Huayu Liang",
      "Aaron Brantly",
      "James C. Davis",
      "Chris Brown"
    ],
    "date": "2024",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1145/3639478.3643077",
    "pdfUrl": "https://dl.acm.org/doi/pdf/10.1145/3639478.3643077",
    "doi": "https://doi.org/10.1145/3639478.3643077",
    "abstract": "This poster describes work on the General Data Protection Regulation (GDPR) in open-source software. Although open-source software is commonly integrated into regulated software, and thus must be engineered or adapted for compliance, we do not know how such laws impact open-source software development.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "ICSE Companion",
    "language": "en"
  },
  {
    "id": "dblp:journals/compsec/MollaeefarR23",
    "title": "Identifying and quantifying trade-offs in multi-stakeholder risk evaluation with applications to the data protection impact assessment of the GDPR.",
    "authors": [
      "Majid Mollaeefar",
      "Silvio Ranise"
    ],
    "date": "2023",
    "platform": "dblp",
    "sourceUrl": "https://dblp.org/rec/journals/compsec/MollaeefarR23",
    "pdfUrl": "",
    "doi": "10.1016/J.COSE.2023.103206",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "Comput. Secur.",
    "language": "en"
  },
  {
    "id": "dblp:conf/blockchain/SchmelzPNG21",
    "title": "Towards Informational Self-determination: Data Portability Requests Based on GDPR by Providing Public Platforms for Authorised Minimal Invasive Privacy Protection.",
    "authors": [
      "Dominik Schmelz",
      "Karl Pinter",
      "Phillip Niemeier",
      "Thomas Grechenig"
    ],
    "date": "2021",
    "platform": "dblp",
    "sourceUrl": "https://dblp.org/rec/conf/blockchain/SchmelzPNG21",
    "pdfUrl": "",
    "doi": "10.1007/978-3-030-86162-9_11",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "BLOCKCHAIN",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3121737709",
    "title": "Compatibility of a Security Policy for a Cloud-based Healthcare System with the EU General Data Protection Regulation (GDPR)",
    "authors": [
      "Dimitra Georgiou",
      "Costas Lambrinoudakis"
    ],
    "date": "2020",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.20944/preprints202010.0577.v1",
    "pdfUrl": "https://www.preprints.org/manuscript/202010.0577/v1/download",
    "doi": "https://doi.org/10.20944/preprints202010.0577.v1",
    "abstract": "Currently, there are several challenges that Cloud-based health-care Systems, around the world, are facing. The most important issue is to ensure security and privacy or in other words to ensure the confidentiality, integrity and availability of the data. Although the main provisions for data security and privacy were present in the former legal framework for the protection of personal data, the General Data Protection Regulation (GDPR) introduces new concepts and new requirements. In this paper, we present the main changes and the key challenges of the General Data Protection Regulation, and also at the same time we present how the Cloud-based Security Policy methodology proposed in [1] could be modified in order to be compliant with the GDPR and how Cloud environments can assist developers to build secure and GDPR compliant Cloud-based health Systems. The major concept of this paper is, primarily, to facilitate Cloud Providers in comprehending the framework of the new General Data Protection Regulation and secondly, to identify security measures and security policy rules for the protection of sensitive data in a Cloud-based Health System, following our risk-based Security Policy Methodology that assesses the associated security risks and takes into account different requirements from patients, hospitals, and various other professional and organizational actors.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "Preprints.org",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2990724439",
    "title": "Design principles for the General Data Protection Regulation (GDPR): A formal concept analysis and its evaluation",
    "authors": [
      "Damian A. Tamburri"
    ],
    "date": "2019",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1016/j.is.2019.101469",
    "pdfUrl": "https://doi.org/10.1016/j.is.2019.101469",
    "doi": "https://doi.org/10.1016/j.is.2019.101469",
    "abstract": "Data and software are nowadays one and the same: for this very reason, the European Union (EU) and other governments introduce frameworks for data protection — a key example being the General Data Protection Regulation (GDPR). However, GDPR compliance is not straightforward: its text is not written by software or information engineers but rather, by lawyers and policy-makers. As a design aid to information engineers aiming for GDPR compliance, as well as an aid to software users’ understanding of the regulation, this article offers a systematic synthesis and discussion of it, distilled by the mathematical analysis method known as Formal Concept Analysis (FCA). By its principles, GDPR is synthesised as a concept lattice, that is, a formal summary of the regulation, featuring 144372 records — its uses are manifold. For example, the lattice captures so-called attribute implications, the implicit logical relations across the regulation, and their intensity. These results can be used as drivers during systems and services (re-)design, development, operation, or information systems’ refactoring towards more GDPR consistency.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "Information Systems",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2920976262",
    "title": "Mobile Apps for People with Dementia: Are They Compliant with the General Data Protection Regulation (GDPR)?",
    "authors": [
      "Joana Muchagata",
      "Ana Ferreira"
    ],
    "date": "2019",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.5220/0007352200680077",
    "pdfUrl": "https://doi.org/10.5220/0007352200680077",
    "doi": "https://doi.org/10.5220/0007352200680077",
    "abstract": "Mobile apps have the potential to improve the overall patients and caregivers’ quality of life and, particularly, of those with dementia. The ability to stimulate cognitive functions, keep the brain active and helping people to be as independent as possible in their daily lives are considered highly valued characteristics. But despite those advantages, there is a lack of security standards and guidelines focused on mobile apps and the general sense is that those provide low or no privacy/security and commonly do not comply with current regulations. We analysed eighteen apps with the ability to stimulate cognitive functions for people with dementia to verify if they were GDPR compliant. Results show that most analysed apps (78%) do not provide any information regarding how personal data are processed, and if they do, this is not clear. Also, users’ consent to allow that processing is rarely sought (11%). In conclusion, GDPR mandated requirements are still not implemented in most of the analysed mental health apps to ensure privacy and security in the interactions between users and mobile apps. This work intends to bring awareness to this issue to both researchers and developers, especially in the area of healthcare and mental health.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "HEALTHINF",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2892056081",
    "title": "Buchbesprechungen. Feiler, Lukas / Forgó, Nikolaus / Weigl, Michaela: The Eu General Data Protection Regulation (Gdpr): A Commentary",
    "authors": [
      "Joachim Scherer",
      "Gerd Kiparski"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.9785/cr-2018-340626",
    "pdfUrl": "",
    "doi": "https://doi.org/10.9785/cr-2018-340626",
    "abstract": "Article Buchbesprechungen. Feiler, Lukas / Forgó, Nikolaus / Weigl, Michaela: The Eu General Data Protection Regulation (Gdpr): A Commentary was published on June 1, 2018 in the journal Computer und Recht (volume 34, issue 6).",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "Computer und Recht",
    "language": "en"
  },
  {
    "id": "dblp:conf/ccs/SirurNW18",
    "title": "Are We There Yet?: Understanding the Challenges Faced in Complying with the General Data Protection Regulation (GDPR).",
    "authors": [
      "Sean Sirur",
      "Jason R. C. Nurse",
      "Helena Webb"
    ],
    "date": "2018",
    "platform": "dblp",
    "sourceUrl": "https://dblp.org/rec/conf/ccs/SirurNW18",
    "pdfUrl": "",
    "doi": "10.1145/3267357.3267368",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "MPS@CCS",
    "language": "en"
  },
  {
    "id": "dblp:conf/mie/Goncalves-Ferreira18",
    "title": "HS.Register - An Audit-Trail Tool to Respond to the General Data Protection Regulation (GDPR).",
    "authors": [
      "Duarte Nuno Gonçalves-Ferreira",
      "Mariana Leite",
      "Cátia Santos-Pereira",
      "Manuel Eduardo Correia",
      "Luis Filipe Coelho Antunes",
      "Ricardo Cruz-Correia"
    ],
    "date": "2018",
    "platform": "dblp",
    "sourceUrl": "https://dblp.org/rec/conf/mie/Goncalves-Ferreira18",
    "pdfUrl": "",
    "doi": "10.3233/978-1-61499-852-5-81",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "MIE",
    "language": "en"
  },
  {
    "id": "dblp:journals/corr/abs-2510-11299",
    "title": "How to Get Actual Privacy and Utility from Privacy Models: the k-Anonymity and Differential Privacy Families.",
    "authors": [
      "Josep Domingo-Ferrer",
      "David Sánchez 0001"
    ],
    "date": "2025",
    "platform": "dblp",
    "sourceUrl": "https://dblp.org/rec/journals/corr/abs-2510-11299",
    "pdfUrl": "",
    "doi": "10.48550/ARXIV.2510.11299",
    "abstract": "",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "CoRR",
    "language": "en"
  },
  {
    "id": "dblp:journals/jip/SaishoMIKO25",
    "title": "Active Synthetic Data Generation with Joint Consideration of Differential Privacy and Labeling Efficiency.",
    "authors": [
      "Osamu Saisho",
      "Takayuki Miura",
      "Kazuki Iwahana",
      "Masanobu Kii",
      "Rina Okada"
    ],
    "date": "2025",
    "platform": "dblp",
    "sourceUrl": "https://dblp.org/rec/journals/jip/SaishoMIKO25",
    "pdfUrl": "",
    "doi": "10.2197/IPSJJIP.33.1172",
    "abstract": "",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "J. Inf. Process.",
    "language": "en"
  },
  {
    "id": "dblp:conf/latincom/GomesCV23",
    "title": "Differential Privacy: Exploring Federated Learning Privacy Issue to Improve Mobility Quality.",
    "authors": [
      "Gabriel L. Gomes",
      "Felipe D. da Cunha",
      "Leandro A. Villas"
    ],
    "date": "2023",
    "platform": "dblp",
    "sourceUrl": "https://dblp.org/rec/conf/latincom/GomesCV23",
    "pdfUrl": "",
    "doi": "10.1109/LATINCOM59467.2023.10361884",
    "abstract": "",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "LATINCOM",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4406080953",
    "title": "Approximate homomorphic encryption based privacy-preserving machine learning: a survey",
    "authors": [
      "Jiangjun Yuan",
      "Weinan Liu",
      "Jiawen Shi",
      "Qingqing Li"
    ],
    "date": "2025",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1007/s10462-024-11076-8",
    "pdfUrl": "https://link.springer.com/content/pdf/10.1007/s10462-024-11076-8.pdf",
    "doi": "https://doi.org/10.1007/s10462-024-11076-8",
    "abstract": "Machine Learning (ML) is rapidly advancing, enabling various applications that improve people’s work and daily lives. However, this technical progress brings privacy concerns, leading to the emergence of Privacy-Preserving Machine Learning (PPML) as a popular research topic. In this work, we investigate the privacy protection topic in ML, and showcase the advantages of Homomorphic Encryption (HE) among different privacy-preserving techniques. Additionally, this work presents an introduction of approximate HE, emphasizing its advantages and providing the detail of some representative schemes. Moreover, we systematically review the related works about approximate HE based PPML schemes from the four technical applications and three advanced applications, along with their application scenarios, models and datasets. Finally, we suggest some potential future directions to guide readers in extending the research of PPML.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.567,
    "venue": "Artificial Intelligence Review",
    "language": "en"
  },
  {
    "id": "dblp:conf/africacrypt/NjungleK25",
    "title": "Activate Me!: Designing Efficient Activation Functions for Privacy-Preserving Machine Learning with Fully Homomorphic Encryption.",
    "authors": [
      "Nges Brian Njungle",
      "Michel A. Kinsy"
    ],
    "date": "2025",
    "platform": "dblp",
    "sourceUrl": "https://dblp.org/rec/conf/africacrypt/NjungleK25",
    "pdfUrl": "",
    "doi": "10.1007/978-3-031-97260-7_3",
    "abstract": "",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.567,
    "venue": "AFRICACRYPT",
    "language": "en"
  },
  {
    "id": "dblp:journals/jip/KobayashiFCNY25",
    "title": "km-anonymization Meets Differential Privacy under Sampling.",
    "authors": [
      "Masaya Kobayashi",
      "Atsushi Fujioka",
      "Koji Chida",
      "Akira Nagai",
      "Kan Yasuda"
    ],
    "date": "2025",
    "platform": "dblp",
    "sourceUrl": "https://dblp.org/rec/journals/jip/KobayashiFCNY25",
    "pdfUrl": "",
    "doi": "10.2197/IPSJJIP.33.646",
    "abstract": "",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "J. Inf. Process.",
    "language": "en"
  },
  {
    "id": "dblp:journals/kbs/ManzanaresSalorS25",
    "title": "Enhancing text anonymization via re-identification risk-based explainability.",
    "authors": [
      "Benet Manzanares-Salor",
      "David Sánchez 0001"
    ],
    "date": "2025",
    "platform": "dblp",
    "sourceUrl": "https://dblp.org/rec/journals/kbs/ManzanaresSalorS25",
    "pdfUrl": "",
    "doi": "10.1016/J.KNOSYS.2024.112945",
    "abstract": "",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "Knowl. Based Syst.",
    "language": "en"
  },
  {
    "id": "dblp:journals/digitalsociety/SasFM25",
    "title": "Personal Health Data in xR Games: Exploring Purpose Limitation in the General Data Protection Regulation and European Health Data Space Regulation.",
    "authors": [
      "Martin Sas",
      "Elora Fernandes",
      "Marta Musidlowska"
    ],
    "date": "2025",
    "platform": "dblp",
    "sourceUrl": "https://dblp.org/rec/journals/digitalsociety/SasFM25",
    "pdfUrl": "",
    "doi": "10.1007/S44206-025-00219-1",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "Digit. Soc.",
    "language": "en"
  },
  {
    "id": "dblp:journals/clsr/Calvi24",
    "title": "Data Protection Impact Assessment under the EU General Data Protection Regulation: A feminist reflection.",
    "authors": [
      "Alessandra Calvi"
    ],
    "date": "2024",
    "platform": "dblp",
    "sourceUrl": "https://dblp.org/rec/journals/clsr/Calvi24",
    "pdfUrl": "",
    "doi": "10.1016/J.CLSR.2024.105950",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "Comput. Law Secur. Rev.",
    "language": "en"
  },
  {
    "id": "dblp:journals/clsr/Demetzou19",
    "title": "Data Protection Impact Assessment: A tool for accountability and the unclarified concept of 'high risk' in the General Data Protection Regulation.",
    "authors": [
      "Katerina Demetzou"
    ],
    "date": "2019",
    "platform": "dblp",
    "sourceUrl": "https://dblp.org/rec/journals/clsr/Demetzou19",
    "pdfUrl": "",
    "doi": "10.1016/J.CLSR.2019.105342",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "Comput. Law Secur. Rev.",
    "language": "en"
  },
  {
    "id": "dblp:journals/corr/abs-2601-19893",
    "title": "Enabling SSI-Compliant Use of EUDI Wallet Credentials through Trusted Execution Environment and Zero-Knowledge Proof.",
    "authors": [
      "Nacereddine Sitouah",
      "Francesco Bruschi",
      "Stefano De Cillis"
    ],
    "date": "2026",
    "platform": "dblp",
    "sourceUrl": "https://dblp.org/rec/journals/corr/abs-2601-19893",
    "pdfUrl": "",
    "doi": "10.48550/ARXIV.2601.19893",
    "abstract": "",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.567,
    "venue": "CoRR",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2900704586",
    "title": "From Alexa to Siri and the GDPR: The Gendering of Virtual Personal Assistants and the Role of EU Data Protection Law",
    "authors": [
      "Nóra Ní Loideáin",
      "Rachel Adams"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.2139/ssrn.3281807",
    "pdfUrl": "https://doi.org/10.2139/ssrn.3281807",
    "doi": "https://doi.org/10.2139/ssrn.3281807",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "SSRN Electronic Journal",
    "language": "en"
  },
  {
    "id": "s2:86b0f7fa10fe1eccab0ed5beb50f0facfd74318e",
    "title": "Proposal of Differential Privacy Anonymization for IoT Applications Using MQTT Broker",
    "authors": [
      "Kentaro Morise",
      "Tokimasa Toyohara",
      "Hiroaki Nishi"
    ],
    "date": "2024-01-06",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/86b0f7fa10fe1eccab0ed5beb50f0facfd74318e",
    "pdfUrl": "http://xplorestaging.ieee.org/ielx7/10454139/10454627/10454877.pdf?arnumber=10454877",
    "doi": "10.1109/CCNC51664.2024.10454877",
    "abstract": "IoT applications require secure communication methods that protect personal information contained in communication data. This study focuses on MQTT, a low-cost protocol used for IoT communication, and proposes a mechanism to anonymize communication data between IoT and clients. MQTT is a publish-subscribe model of communication where a broker handles many-to-many communications among clients. Due to the concentration of communications on the broker, it is efficient to anonymize data there. Therefore, the proposed mechanism performs differential privacy anonymization of communication data on the MQTT broker. We also propose a mechanism to anonymize data according to anonymization criteria required by senders and receivers using topic names and user properties, which are features of MQTT. We implemented the proposed mechanism in an FPGA-based MQTT broker and confirmed that it achieves the same throughput and low latency as regular MQTT communication and satisfies IoT applications such as power control and automated driving that require sub-millisecond latency.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "Consumer Communications and Networking Conference",
    "language": "en"
  },
  {
    "id": "crossref:10.5040/9781526524812.schedule-009",
    "title": "EU-US Transfers: Trans-Atlantic Data Privacy Framework (replacing Privacy Shield)",
    "authors": [],
    "date": "2023",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.5040/9781526524812.schedule-009",
    "pdfUrl": "",
    "doi": "10.5040/9781526524812.schedule-009",
    "abstract": "",
    "topics": [
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Sector Regulations"
    ],
    "relevanceScore": 0.567,
    "venue": "Data Protection and Data Transfers Law",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2911752833",
    "title": "The Eu General Data Protection Regulation (Gdpr): A Practical Guide",
    "authors": [
      "Paul Voigt",
      "Axel von dem Bussche"
    ],
    "date": "2017",
    "platform": "OpenAlex",
    "sourceUrl": "http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=029688307&sequence=000001&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA",
    "pdfUrl": "",
    "doi": "https://doi.org/10.1007/978-3-031-62328-8",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2768181417",
    "title": "The EU General Data Protection Regulation (GDPR): European Regulation that has a Global Impact",
    "authors": [
      "Michelle Goddard"
    ],
    "date": "2017",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.2501/ijmr-2017-050",
    "pdfUrl": "",
    "doi": "https://doi.org/10.2501/ijmr-2017-050",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "International Journal of Market Research",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3211016066",
    "title": "GDPR - General Data Protection Regulation",
    "authors": [
      "Edison Luiz Gonçalves Fontes"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.63451/ti.v1i10.104",
    "pdfUrl": "https://www.direitoeti.com.br/direitoeti/article/download/104/101",
    "doi": "https://doi.org/10.63451/ti.v1i10.104",
    "abstract": "O presente artigo apresenta considerações iniciais sobre o Regulamento Geral de Proteção de Dados com validade a partir de 25 de maio de 2018, considerando que ele é um marco no tratamento da informação e impactará, de imediato ou em curto prazo, todas as organizações que utilizam a tecnologia da informação, inclusive as brasileiras.[...]",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "Direito & TI",
    "language": "pt"
  },
  {
    "id": "https://openalex.org/W2891108302",
    "title": "Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation – GDPR)",
    "authors": [
      "Marta Otto"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.5771/9783845266190-974",
    "pdfUrl": "",
    "doi": "https://doi.org/10.5771/9783845266190-974",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "Nomos Verlagsgesellschaft mbH & Co. KG eBooks",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3013316000",
    "title": "Online Customer Trust in the Context of the General Data Protection Regulation (GDPR)",
    "authors": [
      "Jingjing Zhang",
      "Farkhondeh Hassandoust",
      "Jocelyn Williams"
    ],
    "date": "2020",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.17705/1pais.12104",
    "pdfUrl": "",
    "doi": "https://doi.org/10.17705/1pais.12104",
    "abstract": "Background: A recent global survey found that almost half of Internet users who never buy online indicated lack of trust as the main reason. The General Data Protection Regulation (GDPR) is new legislation expected to provide the opportunity for organizations to improve their customer trust through personal data governance. Few studies explore online customer trust from the GDPR perspective. This study aims to fill this gap by drawing on the Technology Acceptance Model (TAM) and Self-Determination Theory (SDT), examining the antecedents of online customer trust from the GDPR perspective. The study also attempts to derive insights about the GDPR that may affect online customer trust, but which to date have little presence in frameworks of the antecedents of online trust. The main research questions are as follows. First, what are the impacts of perceived technology, perceived risks and perceived trustworthiness on online customer trust in the GDPR context? Second, what are the GDPR-specific factors that may affect online customer trust? Method: This positivist study used a survey strategy with a deductive approach to investigate the research questions. A questionnaire was designed for primary data collection as the basis for quantitative data analysis. Results: Data analysis confirmed that several GDPR-related trust antecedents – perceived security, perceived third-party assurance and perceived openness – are positively associated with online customer trust. This study offers new insights into the SDT adaptation that suggest the value of motivation theory for trust research in the GDPR context. This study also generates insights about the GDPR that may affect online customer trust. Conclusions: This study suggests that the GDPR plays a significant role in online customer trust by bringing about stronger rights and more transparency for online customers. 
Both the confirmation and insights are a contribution that can lead seemingly old-fashioned trust antecedents into a new application. Available at: https://aisel.aisnet.org/pajais/vol12/iss1/4/",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "Pacific Asia journal of the Association for Information Systems",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4303627787",
    "title": "The right to privacy and an implication of the EU General Data Protection Regulation (GDPR) in Europe: challenges to the companies",
    "authors": [
      "Simant Shankar Bharti",
      "Saroj Kumar Aryal"
    ],
    "date": "2022",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1080/14782804.2022.2130193",
    "pdfUrl": "",
    "doi": "https://doi.org/10.1080/14782804.2022.2130193",
    "abstract": "The article traces the European Union (EU)’s General Data Protection Regulation (GDPR) and implication in the Europe. In the era of global digitalisation, the right to respect private life, communication and the home has become a matter of protection. Protecting the right to privacy is a responsibility of a state which includes privacy of personal information, e.g. birth, messages, phone call and number and emails. Likewise, this study explains EU concern’s about its citizens’ privacy and the recent inclusion of the GDPR for the protection of natural persons. The article aims to explore individual fundamental rights and implications in the digital age, as well as cooperation data rules between companies and public bodies. At the same time, questions arise about the rightful implication of GDPR and the right to privacy of the public through protection, especially from tech companies. For validating the argument, various qualitative research methods were applied. The COVID-19 pandemic has raised a serious question over privacy rights protection by the government, which supports our findings that EU GDPR has a long road to go and have challenges. Its credibility of lawful data activities is also a matter of concern and a reliable promise by the member states and the EU.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "Journal of Contemporary European Studies",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4408334499",
    "title": "The impact of the General Data Protection Regulation (GDPR) on online tracking",
    "authors": [
      "Klaus M. Miller",
      "Karlo Lukic",
      "Bernd Skiera"
    ],
    "date": "2025",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1016/j.ijresmar.2025.03.002",
    "pdfUrl": "https://doi.org/10.1016/j.ijresmar.2025.03.002",
    "doi": "https://doi.org/10.1016/j.ijresmar.2025.03.002",
    "abstract": "This study explores the impact of the General Data Protection Regulation (GDPR) on online trackers—vital elements in the online advertising ecosystem. Using a difference-in-differences approach with a balanced panel of 294 publishers, it compares publishers subject to the GDPR with those unaffected (the control group). Drawing on data from WhoTracks.me , which spans 32 months from May 2017 to December 2019, it analyzes how the number of trackers used by publishers changed before and after the GDPR. The findings reveal that although online tracking increased for both groups, the rise was less significant for EU-based publishers subject to the GDPR. Specifically, the GDPR reduced about four trackers per publisher, equating to a 14.79 % decrease compared to the control group. The GDPR was particularly effective in curbing privacy-invasive trackers that collect and share personal data, thereby strengthening user privacy. However, it had a limited impact on advertising trackers and only slightly reduced the presence of analytics trackers.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "International Journal of Research in Marketing",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2912427167",
    "title": "Preparing Students for the Era of the General Data Protection Regulation (GDPR)",
    "authors": [
      "Maja Gligora Marković",
      "Sandra Debeljak",
      "Nikola Kadoić"
    ],
    "date": "2019",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.18421/tem81-21",
    "pdfUrl": "http://www.temjournal.com/content/81/TEMJournalFebruary2019_150_156.pdf",
    "doi": "https://doi.org/10.18421/tem81-21",
    "abstract": "One of the main goals of the General Data Protection Regulation (GDPR) is to protect the personal data of individuals. Each organization (company, association, school, institution, university, etc.) has an obligation to protect all of the individual data that it obtains. Those data can belong to employees, members, students, clients, etc. The research in this paper is related to the higher education students in Croatia. This study is being conducted in three parts. The first part was conducted in April of 2017 (N=159) and the second in April/May of 2018 (N=141), in a period before the GDPR became valid (May 25th, 2018). In this paper, we are analysing the results of the second part of the study. Additionally, we are discussing risks that might appear if students do not know the GDPR. Risk matrix results are used to represent a basis which higher education administrations can utilize to make corrective decisions. The main conclusion of the research is that there are still issues with understanding the basic concepts of personal data and the GDPR, which may cause some problems during studying process. The main recommendation for HEIs or students organizations (such as student councils) is to organize lectures and workshops related to the GDPR.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "TEM Journal",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3010985141",
    "title": "The European Union’s General Data Protection Regulation (GDPR)",
    "authors": [
      "Sérgio Tenreiro de Magalhães"
    ],
    "date": "2020",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1142/9789811204463_0015",
    "pdfUrl": "",
    "doi": "https://doi.org/10.1142/9789811204463_0015",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "WORLD SCIENTIFIC eBooks",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2952163446",
    "title": "Are we there yet? Understanding the challenges faced in complying with the General Data Protection Regulation (GDPR)",
    "authors": [
      "Sean Sirur",
      "Jason R. C. Nurse",
      "Helena Webb"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "http://arxiv.org/abs/1808.07338",
    "pdfUrl": "https://arxiv.org/pdf/1808.07338",
    "doi": "https://doi.org/10.48550/arxiv.1808.07338",
    "abstract": "The EU General Data Protection Regulation (GDPR), enforced from 25th May 2018, aims to reform how organisations view and control the personal data of private EU citizens. The scope of GDPR is somewhat unprecedented: it regulates every aspect of personal data handling, includes hefty potential penalties for non-compliance, and can prosecute any company in the world that processes EU citizens' data. In this paper, we look behind the scenes to investigate the real challenges faced by organisations in engaging with the GDPR. This considers issues in working with the regulation, the implementation process, and how compliance is verified. Our research approach relies on literature but, more importantly, draws on detailed interviews with several organisations. Key findings include the fact that large organisations generally found GDPR compliance to be reasonable and doable. The same was found for small-to-medium organisations (SMEs/SMBs) that were highly security-oriented. SMEs with less focus on data protection struggled to make what they felt was a satisfactory attempt at compliance. The main issues faced in their compliance attempts emerged from: the sheer breadth of the regulation; questions around how to enact the qualitative recommendations of the regulation; and the need to map out the entirety of their complex data networks.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "arXiv (Cornell University)",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4249509933",
    "title": "EU General Data Protection Regulation (GDPR) – An implementation and compliance guide, fourth edition",
    "authors": [
      "IT GOVERNANCE PRIVACY TEAM"
    ],
    "date": "2020",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.2307/j.ctv17f12pc",
    "pdfUrl": "https://doi.org/10.2307/j.ctv17f12pc",
    "doi": "https://doi.org/10.2307/j.ctv17f12pc",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "IT Governance Publishing eBooks",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2803444721",
    "title": "Challenges of General Data Protection Regulation (GDPR)",
    "authors": [
      "Dragan Savić",
      "Mladen Veinović"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.15308/sinteza-2018-23-30",
    "pdfUrl": "http://portal.sinteza.singidunum.ac.rs/Media/files/2018/23-30.pdf",
    "doi": "https://doi.org/10.15308/sinteza-2018-23-30",
    "abstract": "The aim of this paper is The General Data Protection Regulation (GDPR), an overview of current achievements in this domain within the framework of existing knowledge in literature, international standards and the best practice as far as the GDPR is concerned",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2958575648",
    "title": "Editorial: Artificial intelligence, customized communications, privacy, and the General Data Protection Regulation (GDPR)",
    "authors": [
      "Charles R. Taylor"
    ],
    "date": "2019",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1080/02650487.2019.1618032",
    "pdfUrl": "",
    "doi": "https://doi.org/10.1080/02650487.2019.1618032",
    "abstract": "We have reached the point where advertisers face a dilemma in the online environment as consumers increasingly expect messages to be relevant and even targeted to but simultaneously have concerns a...",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "International Journal of Advertising",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3186704557",
    "title": "Un General Data Protection Regulation (GDPR) non molto general",
    "authors": [
      "Elena Bougleux"
    ],
    "date": "2021",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.4000/aam.4098",
    "pdfUrl": "https://journals.openedition.org/aam/pdf/4098",
    "doi": "https://doi.org/10.4000/aam.4098",
    "abstract": "La ricerca antropologica e in generale quella sociale si trovano ad affrontare le restrizioni e le nuove procedure di gestione dei dati stabilite dalla nuova regolamentazione europea, entrata in vigore nel 2018. Prima di entrare nel merito tecnico di cosa sia ancora possibile fare e di come poterlo fare nel rispetto della regolamentazione vigente, il saggio si chiede in che misura il concetto di dato per come inteso dal GDPR si adatti al caso della nostra disciplina. Il saggio analizza la genesi e la specificità dei dati antropologici, principalmente di quelli etnografici, affronta le questioni epistemologiche e procedurali poste dalla diversa natura dei dati in antropologia e in altre discipline del sapere, e richiama varie tradizioni di studi – in filosofia, storia, critica culturale e linguistica – che hanno approfondito il tema della genesi della conoscenza, contribuendo a mettere in luce la limitatezza e i rischi di un approccio che propone una gestione unica per una molteplicità di circostanze della ricerca assai variabile e non riducibile.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "Archivio antropologico mediterraneo",
    "language": "it"
  },
  {
    "id": "s2:9a8b6d3bdb99132f681161fbc721a9ac158ce55e",
    "title": "Protected how? Problem representations of risk in the General Data Protection Regulation (GDPR)",
    "authors": [
      "M. Padden",
      "Andreas Öjehag‐Pettersson"
    ],
    "date": "2021-05-20",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/9a8b6d3bdb99132f681161fbc721a9ac158ce55e",
    "pdfUrl": "https://www.tandfonline.com/doi/pdf/10.1080/19460171.2021.1927776?needAccess=true",
    "doi": "10.1080/19460171.2021.1927776",
    "abstract": "ABSTRACT How we choose to utilize digital technology has the potential to undermine the healthy functioning of democratic systems. Surveillance practices such as the tracking, collection and profiling of our online and real-world behavior pose a direct challenge to privacy rights and democratic freedoms such as fairness and anti-discrimination. This paper aims to understand how the GDPR represents risk and, in turn, how that representation shapes protection. Using Carol Bacchi’s ‘What’s the Problem Represented to Be?’ (WPR) approach to policy analysis, we illustrate how the GDPR’s dual aims of protecting both people and the free flow of personal data exist in a state of tension and that the GDPR’s framing of ‘public interest’ privileges economic growth over individual rights. Also problematic is the assumption that people are sufficiently informed to exercise control over their data, yet are being asked to agree to practices which may undermine that very autonomy.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "Critical Policy Studies",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2805691443",
    "title": "Global Convergence of Data Privacy Standards and Laws: Speaking Notes for the European Commission Events on the Launch of the General Data Protection Regulation (GDPR) in Brussels &amp; New Delhi, 25 May 2018",
    "authors": [
      "Graham Greenleaf"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.2139/ssrn.3184548",
    "pdfUrl": "https://doi.org/10.2139/ssrn.3184548",
    "doi": "https://doi.org/10.2139/ssrn.3184548",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "SSRN Electronic Journal",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2960120584",
    "title": "General Data Protection Regulation and Horizon 2020 Ethics Review Process: Ethics Compliance under GDPR",
    "authors": [
      "Albena Kuyumdzhieva"
    ],
    "date": "2019",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.12681/bioeth.20832",
    "pdfUrl": "https://ejournals.epublishing.ekt.gr/index.php/bioethica/article/download/20832/18011",
    "doi": "https://doi.org/10.12681/bioeth.20832",
    "abstract": "The present manuscript examines the new ethics data protection requirements introduced for the research projects funded by the European Programme Horizon 2020.Initially, reference is made to the basic data protection principles introduced by the General Data Protection Regulation (GDPR) and the derogations permitted in the research field in favor of the science advancement. Although these derogations are subject to a number of safeguards to protect personal data, new ethics requirements are introduced for research projects funded by the European Programme Horizon 2020. The aim of these safeguards is the increased transparency and accountability at the data processing and the consequent enhanced protection of the individuals’ rights. These requirements are geared to the main research ethics postulate, which requires free, voluntary and informed participation of the research subject.Under these new requirements, Horizon 2020 beneficiaries/applicants must comply with a set of predefined standards, reflecting their ethical and legal obligations, provide a detailed and precise description of the technical and organisational measures that will be implemented in order to safeguard the rights of the research participants and also demonstrate their observance. In addition, depending on the type of the data being processed and the data processing techniques, the H2020 applicants/beneficiaries may need to provide a number of additional documents/explanations and implement further measures.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "Bioethica",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3214955558",
    "title": "Beyond the ‘Brussels Effect’? Kenya’s Data Protection Act (DPA) 2019 and the European Union’s General Data Protection Regulation (GDPR) 2018",
    "authors": [
      "Hellen Mukiri‐Smith",
      "Ronald Leenes"
    ],
    "date": "2021",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.21552/edpl/2021/4/7",
    "pdfUrl": "",
    "doi": "https://doi.org/10.21552/edpl/2021/4/7",
    "abstract": "This paper conducts an analysis of several key provisions of the Kenyan Data Protection Act 2019 (DPA) and the European Union's General Data Protection Regulation (GDPR) 2018. Analysis is carried out through the lens of 'the Brussels Effect' theory developed by Anu Bradford to understand ways in which the GDPR has impacted the development and content of the DPA, and areas where the DPA is different from the GDPR. We argue that while the DPA has been influenced by the Brussels effect, other country specific contextual factors including 'the Huduma Effect' have helped to shape the DPA. Key Words: Data Governance | GDPR | Kenya Data Protection Act | Brussel's Effect | Huduma Effect and Other Contextual Influences",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "European Data Protection Law Review",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2772072272",
    "title": "HL7 Standards and Components to Support Implementation of the European General Data Protection Regulation (GDPR)",
    "authors": [
      "Alexander Mense",
      "Bernd Blobel"
    ],
    "date": "2017",
    "platform": "OpenAlex",
    "sourceUrl": "http://doi.org/10.24105/ejbi.2017.13.1.5",
    "pdfUrl": "https://doi.org/10.24105/ejbi.2017.13.1.5",
    "doi": "https://doi.org/10.24105/ejbi.2017.13.1.5",
    "abstract": "Objec ves: Aiming to strengthen EU ci zens' fundamental privacy rights in the digital age the new European General Data Protec on Regula on shall apply from May 25th 2018. It will require companies processing personal data to implement a set of organiza onal and technical controls for ensuring proper handling of these data. Obviously this applies for companies providing eHealth services. As HL7 off ers a lot of material to support security and privacy for handling personal healthcare data, this paper aims at showing which HL7 standards and components can be used to support the implementa on of GDPR related controls.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "European Journal for Biomedical Informatics",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2941040893",
    "title": "Living with the New General Data Protection Regulation (GDPR)",
    "authors": [
      "Mark Foulsham"
    ],
    "date": "2019",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1007/978-3-030-14511-8_5",
    "pdfUrl": "",
    "doi": "https://doi.org/10.1007/978-3-030-14511-8_5",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "Financial Compliance",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2902323747",
    "title": "The Impact of the European General Data Protection Regulation (GDPR) on Future Data Business Models: Toward a New Paradigm and Business Opportunities",
    "authors": [
      "Sébastien Ziegler",
      "Emilia Evequoz",
      "Ana Maria Pacheco Huamani"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1007/978-3-319-96902-2_8",
    "pdfUrl": "",
    "doi": "https://doi.org/10.1007/978-3-319-96902-2_8",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2782976874",
    "title": "The Impact of the new European General Data Protection Regulation (GDPR) on the Information Governance Toolkit in Health and Social Care with Special Reference to Primary Care in England",
    "authors": [
      "Ignatius Ndumbe Shu",
      "Hamid Jahankhani"
    ],
    "date": "2017",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1109/ccc.2017.16",
    "pdfUrl": "",
    "doi": "https://doi.org/10.1109/ccc.2017.16",
    "abstract": "The desire for eHealth systems (technology) is ever growing as public institutions (governments), healthcare providers, and its users (patients) see the gains that could possibly arise from having systems like databases of patient health information in a single place which will facilitate the way healthcare can be access by patients and their caregivers. The aim of this paper is to provide a supportive environment for the health and social care workplace with special reference in the Primary Care sector in England on the impact and changes to the information governance toolkit (IGTK) as a result of the new European General Data Protection Regulation (GDPR) which will be implemented in full from May 2018 as agreed by the UK Government thereby replacing the UK Data Protection Act of 1998. These challenges will also include the implementation of the National Data Guardian (NDG) review of data security and opt-outs amongst others.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2988835451",
    "title": "EU General Data Protection Regulation (GDPR), third edition",
    "authors": [
      "IT GOVERNANCE PRIVACY TEAM"
    ],
    "date": "2019",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.2307/j.ctvr7fcwb",
    "pdfUrl": "",
    "doi": "https://doi.org/10.2307/j.ctvr7fcwb",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "IT Governance Publishing eBooks",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4283803391",
    "title": "The General Data Protection Regulation (GDPR) for Risk Mitigation in the Insurance Industry",
    "authors": [
      "Claire Farrugia",
      "Simon Grima",
      "Kiran Sood"
    ],
    "date": "2022",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1108/978-1-80262-605-620221017",
    "pdfUrl": "",
    "doi": "https://doi.org/10.1108/978-1-80262-605-620221017",
    "abstract": "Abstract Purpose: This chapter sets out to lay out and analyse the effectiveness of the General Data Protection Regulation (GDPR), a recently established European Union (EU) regulation, in the local insurance industry. Methodology: This was done through a systematic literature review to determine what has already been done and then a survey as a primary research tool to gather information. The survey was aimed at clients and employees of insurance entities. Findings: The general results are that effectiveness can be segmented into different factors and vary regarding the respondents’ confidence. Other findings include that the GDPR has increased costs, and its expectations are unclear. These findings suggest that although the GDPR was influential in the insurance market, some issues about this regulation still exist. Conclusions: GDPR fulfils its purposes; however, the implementation process of this regulation can be facilitated if better guidelines are issued for entities to follow to understand its expectations better and follow the law and fulfil its purposes most efficiently. Practical implications: These conclusions imply that the GDPR can be improved in the future. Overall, as a regulation, it is suitable for the different member states of the EU, including small states like Malta.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3114131644",
    "title": "Using GDPR to Improve Legal Clarity and Working Conditions on Digital Labour Platforms: Can a Code of Conduct as Provided for by Article 40 of the General Data Protection Regulation (GDPR) Help Workers and Socially Responsible Platforms?",
    "authors": [
      "Hannah Johnston",
      "M. Six Silberman"
    ],
    "date": "2020",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.2139/ssrn.3699338",
    "pdfUrl": "https://doi.org/10.2139/ssrn.3699338",
    "doi": "https://doi.org/10.2139/ssrn.3699338",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "SSRN Electronic Journal",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4200148553",
    "title": "Internet of Things (IoT): Data Security and Privacy Concerns under the General Data Protection Regulation (GDPR)",
    "authors": [
      "Olumide Babalola"
    ],
    "date": "2021",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.5121/csit.2021.112324",
    "pdfUrl": "https://doi.org/10.5121/csit.2021.112324",
    "doi": "https://doi.org/10.5121/csit.2021.112324",
    "abstract": "Internet of Things (IoT) refers to the seamless communication and interconnectivity of multiple devices within a certain network enabled by sensors and other technologies facilitating unusual processing of personal data for the performance of a certain goal. This article examines the various definitions of the IoT from technical and socio-technical perspectives and goes ahead to describe some practical examples of IoT by demonstrating their functionalities vis a vis the anticipated privacy and information security implications. Predominantly, the article discusses the information security and privacy risks posed by the operationality of IoT as envisaged under the EU GDPR and makes a few recommendations on how to address the risks.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "Natural Language Processing",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4362563319",
    "title": "Clarifying 'Personal Data' and the Role of Anonymisation in Data Protection Law: Including and Excluding Data from the Scope of the GDPR (More Clearly) Through Refining the Concept of Data Protection",
    "authors": [
      "Valentin Rupp",
      "Maximilian von Grafenstein"
    ],
    "date": "2023",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.2139/ssrn.4409587",
    "pdfUrl": "https://doi.org/10.2139/ssrn.4409587",
    "doi": "https://doi.org/10.2139/ssrn.4409587",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "SSRN Electronic Journal",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4409836034",
    "title": "Impact of General Data Protection Regulation (GDPR) on Data Breach Response Strategies (DBRS)",
    "authors": [
      "Chris Gilbert",
      "Mercy Abiola Gilbert"
    ],
    "date": "2025",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.47772/ijriss.2025.914mg0061",
    "pdfUrl": "",
    "doi": "https://doi.org/10.47772/ijriss.2025.914mg0061",
    "abstract": "In today’s digital landscape, data breaches have emerged as a significant threat, endangering both organizations and individuals by exposing sensitive information. The introduction of the General Data Protection Regulation (GDPR) by the European Union in May 2018 has profoundly reshaped global data privacy standards. This regulation not only enforces strict data protection measures within the EU but also extends its reach to organizations worldwide, compelling them to enhance their data breach response strategies. This paper examines the substantial impact of GDPR on how organizations manage data breaches, emphasizing the necessity for proactive measures and well-structured response protocols. By analyzing key provisions of GDPR, particularly the mandatory breach notifications outlined in the surveyed literature, the study underscores the critical role of Data Protection Officers (DPOs) and the importance of collaboration between data controllers and processors. Through case studies across diverse sectors—including aviation, hospitality, healthcare, and finance—the paper illustrates the varied implications of GDPR compliance and the severe consequences of non-compliance. The findings reveal that while GDPR introduces significant compliance challenges, it also fosters a culture of enhanced data security and trust. Organizations are encouraged to adopt advanced technical measures such as encryption and intrusion detection systems, conduct regular security audits, and engage in continuous employee training to mitigate risks and ensure compliance. Ultimately, this paper demonstrates that effective GDPR compliance not only minimizes the risks associated with data breaches but also provides organizations with a competitive advantage in the increasingly data-driven global economy.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "International Journal of Research and Innovation in Social Science",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2982380801",
    "title": "GENERAL DATA PROTECTION REGULATION (GDPR) DAN KEDAULATAN NEGARA NON-UNI EROPA",
    "authors": [
      "Yohanes Hermanto Sirait"
    ],
    "date": "2019",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.32662/golrev.v2i2.704",
    "pdfUrl": "https://jurnal.unigo.ac.id/index.php/golrev/article/download/704/377",
    "doi": "https://doi.org/10.32662/golrev.v2i2.704",
    "abstract": "Generally, the GDPR applies to data processing activities conducted by organisations established in the European Union (EU). But in certain activities, GDPR may also apply outside EU according to extra-teritorial principle. This principle has correlation to concept of sovereignty in international law. This article aims to examine whether a state must abide to GDPR when the requirement fulfiled or should the states use their sovereignty as a basis to deny it. This article is normative legal research. It focus on case-law, statutes and other legal source as primary and subsidiary source. The analysis is deductive by reasoning from more general to more specific. The result show that extra-teritorial principle under GDPR is in accordance to international law. The practice is common in the world in order to protect the citizen and national interest from any threat from abroad. The chance of overlapping between this principles with state’s sovereignty is hardly to occur as the principle only works when the interest of European citizen violated.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "Gorontalo Law Review",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3015598833",
    "title": "Private FL-GAN: Differential Privacy Synthetic Data Generation Based on Federated Learning",
    "authors": [
      "Bangzhou Xin",
      "Wei Yang",
      "Yangyang Geng",
      "Sheng Chen",
      "Shaowei Wang",
      "Liusheng Huang"
    ],
    "date": "2020",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1109/icassp40776.2020.9054559",
    "pdfUrl": "",
    "doi": "https://doi.org/10.1109/icassp40776.2020.9054559",
    "abstract": "Generative Adversarial Network (GAN) has already made a big splash in the field of generating realistic \"fake\" data. However, when data is distributed and data-holders are reluctant to share data for privacy reasons, GAN’s training is difficult. To address this issue, we propose private FL-GAN, a differential privacy generative adversarial network model based on federated learning. By strategically combining the Lipschitz limit with the differential privacy sensitivity, the model can generate high-quality synthetic data without sacrificing the privacy of the training data. We theoretically prove that private FL-GAN can provide strict privacy guarantee with differential privacy, and experimentally demonstrate our model can generate satisfactory data.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3204342778",
    "title": "Federated synthetic data generation with differential privacy",
    "authors": [
      "Bangzhou Xin",
      "Yangyang Geng",
      "Teng Hu",
      "Sheng Chen",
      "Wei Yang",
      "Shaowei Wang",
      "Liusheng Huang"
    ],
    "date": "2021",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1016/j.neucom.2021.10.027",
    "pdfUrl": "",
    "doi": "https://doi.org/10.1016/j.neucom.2021.10.027",
    "abstract": "",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "Neurocomputing",
    "language": "en"
  },
  {
    "id": "s2:ac092b010ed7f5152dd5d701ed54680133eb3c3b",
    "title": "GuardML: Efficient Privacy-Preserving Machine Learning Services Through Hybrid Homomorphic Encryption",
    "authors": [
      "E. Frimpong",
      "Khoa Nguyen",
      "Mindaugas Budzys",
      "Tanveer Khan",
      "A. Michalas"
    ],
    "date": "2024-01-26",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/ac092b010ed7f5152dd5d701ed54680133eb3c3b",
    "pdfUrl": "https://dl.acm.org/doi/pdf/10.1145/3605098.3635983",
    "doi": "10.1145/3605098.3635983",
    "abstract": "Machine Learning (ML) has emerged as one of data science's most transformative and influential domains. However, the widespread adoption of ML introduces privacy-related concerns owing to the increasing number of malicious attacks targeting ML models. To address these concerns, Privacy-Preserving Machine Learning (PPML) methods have been introduced to safeguard the privacy and security of ML models. One such approach is the use of Homomorphic Encryption (HE). However, the significant drawbacks and inefficiencies of traditional HE render it impractical for highly scalable scenarios. Fortunately, a modern cryptographic scheme, Hybrid Homomorphic Encryption (HHE), has recently emerged, combining the strengths of symmetric cryptography and HE to surmount these challenges. Our work seeks to introduce HHE to ML by designing a PPML scheme tailored for end devices. We leverage HHE as the fundamental building block to enable secure learning of classification outcomes over encrypted data, all while preserving the privacy of the input data and ML model. We demonstrate the real-world applicability of our construction by developing and evaluating an HHE-based PPML application for classifying heart disease based on sensitive ECG data. Notably, our evaluations revealed a slight reduction in accuracy compared to inference on plaintext data. Additionally, both the analyst and end devices experience minimal communication and computation costs, underscoring the practical viability of our approach. The successful integration of HHE into PPML provides a glimpse into a more secure and privacy-conscious future for machine learning on relatively constrained end devices.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.567,
    "venue": "ACM Symposium on Applied Computing",
    "language": "en"
  },
  {
    "id": "s2:1fda440226e81df93610f6d77dc51375afd5a2dc",
    "title": "A Survey of Deep Learning Architectures for Privacy-Preserving Machine Learning With Fully Homomorphic Encryption",
    "authors": [
      "Robert Podschwadt",
      "Daniel Takabi",
      "Peizhao Hu",
      "M. Rafiei",
      "Zhipeng Cai"
    ],
    "date": "2022",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/1fda440226e81df93610f6d77dc51375afd5a2dc",
    "pdfUrl": "https://ieeexplore.ieee.org/ielx7/6287639/6514899/09936637.pdf",
    "doi": "10.1109/ACCESS.2022.3219049",
    "abstract": "Outsourced computation for neural networks allows users access to state-of-the-art models without investing in specialized hardware and know-how. The problem is that the users lose control over potentially privacy-sensitive data. With homomorphic encryption (HE), a third party can perform computation on encrypted data without revealing its content. In this paper, we reviewed scientific articles and publications in the particular area of Deep Learning Architectures for Privacy-Preserving Machine Learning (PPML) with Fully HE. We analyzed the changes to neural network models and architectures to make them compatible with HE and how these changes impact performance. Next, we find numerous challenges to HE-based privacy-preserving deep learning, such as computational overhead, usability, and limitations posed by the encryption schemes. Furthermore, we discuss potential solutions to the HE PPML challenges. Finally, we propose evaluation metrics that allow for a better and more meaningful comparison of PPML solutions.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.567,
    "venue": "IEEE Access",
    "language": "en"
  },
  {
    "id": "s2:8b4288ff6fbf83d1293ee81a5a671d4f6a0a9a32",
    "title": "A privacy preserving federated learning scheme using homomorphic encryption and secret sharing",
    "authors": [
      "Zhaosen Shi",
      "Zeyu Yang",
      "Alzubair Hassan",
      "Fagen Li",
      "Xuyang Ding"
    ],
    "date": "2022-12-08",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/8b4288ff6fbf83d1293ee81a5a671d4f6a0a9a32",
    "pdfUrl": "",
    "doi": "10.1007/s11235-022-00982-3",
    "abstract": "",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.567,
    "venue": "Telecommunications Systems",
    "language": "en"
  },
  {
    "id": "s2:ead0a14c96261f996054aeebd6c1164937639dfa",
    "title": "An Advanced Semantic Feature-Based Cross-Domain PII Detection, De-Identification, and Re-Identification Model Using Ensemble Learning",
    "authors": [
      "Poornima Kulkarni",
      "C. K",
      "Hemavathy R"
    ],
    "date": "2024",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/ead0a14c96261f996054aeebd6c1164937639dfa",
    "pdfUrl": "",
    "doi": "10.14569/ijacsa.2024.0151277",
    "abstract": "The digital data being core to any system requires communication across peers and human machine interfaces; however, ensuring (data) security and privacy remains a challenge for the industries, especially under the threat of man-in-the-middle attacks, intruders and even ill-intended unauthorized access at warehouses. Almost all digital communication practices embody personally identifiable information (PII) like an individual's address, contact details, identification credentials etc. The unauthorized or ill-intended access to these PII attributes can cause major losses to the individual and therefore it is inevitable to identify and de-identify aforesaid PII elements across digital platforms to preserve privacy. Unfortunately, the diversity of PII attributes across disciplines makes it challenging for state-of-arts to perform PII detection by using a predefined dictionary. The model developed for a specific PII type can’t be universally viable for other disciplines. Moreover, applying multiple dictionaries for the different disciplines can make a solution more exhaustive. To alleviate these challenges, in this paper a robust ensemble of ensemble learning assisted semantic feature driven cross-discipline PII detection and de-identification model (EESD-PII) is proposed. To achieve it, a large set of text queries encompassing diverse PII attributes including personal credentials, healthcare data, finance attributes etc. were considered for training based PII detection and classification. The input texts were processed for the different preprocessing tasks including stopping-word removal, punctuation removal, website-link removal, lower case conversion, lemmatization and tokenization. The tokenized text was processed for Word2Vec driven continuous bag-of-word (CBOW) embedding that not only provided latent feature space for analytics but also enabled de-identification to preserve security aspects. To address class-imbalance problems, synthetic minority over-sampling techniques like SMOTE, SMOTE-BL, SMOTE-ENN were applied. Subsequently, the resampled features were processed for the feature selection by using Wilcoxon Rank Sum Test (WRST) method that in sync with 95% confidence interval retained the most significant features. The selected features were processed for Min-Max Normalization to alleviate over-fitting and convergence problems, while the normalized feature vector was classified by using ensemble of ensemble learning model encompassing Bagging, Boosting, AdaBoost, Random Forest and Extra Tree Classifier as base classifier. The proposed model performed a consensus-based majority voting ensemble to annotate each text-query as PII or Non-PII data. The positively annotated query can later be processed for dictionary-based PII attribute masking to achieve de-identification. Though, the use of semantic embedding serves the purpose towards NLP-based PII detection, de identification and re-identification tasks. The simulation results reveal that the proposed EESD-PII model achieves PII annotation accuracy of 99.77%, precision 99.81%, recall 99.63% and F-Measure of 99.71%.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "International Journal of Advanced Computer Science and Applications",
    "language": "en"
  },
  {
    "id": "s2:400f2bb0e4f1f3367b248df05788f9a310c81606",
    "title": "Enhancing Security in Geographic Information Systems: Anonymization and Differential Privacy Techniques for Protecting Sensitive Geospatial Data",
    "authors": [
      "Rahul Marri",
      "Sriram Varanasi",
      "Satwik Varma Kalidindi Chaitanya",
      "Sai Krishna Marri"
    ],
    "date": "2024-10-10",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/400f2bb0e4f1f3367b248df05788f9a310c81606",
    "pdfUrl": "https://ojs.boulibrary.com/index.php/JAIGS/article/download/240/186",
    "doi": "10.60087/jaigs.v5i1.240",
    "abstract": "As Geographic Information Systems (GIS) increasingly facilitate the analysis and sharing of geospatial data, the protection of sensitive information becomes paramount. This research explores the implementation of anonymization and differential privacy techniques to enhance security in GIS. Anonymization methods effectively remove or obscure personally identifiable information from geospatial datasets, while differential privacy introduces a mathematical framework that allows for the sharing of aggregate data without compromising individual privacy. This study evaluates the strengths and weaknesses of these techniques, demonstrating their effectiveness in maintaining the utility of geospatial data while safeguarding sensitive information. Through case studies and comparative analysis, we provide insights into best practices for integrating these privacy-preserving strategies into GIS applications, ensuring compliance with legal regulations and fostering public trust in geospatial technologies.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "Journal of Artificial Intelligence General science (JAIGS) ISSN:3006-4023",
    "language": "en"
  },
  {
    "id": "s2:7cbb97f2747d89c40e863f66f74be3d1dc357a91",
    "title": "Data anonymization: a novel optimal k-anonymity algorithm for identical generalization hierarchy data in IoT",
    "authors": [
      "Waranya Mahanan",
      "W. Chaovalitwongse",
      "J. Natwichai"
    ],
    "date": "2020-02-27",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/7cbb97f2747d89c40e863f66f74be3d1dc357a91",
    "pdfUrl": "",
    "doi": "10.1007/s11761-020-00287-w",
    "abstract": "",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "Service Oriented Computing and Applications",
    "language": "en"
  },
  {
    "id": "s2:0fe600a714634a8ea797af61b18f3df4b4618e24",
    "title": "A Comprehensive Review on Face Recognition Methods and Factors Affecting Facial Recognition Accuracy",
    "authors": [
      "Shahina Anwarul",
      "Susheela Dahiya"
    ],
    "date": "2019",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/0fe600a714634a8ea797af61b18f3df4b4618e24",
    "pdfUrl": "",
    "doi": "10.1007/978-3-030-29407-6_36",
    "abstract": "",
    "topics": [
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "s2:e5fd0167f7eb6811a3c8eab1d338c028d04a9ade",
    "title": "Portugal ∙ Profiling the Portuguese Data Protection Officer in the Context of GDPR",
    "authors": [
      "J. Pereira",
      "A. Cepa",
      "P. Carneiro António Pinto",
      "P. Pinto"
    ],
    "date": "2022",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/e5fd0167f7eb6811a3c8eab1d338c028d04a9ade",
    "pdfUrl": "",
    "doi": "10.21552/edpl/2022/4/13",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "European Data Protection Law Review",
    "language": "en"
  },
  {
    "id": "s2:4077937bb95bed415452c099269402a24ee91b8b",
    "title": "Internet of Things and the Legal Issues related to the Data Protection Law according to the new European General Data Protection Regulation",
    "authors": [
      "Nicola Fabiano"
    ],
    "date": "2017-06-30",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/4077937bb95bed415452c099269402a24ee91b8b",
    "pdfUrl": "https://doi.org/10.30958/ajl.3-3-2",
    "doi": "10.30958/AJL.3-3-2",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "s2:a2f16d1e77c8f37859309071abad2beb9d336f5b",
    "title": "An Extensive Study on Data Anonymization Algorithms Based on K-Anonymity",
    "authors": [
      "M. Simi",
      "K. S. Nayaki",
      "M. Elayidom"
    ],
    "date": "2017-08-01",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/a2f16d1e77c8f37859309071abad2beb9d336f5b",
    "pdfUrl": "https://doi.org/10.1088/1757-899x/225/1/012279",
    "doi": "10.1088/1757-899X/225/1/012279",
    "abstract": "For business and research oriented works engaging Data Analysis and Cloud services needing qualitative data, many organizations release huge microdata. It excludes an individual’s explicit identity marks like name, address and comprises of specific information like DOB, Pin-code, sex, marital status, which can be combined with other public data to recognize a person. This implication attack can be manipulated to acquire any sensitive information from social network platform, thereby putting the privacy of a person in grave danger. To prevent such attacks by modifying microdata, K-anonymization is used. With potentially increasing data, the effective method to anonymize it stands challenging. After series of trails and systematic comparison, in this paper, we propose three best algorithms along with its efficiency and effectiveness. Studies help researchers to identify the relationship between the values of k, degree of anonymization, choosing a quasi-identifier and focus on execution time.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "s2:049edeec748d463cf1935249ce64e48866faff4f",
    "title": "Extending l-Diversity for Better Data Anonymization",
    "authors": [
      "Hongwei Tian",
      "Weining Zhang"
    ],
    "date": "2009-04-27",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/049edeec748d463cf1935249ce64e48866faff4f",
    "pdfUrl": "",
    "doi": "10.1109/ITNG.2009.144",
    "abstract": "",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "2009 Sixth International Conference on Information Technology: New Generations",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2999181345",
    "title": "General data protection regulation: opportunities and risks of the implementation of GDPR in tourism",
    "authors": [
      "Mariusz Kędzior",
      "Mirela Sadowska"
    ],
    "date": "2019",
    "platform": "OpenAlex",
    "sourceUrl": "http://doi.org/10.15240/tul/004/2019-3-006",
    "pdfUrl": "https://doi.org/10.15240/tul/004/2019-3-006",
    "doi": "https://doi.org/10.15240/tul/004/2019-3-006",
    "abstract": "The article is an attempt to answer the most frequently asked questions regarding the processing of personal data in the tourism industry. It is an attempt to explain the basic definitions regarding the protection of personal data. It specifies duties that should be fulfilled by organisers, tour operators and hotel and boarding house owners in order to ensure that the processing of data of natural persons is in line with the GDPR. It also specifies risks connected with personal data processing and opportunities to ensure the security of data processed by tourism service providers.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "ACC Journal",
    "language": "en"
  },
  {
    "id": "doaj:ed0bc1db6bdb490681cbf96189f34501",
    "title": "Identidad, cesión de datos personales y la decisión Privacy Shield tras la STJUE Schrems II",
    "authors": [
      "Tomás Gabriel García-Micó",
      "Ignacio García-Perrote Martínez"
    ],
    "date": "2020",
    "platform": "doaj",
    "sourceUrl": "https://raco.cat/index.php/InDret/article/view/375259",
    "pdfUrl": "",
    "doi": "",
    "abstract": "",
    "topics": [
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Sector Regulations"
    ],
    "relevanceScore": 0.567,
    "venue": "InDret",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2799851540",
    "title": "Επιχειρησιακές επιπτώσεις του νέου Γενικού Κανονισμού Προστασίας Δεδομένων - General Data Protection Regulation 2016/679 (ΓΚΠΔ/GDPR)",
    "authors": [
      "Ευάγγελος Θεοδωράκης"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "https://dione.lib.unipi.gr/xmlui/handle/unipi/11194",
    "pdfUrl": "https://dione.lib.unipi.gr/xmlui/handle/unipi/11194",
    "doi": "",
    "abstract": "Η παρούσα εργασία πραγματοποιήθηκε στο πλαίσιο συγγραφής της διπλωματικής εργασίας του προγράμματος μεταπτυχιακών σπουδών «Τεχνοοικονομική Διοίκηση και Ασφάλεια Ψηφιακών Συστημάτων» του τμήματος Ψηφιακών Συστημάτων του Πανεπιστημίου Πειραιώς. Το θέμα της διπλωματικής είναι: «Επιχειρησιακές επιπτώσεις του νέου Γενικού Κανονισμού Προστασίας Δεδομένων - General Data Protection Regulation 2016/679 (ΓΚΠΔ/GDPR)». Ο Ευρωπαϊκός κανονισμός είναι μια νομική πράξη της Ευρωπαϊκής Ένωσης που είναι δεσμευτική ως προς όλα τα μέρη του και ισχύει σε όλες τις χώρες μέλη της Ευρωπαϊκής Ένωσης. Ο ΓΚΠΔ/GDPR αφορά την προστασία των φυσικών προσώπων έναντι της επεξεργασίας δεδομένων προσωπικού χαρακτήρα και την ελεύθερη κυκλοφορία των δεδομένων αυτών και πρόκειται να αντικαταστήσει την Οδηγία του Ευρωπαϊκού Κοινοβουλίου 95/46/ΕΚ (24/10/1995) «για την προστασία των φυσικών προσώπων έναντι της επεξεργασίας δεδομένων προσωπικού χαρακτήρα και για την ελεύθερη κυκλοφορία των δεδομένων αυτών». Ο ΓΚΠΔ έχει κάποια χαρακτηριστικά Οδηγίας στο μέτρο που επιτρέπει στα κράτη μέλη εθνικές ρυθμίσεις για ορισμένες περιπτώσεις, όπως π.χ. για την ελάχιστη ηλικία συναίνεσης των ανηλίκων (που τίθεται στα 15 χρόνια στο ελληνικό νομοσχέδιο που τέθηκε σε διαβούλευση και στα 13 χρόνια από το αντίστοιχο κυπριακό που θα δημοσιοποιηθεί προσεχώς). Η ψήφιση του ΓΚΠΔ/GDPR έγινε στις 27 Απριλίου 2016 και η εφαρμογή του θα γίνει στις 25 Μαΐου 2018. Οι επιχειρήσεις - οργανισμοί θα πρέπει να συμμορφωθούν μέχρι την ημερομηνία εφαρμογής του κανονισμού. Στην εργασία αυτή μελετήθηκε η δημιουργία πρακτικού οδηγού, βήμα προς βήμα, συμμόρφωσης ενός οργανισμού με το νέο κανονισμό. Μέσα σε αυτήν αναλύεται η μεθοδολογία που ακολουθήθηκε για την δόμηση του οδηγού και η παρουσίαση αυτού. Πιο συγκεκριμένα, στο πρώτο κεφάλαιο, γίνεται συνοπτική αναφορά στο περιεχόμενο του ΓΚΠΔ/GDPR. Δίνεται μια περιγραφή του νομικού πλαισίου που καθορίζει τους κανόνες για όλους τους εμπλεκομένους. Αναλύονται οι αρμοδιότητες, τα δικαιώματα και οι υποχρεώσεις του καθενός. Στη συνέχεια, στο δεύτερο κεφάλαιο, παρουσιάζεται το πρακτικό μέρος της παρούσας εργασίας. Εδώ περιλαμβάνεται η μεθοδολογία δημιουργίας του οδηγού. Αναλύονται τα στάδια που οδήγησαν στην τελική μορφή του οδηγού και τα εργαλεία που δημιουργήθηκαν για αυτόν. Στο επόμενο κεφάλαιο, τρίτο κατά σειρά, παρουσιάζεται ο οδηγός με τα έξι βήματα που οδηγούν έναν οργανισμό - επιχείρηση στη συμμόρφωση με τον κανονισμό. Τα βήματα περιλαμβάνουν τον τρόπο δράσης από την αρχική κατάσταση του οργανισμού μέχρι και τη μέγιστη δυνατή συμμόρφωση. Στο τέταρτο κεφάλαιο προκύπτουν τα συμπεράσματα από την εμπειρία δημιουργίας του οδηγού. Αναφέρονται τα δυνατά και τα αδύνατα του σημεία καθώς και οι προτάσεις για μελλοντική βελτίωση.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "Dione (University of Piraeus)",
    "language": "el"
  },
  {
    "id": "arxiv:1703.02577",
    "title": "SAFETY: Secure gwAs in Federated Environment Through a hYbrid solution with Intel SGX and Homomorphic Encryption",
    "authors": [
      "Md Nazmus Sadat",
      "Md Momin Al Aziz",
      "Noman Mohammed",
      "Feng Chen",
      "Shuang Wang",
      "Xiaoqian Jiang"
    ],
    "date": "2017-03-07",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/1703.02577v1",
    "pdfUrl": "https://arxiv.org/pdf/1703.02577v1",
    "doi": "",
    "abstract": "Recent studies demonstrate that effective healthcare can benefit from using the human genomic information. For instance, analysis of tumor genomes has revealed 140 genes whose mutations contribute to cancer. As a result, many institutions are using statistical analysis of genomic data, which are mostly based on genome-wide association studies (GWAS). GWAS analyze genome sequence variations in order to identify genetic risk factors for diseases. These studies often require pooling data from different sources together in order to unravel statistical patterns or relationships between genetic variants and diseases. In this case, the primary challenge is to fulfill one major objective: accessing multiple genomic data repositories for collaborative research in a privacy-preserving manner. Due to the sensitivity and privacy concerns regarding the genomic data, multi-jurisdictional laws and policies of cross-border genomic data sharing are enforced among different regions of the world. In this article, we present SAFETY, a hybrid framework, which can securely perform GWAS on federated genomic datasets using homomorphic encryption and recently introduced secure hardware component of Intel Software Guard Extensions (Intel SGX) to ensure high efficiency and privacy at the same time. Different experimental settings show the efficacy and applicability of such hybrid framework in secure conduction of GWAS. To the best of our knowledge, this hybrid use of homomorphic encryption along with Intel SGX is not proposed or experimented to this date. Our proposed framework, SAFETY is up to 4.82 times faster than the best existing secure computation technique.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:2409.06422",
    "title": "A Pervasive, Efficient and Private Future: Realizing Privacy-Preserving Machine Learning Through Hybrid Homomorphic Encryption",
    "authors": [
      "Khoa Nguyen",
      "Mindaugas Budzys",
      "Eugene Frimpong",
      "Tanveer Khan",
      "Antonis Michalas"
    ],
    "date": "2024-09-10",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2409.06422v1",
    "pdfUrl": "https://arxiv.org/pdf/2409.06422v1",
    "doi": "",
    "abstract": "Machine Learning (ML) has become one of the most impactful fields of data science in recent years. However, a significant concern with ML is its privacy risks due to rising attacks against ML models. Privacy-Preserving Machine Learning (PPML) methods have been proposed to mitigate the privacy and security risks of ML models. A popular approach to achieving PPML uses Homomorphic Encryption (HE). However, the highly publicized inefficiencies of HE make it unsuitable for highly scalable scenarios with resource-constrained devices. Hence, Hybrid Homomorphic Encryption (HHE) -- a modern encryption scheme that combines symmetric cryptography with HE -- has recently been introduced to overcome these challenges. HHE potentially provides a foundation to build new efficient and privacy-preserving services that transfer expensive HE operations to the cloud. This work introduces HHE to the ML field by proposing resource-friendly PPML protocols for edge devices. More precisely, we utilize HHE as the primary building block of our PPML protocols. We assess the performance of our protocols by first extensively evaluating each party's communication and computational cost on a dummy dataset and show the efficiency of our protocols by comparing them with similar protocols implemented using plain BFV. Subsequently, we demonstrate the real-world applicability of our construction by building an actual PPML application that uses HHE as its foundation to classify heart disease based on sensitive ECG data.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:1101.2604",
    "title": "On Sampling, Anonymization, and Differential Privacy: Or, k-Anonymization Meets Differential Privacy",
    "authors": [
      "Ninghui Li",
      "Wahbeh Qardaji",
      "Dong Su"
    ],
    "date": "2011-01-13",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/1101.2604v2",
    "pdfUrl": "https://arxiv.org/pdf/1101.2604v2",
    "doi": "",
    "abstract": "This paper aims at answering the following two questions in privacy-preserving data analysis and publishing: What formal privacy guarantee (if any) does $k$-anonymization provide? How to benefit from the adversary's uncertainty about the data? We have found that random sampling provides a connection that helps answer these two questions, as sampling can create uncertainty. The main result of the paper is that $k$-anonymization, when done \"safely\", and when preceded with a random sampling step, satisfies $(ε,δ)$-differential privacy with reasonable parameters. This result illustrates that \"hiding in a crowd of $k$\" indeed offers some privacy guarantees. This result also suggests an alternative approach to output perturbation for satisfying differential privacy: namely, adding a random sampling step in the beginning and pruning results that are too sensitive to change of a single tuple. Regarding the second question, we provide both positive and negative results. On the positive side, we show that adding a random-sampling pre-processing step to a differentially-private algorithm can greatly amplify the level of privacy protection. Hence, when given a dataset resulted from sampling, one can utilize a much large privacy budget. On the negative side, any privacy notion that takes advantage of the adversary's uncertainty likely does not compose. We discuss what these results imply in practice.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|od______2751::cf73e6bf988511c3117e931f99432222",
    "title": "GDPR for Researchers:General Data Protection Regulation",
    "authors": [
      "Stevner, Lene",
      "Sandøe, Peter"
    ],
    "date": "2018-01-01",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=50|od______2751::cf73e6bf988511c3117e931f99432222",
    "pdfUrl": "",
    "doi": "",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:oai:usir.salford.ac.uk:60049",
    "title": "General Data Protection Regulation (GDPR), Artificial Intelligence (AI) and UK organisations : a year of implementation of GDPR",
    "authors": [
      "Addis, C",
      "Kutar, MS"
    ],
    "date": "2020-04-01",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=oai:usir.salford.ac.uk:60049",
    "pdfUrl": "",
    "doi": "",
    "abstract": "The General Data Protection Regulation (GDPR) became enforceable in May 2018 and its impact is globally\\ud significant. Meanwhile, a growing number of organisations are increasingly adopting AI technologies. This paper\\ud explores the effects of the GDPR on UK companies adopting or using AI technologies. A survey of AI, Data\\ud Protection and technology experts is presented, the analysis of which provides some early insights into the praxis of\\ud GDPR and AI in operational contexts. Whilst a growing body of research focuses on AI ethics and the impact of\\ud algorithms, this project highlights other important concerns emerging from the introduction and use of AI\\ud technologies. The findings indicate that few organisations are fully compliant with the requirements of the GDPR,\\ud which is not unexpected given the novelty of the regulation and the complexity of the technology. Other elements\\ud which can impact compliance and innovation were less predictable. Therefore, we recommend adopting a holistic\\ud approach to the management of personal data and AI.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|phd_tilb__nl::745373c91097c37452eede3fcfd3f6f3",
    "title": "Nothing personal: the concepts of anonymization and pseudonymization in European Data Protection",
    "authors": [
      "Stoitsev, F.A."
    ],
    "date": "2016-01-01",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=50|phd_tilb__nl::745373c91097c37452eede3fcfd3f6f3",
    "pdfUrl": "",
    "doi": "",
    "abstract": "",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:https://ec.europa.eu/research/participants/documents/downloadPublic?documentIds=080166e50aaefdf4",
    "title": "Interim report on Data anonymization, de-anonymization and Synthetic data generation techniques, tools and services",
    "authors": [],
    "date": "",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=https://ec.europa.eu/research/participants/documents/downloadPublic?documentIds=080166e50aaefdf4",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Interim report on Data anonymization, de-anonymization and Synthetic data generation techniques, tools and services",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2899409594",
    "title": "The General Data Protection Regulation (GDPR), emerging technologies and UK organisations : awareness, implementation and readiness",
    "authors": [
      "Maria Chiara Addis",
      "Maria Kutar"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "https://aisel.aisnet.org/ukais2018/29",
    "pdfUrl": "https://aisel.aisnet.org/cgi/viewcontent.cgi?article=1028&context=ukais2018",
    "doi": "",
    "abstract": "The GDPR will be enforceable in May 2018 and its impact is expected to be significant, both in Europe and outside Europe. To date, many UK organisations are still unaware of the new legislation, with most still focused on the first implementation stage. A high number of organisations are expected not to be GDPR compliant, and therefore potentially liable to high sanctions. This paper draws upon research on the GDPR and organisations in the UK, carried out in 2017. The research intended to explore the relation between the GDPR and emerging technologies, and the impact of the new legislations on adopters of emerging technologies. The study aimed to understand knowledge, implementation and impact of the new legislation, its relation to emerging technologies and its future in the UK, particularly considering the impact of Brexit. The research results can help to understand the current state of awareness and implementation of the new data protection legislation in the UK.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "Journal of the Association for Information Systems",
    "language": "en"
  },
  {
    "id": "dblp:journals/iacr/BakasS26",
    "title": "When Only Parts Matter: Efficient Privacy-Preserving Analytics with Fully Homomorphic Encryption.",
    "authors": [
      "Alexandros Bakas",
      "Dimitrios Schoinianakis"
    ],
    "date": "2026",
    "platform": "dblp",
    "sourceUrl": "https://dblp.org/rec/journals/iacr/BakasS26",
    "pdfUrl": "",
    "doi": "",
    "abstract": "",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.567,
    "venue": "IACR Cryptol. ePrint Arch.",
    "language": "en"
  },
  {
    "id": "dblp:conf/cesar/Joye22",
    "title": "FHE: End-to-End Encryption for Everyone (keynote abstract).",
    "authors": [
      "Marc Joye"
    ],
    "date": "2022",
    "platform": "dblp",
    "sourceUrl": "https://dblp.org/rec/conf/cesar/Joye22",
    "pdfUrl": "https://ceur-ws.org/Vol-3329/keynote-02.pdf",
    "doi": "",
    "abstract": "",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.567,
    "venue": "C&amp;ESAR",
    "language": "en"
  },
  {
    "id": "hal:5452223",
    "title": "The relational impacts following a violation of the General Data Protection Regulation (GDPR)",
    "authors": [
      "Pauline Roques",
      "David Vidal",
      "Anne-Sophie Cases"
    ],
    "date": "2025-06-25",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-05452223v1",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Although the General Data Protection Regulation is a legal requirement, its implementation by companies remains inconsistent. This study aims to (1) categorize GDPR violations through a qualitative study with digital marketing professionals and (2) assess their impact on customer relationships through an experimental study. Five violation types are identified and classified as intentional/unintentional and active/passive. Results show that unintentional failures (due to error or incapacity) lead to weaker retaliation intentions than omissions or malicious acts. However, ignorance is not considered more acceptable than omissions. Consumers expect companies to stay informed about data regulations, highlighting the need for tools supporting GDPR compliance.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:5104247",
    "title": "Certification mechanisms in the General Data Protection Regulation (GDPR)",
    "authors": [
      "Claire Levallois-Barth"
    ],
    "date": "2019-01-01",
    "platform": "hal",
    "sourceUrl": "https://shs.hal.science/halshs-05104247v1",
    "pdfUrl": "",
    "doi": "",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:2554432",
    "title": "The Right to Be Forgotten in the European Union: Enforcement in the Court of Justice and Amendment to the Proposed General Data Protection Regulation",
    "authors": [
      "W. Gregory Voss"
    ],
    "date": "2014-07-01",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-02554432v1",
    "pdfUrl": "",
    "doi": "",
    "abstract": "This article analyzes the famous Google Spain case (May 13, 2014) of the Court of Justice of the European Union and its recognition of a form of \"the right to be forgotten\", allowing individuals to request the delisting of their personal data from search engines if certain conditions are met. In doing so, it puts the right to be forgotten into the context of ongoing discussions on reform of the European Union's data protection Framework and amendments in the European Parliament to the Proposed General Data Protection Regulation.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "Journal of Internet Law",
    "language": "en"
  },
  {
    "id": "eurlex:52016XX0715",
    "title": "Executive summary of the opinion of the European Data Protection Supervisor on the EU-US Privacy Shield draft adequacy decision",
    "authors": [],
    "date": "2016-07-15",
    "platform": "eurlex",
    "sourceUrl": "https://eur-lex.europa.eu/legal-content/AUTO/?uri=CELEX:52016XX0715(01)",
    "pdfUrl": "",
    "doi": "",
    "abstract": "",
    "topics": [
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Sector Regulations"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2966457557",
    "title": "Protection of persons in connection with profiling : development in EU law in view of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)",
    "authors": [
      "Cynthia Maria Duncan"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "https://www.um.edu.mt/library/oar/handle/123456789/40466",
    "pdfUrl": "",
    "doi": "",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3048841412",
    "title": "The Effect of the European Union (EU) General Data Protection Regulation (GDPR) on the Gaming Industry",
    "authors": [
      "Zaniah Jordan"
    ],
    "date": "2020",
    "platform": "OpenAlex",
    "sourceUrl": "https://scholars.law.unlv.edu/glj/vol10/iss2/6",
    "pdfUrl": "https://scholars.law.unlv.edu/cgi/viewcontent.cgi?article=1172&context=glj",
    "doi": "",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "eYLS (Yale Law School)",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3045350272",
    "title": "Binding Effects of the European General Data Protection Regulation (GDPR) on U.S. Companies",
    "authors": [
      "Manuel Klar"
    ],
    "date": "2020",
    "platform": "OpenAlex",
    "sourceUrl": "https://repository.uchastings.edu/hastings_science_technology_law_journal/vol11/iss2/2",
    "pdfUrl": "https://repository.uchastings.edu/cgi/viewcontent.cgi?article=1095&context=hastings_science_technology_law_journal",
    "doi": "",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "eYLS (Yale Law School)",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3011394991",
    "title": "The EU’s General Data Protection Regulation (GDPR) in a Research Context -- Fundamentals of Clinical Data Science",
    "authors": [
      "Paul Kubben",
      "Michel Dumontier",
      "André Dekker"
    ],
    "date": "2019",
    "platform": "OpenAlex",
    "sourceUrl": "https://www.ncbi.nlm.nih.gov/pubmed/31314241",
    "pdfUrl": "",
    "doi": "",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2972350286",
    "title": "The GDPR Handbook: A Guide to Implementing the EU General Data Protection Regulation",
    "authors": [
      "Ardi Kolah"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "http://bvbr.bib-bvb.de:8991/F?func=service&amp;doc_library=BVB01&amp;local_base=BVB01&amp;doc_number=030137353&amp;sequence=000001&amp;line_number=0001&amp;func_code=DB_RECORDS&amp;service_type=MEDIA",
    "pdfUrl": "",
    "doi": "",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2952157705",
    "title": "General Data Protection Regulation (GDPR): Prioritizing Resources",
    "authors": [
      "Jennifer Dumas"
    ],
    "date": "2019",
    "platform": "OpenAlex",
    "sourceUrl": "https://digitalcommons.law.seattleu.edu/sulr/vol42/iss3/6",
    "pdfUrl": "https://digitalcommons.law.seattleu.edu/cgi/viewcontent.cgi?article=2602&context=sulr",
    "doi": "",
    "abstract": "This Article will discuss and analyze the years of preparation for the GDPR and provide recommendations for dealing with the GDPR forevermore. It will assess whether the preparation and panic were worth it. In other words, was the time, expense, and distraction my peers and I expended and experienced over the past years proportionate to the requirements and impact of the GDPR? Further, was the high level of preparation and panic many legal departments in countless companies undertook and experienced appropriate now that we have had a chance to see the initial impact of the GDPR?",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "Seattle University law review",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3004671530",
    "title": "GDPR Compliance: Understanding the General Data Protection Regulation",
    "authors": [
      "Jan Trzaskowski",
      "Max Gersvang Sørensen"
    ],
    "date": "2019",
    "platform": "OpenAlex",
    "sourceUrl": "https://vbn.aau.dk/da/publications/07924595-515c-4bbd-8294-02667740de51",
    "pdfUrl": "",
    "doi": "",
    "abstract": "The processing of personal data plays an increasingly important role in our modern information society. This book guides the reader through the legal framework—including case law—relating to the processing of personal data in the European Union and provides tools to ensure compliance by businesses.<br/><br/>This revised second edition is up-to-date as of 1 August 2022 and includes the text of the General Data Protection Regulation for easy access and annotation.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "VBN Forskningsportal (Aalborg Universitet)",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3003198897",
    "title": "The Global Diffusion of the 'General Data Protection regulation' (GDPR)",
    "authors": [
      "Ivy Hu"
    ],
    "date": "2019",
    "platform": "OpenAlex",
    "sourceUrl": "https://thesis.eur.nl/pub/50756/Hu-Ivy.pdf",
    "pdfUrl": "",
    "doi": "",
    "abstract": "On May 25th, 2018, the European Union’s ‘General Data Protection Regulation’ (GDPR) went into effect. The EU regulation placed stricter rules regarding the controlling and processing of individuals’ data. The GDPR made a lot of noise because suddenly all companies, organizations and public bodies holding and processing personal data of European citizens, regardless of geographical location, had to comply with the requirements of the EU law. The extraterritorial impact of the regulation was very much apparent as countries around the globe are increasingly adopting similar standards set by the GDPR into their domestic law. The EU is a powerful economic and political actor and can pressure or coerce non-EU countries to align with the GDPR. On the other hand, the GDPR is currently the most innovative and comprehensive data protection model in the world, and countries might want to associate themselves with having the same high standards.\r\nThe main aim of this research was to examine how the EU created a global data protection standard through the GDPR. The chosen research design is a co-variation analysis. The thesis analyzed the economic, political, cultural and legal factors of why countries beyond the EU would want to adopt\r\nGDPR-like standards. Moreover, whether the diffusion happened through processes of coercion or attraction. Japan and the United States have been selected as case studies to determine why both countries have aligned with principles set by the GDPR. The research findings revealed that the diffusion of the GDPR to Japan and the US occurred through processes of economic coercion rather than attraction. The results indicated that data protection is extremely important, not only for increasing bilateral relations, but also as an instrument to reinforce international trade. 
Furthermore, the diffusion of the GDPR is part of the global trend, caused by major data scandals, to take the protection of personal data more seriously, as well as pushing companies toward greater accountability when using consumers’ data. The EU effectively used bilateral negotiations and economic incentives to promote the GDPR in Europe and beyond, and in this way created a global standard on data protection.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3004012823",
    "title": "Processing of personal and medical data by judicial institutions in the context of the enforcement of Regulation EU 2016/679 – General Data Protection Regulation (GDPR)",
    "authors": [
      "Radu Dumitrescu"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "https://doaj.org/article/b87a970bc8ab4a59a83d091c16d7dad4",
    "pdfUrl": "https://doaj.org/article/b87a970bc8ab4a59a83d091c16d7dad4",
    "doi": "",
    "abstract": "The protection of patients’ personal and medical data has always been an important subject for medical practice, with explicit regulations being implemented. Whether we are talking about civil and criminal codes or laws governing the medical profession, they all seek to protect fundamental human rights. The confidentiality of medical data is maintained even after the death of the patient, this aspect being governed since the profiling of the physician profession through the Hippocratic Oath. Discussions on privacy and confidentiality occupy an important place in sociological, medical, legal, ethical and anthropological literature. There are references to the benefits gained by improving accessibility to data as they migrate to computer environments. Along with the technological evolution, all of this data has been transferred to electronic systems. A major concern with the trend towards electronic health records focuses on protecting privacy and patient confidentiality (Vanderminden and Potter, 2016). Data transfer, as well as their processing through many computer systems belonging to different public and private entities, brings new challenges at the individual and social level. Under the protection afforded by the right of individuals to access to information and the current tendency to ease access to information, a number of institutions have created online portals that manage a huge amount of data. The way these data are processed in accordance with the rights of the individual remains an issue that is not fully resolved. On the occasion of a doctoral research on medical malpractice, I conducted the interrogation of the portal of Romanian courts (http://portal.just.ro). A huge amount of data can be obtained easily in a short time. 
In the context of the expected impact of the implementation of the GDPR (General Data Protection Regulation) in relation to the functioning of the public institutions, I conducted a qualitative research looking at how medical data and personal data are managed by the courts. Decisions of the courts published in the jurisprudence section have been analyzed. The paper analyzes the compliance of the judicial public institutions with the data protection legislation considered in the paradigm of institutional logic. We can assume that the individualistic principle exercised by the professional institution (the medical profession) can conflict and require a balancing with the utilitarian, collective principle, which can explain some of the state institution’s actions (courts of justice). GDPR aims to reinforce existing legal provisions. GDPR does not seem to bring about changes in the substance of laws or doctrines on data confidentiality, but appears to be a form of supra-state control. The way in which GDPR will influence policies and practices regarding the processing of personal and medical data will be analyzed with the passage of time.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "SHILAP Revista de lepidopterología",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2915655425",
    "title": "The new EU General Data Protection Regulation (GDPR) in medical data and clinical research",
    "authors": [
      "Maria Vretta"
    ],
    "date": "2019",
    "platform": "OpenAlex",
    "sourceUrl": "https://repository.ihu.edu.gr/xmlui/handle/11544/29234",
    "pdfUrl": "",
    "doi": "",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2625024068",
    "title": "Implementation of General Data Protection Regulation (GDPR) in Enterprises",
    "authors": [
      "Samant Khajuria",
      "Lene Tolstrup Sørensen",
      "Knud Erik Skouby"
    ],
    "date": "2017",
    "platform": "OpenAlex",
    "sourceUrl": "https://vbn.aau.dk/da/publications/3a20141e-3a18-4870-a804-d739ddfe5231",
    "pdfUrl": "",
    "doi": "",
    "abstract": "It is impossible to keep the data secure and private when one can’t keep track of what they have, where it is and what its value is. After twenty years, Data protection Directive 95/46/EC (DPD) is finally phased out and replaced by General Data Protection Regulation (GDPR). This is a step towards the ongoing recognition of the value and importance of personal data. However, given the complexity and limited time frame for the implementation of the regulation brings many enterprises upside down and inside out as they implement change to bring themselves up to the standard required by the regulations. The purpose of this paper is to discuss new initiatives taken under new EU privacy regulation and to provide guidelines that will comply with GDPR.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "VBN Forskningsportal (Aalborg Universitet)",
    "language": "en"
  },
  {
    "id": "s2:a531e7b82a8a3262440dff4dc5f10b0f2ddd8798",
    "title": "Practical Privacy-Preserving Machine Learning using Fully Homomorphic Encryption",
    "authors": [
      "M. Brand",
      "Gaëtan Pradel"
    ],
    "date": "2023",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/a531e7b82a8a3262440dff4dc5f10b0f2ddd8798",
    "pdfUrl": "",
    "doi": "",
    "abstract": "",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.567,
    "venue": "IACR Cryptology ePrint Archive",
    "language": "en"
  },
  {
    "id": "s2:9ee27109c1b379ec3df0f5d50e6308d16029049e",
    "title": "Anonymous Data v. Personal Data — A False Debate: An EU Perspective on Anonymization, Pseudonymization and Personal Data",
    "authors": [
      "Sophie Stalla-Bourdillon",
      "Alison Knight"
    ],
    "date": "2017-03-06",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/9ee27109c1b379ec3df0f5d50e6308d16029049e",
    "pdfUrl": "",
    "doi": "",
    "abstract": "",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "s2:b8540a592e3e6c368810344d7c3b8b37c5e65652",
    "title": "„Persoana vizată”, titularul dreptului la protecţia datelor personale: anonimizarea şi pseudoanonimizarea (The Data Subject, Titulaire of the Right to Data Protection: The Case of Anonymization and Pseudonymization)",
    "authors": [
      "Gabriela Zanfir"
    ],
    "date": "2013-04-03",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/b8540a592e3e6c368810344d7c3b8b37c5e65652",
    "pdfUrl": "",
    "doi": "",
    "abstract": "",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "s2:0d8f732d1f1e51a10a2d3ecfca0deeebe96b2756",
    "title": "Research Challenges for Re-identification Risk Assessments and De-identification",
    "authors": [
      "Kazuhiro Minami",
      "Koji Chida"
    ],
    "date": "2016",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/0d8f732d1f1e51a10a2d3ecfca0deeebe96b2756",
    "pdfUrl": "",
    "doi": "",
    "abstract": "",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "s2:0fed0217f993ea18046352c36f26ce91f4c5d469",
    "title": "( k , \" , ı )-Anonymization: privacy-preserving data release based on k -anonymity and differential privacy",
    "authors": [
      "Yao-Tung Tsou",
      "M. Naser",
      "Li-Sheng Chen",
      "Yu-Hsiang Chang",
      "Yung-Li Hu",
      "Yennun Huang",
      "Chia-Mu Yu",
      "Pei-Yuan Tsai"
    ],
    "date": "2021",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/0fed0217f993ea18046352c36f26ce91f4c5d469",
    "pdfUrl": "",
    "doi": "",
    "abstract": "",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "s2:5b3c7e7a01e65c5f3b9929b3ab8aca5e96c17a1e",
    "title": "Context-Aware Document Redaction: A Purpose-Driven Framework for Selective Information Preservation Anonymization and Content-Specific Redaction: Balancing Privacy and Utility",
    "authors": [],
    "date": "",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/5b3c7e7a01e65c5f3b9929b3ab8aca5e96c17a1e",
    "pdfUrl": "",
    "doi": "",
    "abstract": "",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "s2:b7743ede3b006118e26fe1a9fdd3dc87c828782f",
    "title": "Resurrecting Trust in Facial Recognition: Mitigating Backdoor Attacks in Face Recognition to Prevent Potential Privacy Breaches",
    "authors": [
      "Reena Zelenkova",
      "J. Swallow",
      "Pathum Chamikara Mahawaga Arachchige",
      "Dongxi Liu",
      "Mohan Baruwal Chhetri",
      "Seyit Ahmet Camtepe",
      "M. Grobler",
      "Mahathir Almashor"
    ],
    "date": "2022-02-18",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/b7743ede3b006118e26fe1a9fdd3dc87c828782f",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Biometric data, such as face images, are often associated with sensitive information (e.g medical, financial, personal government records). Hence, a data breach in a system storing such information can have devastating consequences. Deep learning is widely utilized for face recognition (FR); however, such models are vulnerable to backdoor attacks executed by malicious parties. Backdoor attacks cause a model to misclassify a particular class as a target class during recognition. This vulnerability can allow adversaries to gain access to highly sensitive data protected by biometric authentication measures or allow the malicious party to masquerade as an individual with higher system permissions. Such breaches pose a serious privacy threat. Previous methods integrate noise addition mechanisms into face recognition models to mitigate this issue and improve the robustness of classification against backdoor attacks. However, this can drastically affect model accuracy. We propose a novel and generalizable approach (named BA-BAM: Biometric Authentication - Backdoor Attack Mitigation), that aims to prevent backdoor attacks on face authentication deep learning models through transfer learning and selective image perturbation. The empirical evidence shows that BA-BAM is highly robust and incurs a maximal accuracy drop of 2.4%, while reducing the attack success rate to a maximum of 20%. Comparisons with existing approaches show that BA-BAM provides a more practical backdoor mitigation approach for face recognition.",
    "topics": [
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII"
    ],
    "relevanceScore": 0.567,
    "venue": "arXiv.org",
    "language": "en"
  },
  {
    "id": "s2:ec80086292d546cc193e016fdafa3e38fc6a3143",
    "title": "GDPR –Impact of General Data Protection Regulation on Digital Marketing",
    "authors": [
      "Natalija Parlov",
      "Željko Sičaja",
      "Tihomir Katulić"
    ],
    "date": "2018-12-14",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/ec80086292d546cc193e016fdafa3e38fc6a3143",
    "pdfUrl": "",
    "doi": "",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:3045464",
    "title": "Schrems II et invalidation du Privacy Shield, un goût de « déjà vu »",
    "authors": [
      "Céline Castets-Renard"
    ],
    "date": "2020-12-10",
    "platform": "hal",
    "sourceUrl": "https://shs.hal.science/halshs-03045464v1",
    "pdfUrl": "",
    "doi": "",
    "abstract": "",
    "topics": [
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Sector Regulations"
    ],
    "relevanceScore": 0.567,
    "venue": "Recueil Dalloz",
    "language": "fr"
  },
  {
    "id": "https://openalex.org/W2980365421",
    "title": "Le Règlement Général sur la Protection des Données (RGPD/GDPR): analyse approfondie",
    "authors": [
      "Cécile de Terwangne",
      "Karen Rosier"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "https://researchportal.unamur.be/en/publications/9a512753-6738-4259-809a-12d2dacab053",
    "pdfUrl": "",
    "doi": "",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "Repository of the University of Namur",
    "language": "fr"
  },
  {
    "id": "https://openalex.org/W3030203287",
    "title": "FQ Règlement général sur la protection des données RGPD / Data Protection Officer DPO - Module Secteur Santé Social",
    "authors": [
      "system-user admin population"
    ],
    "date": "2020",
    "platform": "OpenAlex",
    "sourceUrl": "http://odf.u-paris.fr/fr/offre-de-formation/formation-qualifiante-SPCFQ/droit-economie-gestion-DEG/fq-reglement-general-sur-la-protection-des-donnees-rgpd-data-protection-officer-dpo-module-secteur-public-JOYGATLA.html",
    "pdfUrl": "",
    "doi": "",
    "abstract": "",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "fr"
  },
  {
    "id": "s2:40a9a3f7c1c9a75c8332ea20b082f620f4bcd817",
    "title": "Linked Data Sanitization with Differential Privacy. (Anonymisation de données liées en utilisant la confidentialité différentielle)",
    "authors": [
      "Sara Taki"
    ],
    "date": "2023",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/40a9a3f7c1c9a75c8332ea20b082f620f4bcd817",
    "pdfUrl": "",
    "doi": "",
    "abstract": "",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W7120850231",
    "title": "Operator: action for anonymization and pseudonymization of personal data as security measures",
    "authors": [
      "Brenda Carolina Vicentini Mugnol"
    ],
    "date": "2024",
    "platform": "OpenAlex",
    "sourceUrl": "https://repositorio.uel.br/handle/123456789/18503",
    "pdfUrl": "https://repositorio.uel.br/bitstreams/8a7a4269-2cc5-4bc4-b10e-130a6ec66eed/download",
    "doi": "",
    "abstract": "A proteção de dados pessoais tem se consolidado como um tema de extrema relevância, especialmente diante do aumento de incidentes de segurança envolvendo os vazamentos de informações. As normativas que regulam essa proteção evoluíram significativamente ao longo dos anos, com destaque para a atuação dos agentes de tratamento de dados, particularmente do operador de dados pessoais, que desempenha um papel central nos processos de proteção e mitigação de riscos associados à segurança. Este estudo enfoca o uso de técnicas de anonimização e pseudonimização como ferramentas que podem ser utilizadas como medidas de segurança para proteger dados sensíveis e minimizar os impactos negativos em caso de incidentes. Ambas as técnicas são essenciais para garantir a privacidade dos titulares, especialmente em contextos de tratamento de dados com finalidades específicas, como pesquisas acadêmicas, estudos sociais e bases de dados relacionadas à saúde pública. Para entender o papel do operador de dados nesses processos, foi realizada uma pesquisa bibliográfica, explorando a legislação vigente, posicionamentos doutrinários sobre o tema, definições relativas à tecnologia da informação e as melhores práticas de segurança de dados. A análise identificou que a anonimização, ao tornar os dados irreversivelmente não identificáveis, e a pseudonimização, ao permitir que identificadores sejam mantidos separados e seguros, não são apenas ferramentas cruciais para proteção, mas também estratégias para mitigar danos em situações de vazamento. O estudo concluiu que o operador de dados, em conjunto com o controlador, possui responsabilidades específicas na implementação e manutenção dessas técnicas. Ele deve garantir conformidade com os parâmetros legais e a aplicação de práticas adequadas de segurança para proteger os titulares. 
Por fim, a pesquisa reforça que a adoção de processos de anonimização e pseudonimização não apenas cumpre requisitos legais, mas também representa uma abordagem proativa para reduzir riscos de segurança, apesar de, por vezes, possuir custos elevados. Em síntese, a pseudonimização e a anonimização não garantem uma proteção absoluta, mas representam pilares fundamentais na construção de um ambiente digital mais seguro. A análise sistemática e contínua desses métodos contribui para um ambiente de maior confiança e proteção no tratamento de dados pessoais, especialmente em um cenário tecnológico e regulatório em constante evolução.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.567,
    "venue": "LA Referencia (Red Federada de Repositorios Institucionales de Publicaciones Científicas)",
    "language": "pt"
  },
  {
    "id": "https://openalex.org/W3015552654",
    "title": "GDPR - The General Data Protection Regulation : Hur medvetna är människor i Skövde kommun i ålder 18-65 om GDPR och de rättigheter som medför?",
    "authors": [
      "Lollo Ghasem"
    ],
    "date": "2019",
    "platform": "OpenAlex",
    "sourceUrl": "http://urn.kb.se/resolve?urn=urn:nbn:se:his:diva-17295",
    "pdfUrl": "http://urn.kb.se/resolve?urn=urn:nbn:se:his:diva-17295",
    "doi": "",
    "abstract": "GDPR (The General Data Protection Regulation) är ett nytt EU-direktiv som träde i kraft 25 maj 2018. EU-direktivet gäller i hela Europa och har i syfte att styra hur och vem som får hantera personuppgifter. All form av behandling av information som direkt eller indirekt kan knytas till en person styrs av GDPR. För alla myndigheter, företag och organisationer innebär detta en stor förändring. GDPR stärker privatpersoners rättigheter och hjälper de att ha kontroll över hur deras personuppgifter behandlas och används. Som privatperson delar vi med oss av våra personuppgifter mer än vad vi tror. Några av de sätt på vilka personlig information samlas in är via användning av bilar, smarta telefoner, program, bärbara datorer och webbplatser. Enligt en undersökning som har genomförts av Europakommissionen angående ”Data Protection”, det vill säga dataskydd visar resultatet att det är endast 13% av svenska befolkningen som upplever att de har full kontroll över all data som de lämnar ut online (Commission, 2015). De här 13 % av svenska befolkningen är även medvetna om att de har tillgång till att rätta, ändra och radera data som finns lagrad om dem. Denna studie fokuserar på att undersöka hur medvetna människor i Skövde kommun i ålder 18–65 är om GDPR och de rättigheter som medförs. För att genomföra studien har en enkätundersökning tillämpats som datainsamlingsmetod. Resultatet av studien visar att majoriteten av människorna är medvetna om GDPR och vad det innebär i generella drag och de känner även till de tre rättigheterna rätt till information, rätt till rättelse och rätt till radering. Människorna i Skövde kommun anser att det är viktigt att veta hur personuppgifterna hanteras och behandlas för att obehöriga personer inte ska få tillgång till de. Slutsatser som går att dra från studien är att människorna är måna om sina personuppgifter. 
De vill gärna ha kontroll över personuppgifterna och veta hur de hanteras, behandlas samt om en olycka inträffar som leder till att personuppgifterna blir stulna eller förstörda vill de gärna bli informerade om det.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "University Library of Skövde (University of Skövde)",
    "language": "sv"
  },
  {
    "id": "https://openalex.org/W7112692725",
    "title": "GDPR - The General Data Protection Regulation : How aware are people in Skövde municipality in age 18-65 about GDPR and the rights involved?",
    "authors": [
      "Ghasem, Lollo"
    ],
    "date": "2019",
    "platform": "OpenAlex",
    "sourceUrl": "http://urn.kb.se/resolve?urn=urn:nbn:se:his:diva-17295",
    "pdfUrl": "http://urn.kb.se/resolve?urn=urn:nbn:se:his:diva-17295",
    "doi": "",
    "abstract": "GDPR (The General Data Protection Regulation) är ett nytt EU-direktiv som träde i kraft 25 maj 2018. EU-direktivet gäller i hela Europa och har i syfte att styra hur och vem som får hantera personuppgifter. All form av behandling av information som direkt eller indirekt kan knytas till en person styrs av GDPR. För alla myndigheter, företag och organisationer innebär detta en stor förändring. GDPR stärker privatpersoners rättigheter och hjälper de att ha kontroll över hur deras personuppgifter behandlas och används. Som privatperson delar vi med oss av våra personuppgifter mer än vad vi tror. Några av de sätt på vilka personlig information samlas in är via användning av bilar, smarta telefoner, program, bärbara datorer och webbplatser. Enligt en undersökning som har genomförts av Europakommissionen angående ”Data Protection”, det vill säga dataskydd visar resultatet att det är endast 13% av svenska befolkningen som upplever att de har full kontroll över all data som de lämnar ut online (Commission, 2015). De här 13 % av svenska befolkningen är även medvetna om att de har tillgång till att rätta, ändra och radera data som finns lagrad om dem. Denna studie fokuserar på att undersöka hur medvetna människor i Skövde kommun i ålder 18–65 är om GDPR och de rättigheter som medförs. För att genomföra studien har en enkätundersökning tillämpats som datainsamlingsmetod. Resultatet av studien visar att majoriteten av människorna är medvetna om GDPR och vad det innebär i generella drag och de känner även till de tre rättigheterna rätt till information, rätt till rättelse och rätt till radering. Människorna i Skövde kommun anser att det är viktigt att veta hur personuppgifterna hanteras och behandlas för att obehöriga personer inte ska få tillgång till de. Slutsatser som går att dra från studien är att människorna är måna om sina personuppgifter. 
De vill gärna ha kontroll över personuppgifterna och veta hur de hanteras, behandlas samt om en olycka inträffar som leder till att personuppgifterna blir stulna eller förstörda vill de gärna bli informerade om det.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.567,
    "venue": "University Library of Skövde (University of Skövde)",
    "language": "sv"
  },
  {
    "id": "doaj:06011d8eeec0455fb8755e852218b748",
    "title": "Algorithmic Justice and Human Rights: Structural Risks and Emerging Regulatory Frameworks",
    "authors": [
      "Geofredo Angulo López"
    ],
    "date": "2026",
    "platform": "doaj",
    "sourceUrl": "https://revistaselectronicas.ujaen.es/index.php/TAHRJ/article/view/9985",
    "pdfUrl": "",
    "doi": "10.17561/tahrj.v26.9985",
    "abstract": "The incorporation of artificial intelligence (AI), particularly large language models (LLMs), into judicial processes poses unprecedented challenges for the protection of human rights, especially regarding privacy, informational self-determination, and algorithmic transparency. This article introduces the concept of the “Hermes judge” as a normative and interpretative model capable of articulating the technical rationality of automated systems with the principles of the constitutional rule of law. Through a critical analysis of international regulatory frameworks—such as the GDPR, the European Union’s AI Act, and the FAIR principles—regulatory gaps, structural biases, and decision-making opacity are identified. In light of these risks, ethical and regulatory guidelines are proposed to ensure that AI functions as a cognitive aid, supporting tasks such as argument generation, precedent identification, and case summarization, without replacing hermeneutic judgment or compromising human dignity. From a functional perspective, Judge Hermes critically mediates between automated decision-making and fundamental principles of law, safeguarding judicial deliberation and the human dimension of justice.",
    "topics": [
      "power_knowledge_asymmetry",
      "jurisdiction_regulatory",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.562,
    "venue": "Age of Human Rights Journal",
    "language": "en"
  },
  {
    "id": "doaj:b47cfd2cf12f427788c173e8208eacfc",
    "title": "Privacy-Preserving Clinical Decision Support for Emergency Triage Using LLMs: System Architecture and Real-World Evaluation",
    "authors": [
      "Alper Karamanlıoğlu",
      "Berkan Demirel",
      "Onur Tural",
      "Osman Tufan Doğan",
      "Ferda Nur Alpaslan"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://www.mdpi.com/2076-3417/15/15/8412",
    "pdfUrl": "",
    "doi": "10.3390/app15158412",
    "abstract": "This study presents a next-generation clinical decision-support architecture for Clinical Decision Support Systems (CDSS) focused on emergency triage. By integrating Large Language Models (LLMs), Federated Learning (FL), and low-latency streaming analytics within a modular, privacy-preserving framework, the system addresses key deployment challenges in high-stakes clinical settings. Unlike traditional models, the architecture processes both structured (vitals, labs) and unstructured (clinical notes) data to enable context-aware reasoning with clinically acceptable latency at the point of care. It leverages big data infrastructure for large-scale EHR management and incorporates digital twin concepts for live patient monitoring. Federated training allows institutions to collaboratively improve models without sharing raw data, ensuring compliance with GDPR/HIPAA, and FAIR principles. Privacy is further protected through differential privacy, secure aggregation, and inference isolation. We evaluate the system through two studies: (1) a benchmark of 750+ USMLE-style questions validating the medical reasoning of fine-tuned LLMs; and (2) a real-world case study (<i>n</i> = 132, 75.8% first-pass agreement) using de-identified MIMIC-III data to assess triage accuracy and responsiveness. The system demonstrated clinically acceptable latency and promising alignment with expert judgment on reviewed cases. The infectious disease triage case demonstrates low-latency recognition of sepsis-like presentations in the ED. This work offers a scalable, audit-compliant, and clinician-validated blueprint for CDSS, enabling low-latency triage and extensibility across specialties.",
    "topics": [
      "data_anonymization",
      "privacy_engineering",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.562,
    "venue": "Applied Sciences",
    "language": "en"
  },
  {
    "id": "doaj:7046301861b14aa7bffe69120b0dc133",
    "title": "Balancing Bias Mitigation and Data Protection in  AI-Driven Healthcare",
    "authors": [
      "Fatma Sümeyra Doğan"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://viennalawreview.com/index.php/vlr/article/view/9847",
    "pdfUrl": "",
    "doi": "10.25365/vlr-2025-9-3-99",
    "abstract": "This paper examines the regulatory tensions between algorithmic bias mitigation and data protection in AI-driven healthcare within the European Union’s legal framework. Through analysis of the European Health Data Space Regulation, AI Act, and General Data Protection Regulation, the study reveals a fundamental paradox: while the EHDS promotes data anonymization for secondary use, effective bias detection in high-risk AI systems often requires access to the very demographic data that anonymization obscures. The research highlights documented cases of algorithmic bias in healthcare, including racial disparities in skin cancer diagnosis and gender biases in heart attack prediction systems, demonstrating the practical importance of this regulatory challenge. The findings illustrate how the EHDS’s opt-out mechanism may disproportionately exclude vulnerable populations from datasets, further compromising representativeness. This study contributes to the discourse by identifying an “identification paradox” where data protection measures may inadvertently perpetuate algorithmic discrimination. The paper concludes by proposing potential regulatory and technical approaches to reconcile privacy protection with algorithmic fairness, ensuring healthcare AI systems can deliver equitable outcomes while respecting fundamental rights to data protection.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.562,
    "venue": "University of Vienna Law Review",
    "language": "en"
  },
  {
    "id": "europepmc:PPR1150946",
    "title": "Federated Learning with Smartphone Apps for Privacy-Preserving Chronic Disease Management and Cognitive Decline Detection in Seniors",
    "authors": [
      "Sindhuja A."
    ],
    "date": "2026-02-04",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.20944/preprints202602.0219.v1",
    "pdfUrl": "https://doi.org/10.20944/preprints202602.0219.v1",
    "doi": "10.20944/preprints202602.0219.v1",
    "abstract": "The rapid aging of global populations has intensified the burden of chronic diseases such as diabetes, hypertension, and cardiovascular conditions, alongside the growing prevalence of cognitive decline including mild cognitive impairment and Alzheimer's disease among seniors. Traditional healthcare monitoring systems rely on centralized data collection, which raises serious privacy concerns due to the sensitive nature of personal health information and potential breaches under regulations like GDPR and HIPAA. This paper proposes a novel federated learning (FL) framework seamlessly integrated with everyday smartphone applications to enable privacy-preserving chronic disease management and early cognitive decline detection in elderly users. The system leverages multi-modal data streams from smartphone sensors including accelerometers for gait analysis, microphones for speech pattern evaluation, cameras for facial expression monitoring, and usage logs for behavioural insights while performing all model training locally on user devices. A central server aggregates only encrypted model updates using algorithms like FedAvg, enhanced by differential privacy noise injection and secure multi-party computation to ensure raw data never leaves the phone. This decentralized paradigm addresses non-independent and identically distributed (non-IID) data challenges inherent in senior cohorts through personalized adaptation layers and communication-efficient techniques such as gradient quantization. Comprehensive experiments on synthetic datasets modelled after real-world benchmarks like UK Biobank and ADNI reveal the framework achieves 92% accuracy in chronic disease classification and 87% sensitivity in cognitive decline detection, outperforming centralized baselines by 15% in privacy-utility trade-offs while reducing data transmission by over 99%. 
Real-world deployment considerations, including battery optimization and user-centric interfaces with voice commands and large fonts, m",
    "topics": [
      "privacy_engineering",
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.562,
    "venue": "",
    "language": "de"
  },
  {
    "id": "openaire:10.5213/inj.2550274.137",
    "title": "Privacy-by-Design Framework for Large Language Model Chatbots in Urology",
    "authors": [
      "Eun Joung Kim",
      "JungYoon Kim"
    ],
    "date": "2025-11-30",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.5213/inj.2550274.137",
    "pdfUrl": "http://einj.org/upload/pdf/inj-2550274-137.pdf",
    "doi": "10.5213/inj.2550274.137",
    "abstract": "<jats:p>This review presents a privacy-by-design–based technical and governance framework for the safe clinical deployment of large language model (LLM) chatbots in urology. Given the high sensitivity of urological data involving urinary, sexual, and reproductive health, the proposed approach integrates on-site algorithmic deidentification, federated learning with differential privacy and secure aggregation, and secure retrieval-augmented generation with source citation and audit logging. Collectively, these components establish a federated, explainable, and auditable pipeline that preserves data sovereignty while improving clinical reliability and regulatory compliance. Urology thus serves as a critical test bed for validating the safety, governance, and accountability standards required for broader adoption of LLM-based medical chatbots across clinical domains.</jats:p>",
    "topics": [
      "data_anonymization",
      "privacy_engineering",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.562,
    "venue": "International Neurourology Journal",
    "language": "en"
  },
  {
    "id": "europepmc:PPR1140486",
    "title": "<em>ppAIsec</em>: Privacy-Preserving Artificial Intelligence Models in Healthcare Security—A Synthesis of AI Frameworks",
    "authors": [
      "Sultana T",
      "Sunna AA",
      "Uddin MM",
      "Kshetri N."
    ],
    "date": "2026-01-05",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.20944/preprints202601.0250.v1",
    "pdfUrl": "https://doi.org/10.20944/preprints202601.0250.v1",
    "doi": "10.20944/preprints202601.0250.v1",
    "abstract": "As artificial intelligence (AI) technologies, particularly generative and collaborative learning models— are increasingly integrated into healthcare and other sensitive domains, data privacy, security, and fairness concerns have grown significantly. This paper focuses on a thorough examination of current privacy-preserving AI models, including federated learning (FL), differential privacy (DP), homomorphic encryption, and generative adversarial networks (GANs). Key contributions are reviewed across recent works that explore privacy-preserving mechanisms within domains such as clinical diagnostics, drug discovery, Internet of Medical Things (IoMT), and virtual health systems. Dynamic federated models (e.g., DynamicFL) that adjust model architecture based on computational heterogeneity and encryption-augmented FL architectures are presented to maintain data locality while ensuring equitable performance. GAN-based synthetic data generators (e.g., medGAN, CorGAN) offer alternative solutions to share healthcare data without compromising patient identity and introducing new threats if misused. Across these models, a multi-phase life cycle of threats is identified—spanning data collection, model training, inference, and system integration—highlighting the importance of proactive governance. Information compliance frameworks such as the EU AI Act and the U.S. AI Bill of Rights are counting for standardizing technological implementation in healthcare data management. This research work will cover explaining existing AI models and trying to identify the best one worked for ensuring data privacy and shareability with ethical responsibility for proposing a layered privacy-preservation paradigm essential for safely deploying AI in sensitive environments.",
    "topics": [
      "privacy_engineering",
      "data_anonymization",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Sector Regulations",
      "Solutions Market"
    ],
    "relevanceScore": 0.562,
    "venue": "",
    "language": "de"
  },
  {
    "id": "europepmc:40596404",
    "title": "Mamba-fusion for privacy-preserving disease prediction.",
    "authors": [
      "Jabbar MK",
      "Jianjun H",
      "Jabbar A",
      "Bilal A."
    ],
    "date": "2025-07-01",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1038/s41598-025-06306-0",
    "pdfUrl": "https://europepmc.org/articles/PMC12215979?pdf=render",
    "doi": "10.1038/s41598-025-06306-0",
    "abstract": "Accurate disease prediction is essential for improving patient outcomes. Privacy regulations like GDPR and HIPAA limit data sharing, hindering the development of robust predictive models across institutions. FL and multi-modal fusion frameworks counter these problems but are restricted in scalability, inter-client communication, and heterogeneity of data modalities. Techniques which provide privacy on data have an issue whereby they cause a reduction in performance or are computationally costly. This paper presents Mamba-Fusion for Disease prediction, a privacy-preserving framework for multi-modal data. It uses a hierarchical FL architecture to minimize the communication costs and improve the architecture's scalability solution and a Mixture of Experts (MoE) with LSTM based layers for dynamic temporal integration. The latest techniques like, differential privacy, secure aggregation protect both the data and its accuracy of the data as well. Experimental results on multi-modal clinical measurements, ECG, EEG, clinical notes, and demographic data support the applied framework. We have then used Mamba-Fusion to achieve 92:4% accuracy, 0:91 F-Score, and 0:96 AUC-ROC by keeping the privacy leakage at 0:02 and communication costs to 12:5 MB, which make it superior to conventional FL techniques. These results affirm Mamba-Fusion as an applications that are secure enough to support collaborative healthcare analytics on a large scale.",
    "topics": [
      "data_anonymization",
      "privacy_engineering",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.562,
    "venue": "Scientific reports",
    "language": "de"
  },
  {
    "id": "europepmc:41565967",
    "title": "Bridging the performance gap: systematic optimization of local LLMs for Japanese medical PHI extraction.",
    "authors": [
      "Wada A",
      "Nishizawa M",
      "Yamamoto A",
      "Akashi T",
      "Hagiwara A",
      "Irie R",
      "Hayakawa Y",
      "Kikuta J",
      "Shimoji K",
      "Sano K",
      "Nakanishi A",
      "Kamagata K",
      "Aoki S."
    ],
    "date": "2026-01-21",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1038/s41598-026-36904-5",
    "pdfUrl": "https://europepmc.org/articles/PMC12894992?pdf=render",
    "doi": "10.1038/s41598-026-36904-5",
    "abstract": "Cloud-based Large Language Models (LLMs) excel at medical text processing, but privacy regulations impose significant constraints on transmitting Protected Health Information (PHI) to external services, creating barriers to AI adoption for many healthcare institutions. While contractual agreements (e.g., Business Associate Agreements under HIPAA) may permit such transmission under specific conditions, many institutions prefer or require complete data sovereignty. Local LLMs address this need but have historically underperformed. This study introduces a five-phase optimization framework to bridge this performance gap. Using 160 synthetic Japanese radiology reports, we benchmarked 14 local LLMs against cloud leaders. Our key finding is a notable performance pattern: models with baseline scores below 87-88 points gained an average of + 6.92 points (p < 0.001), while higher-scoring models did not, suggesting a potential threshold effect for targeted optimization that warrants further investigation. The optimized Mistral-Small-3.2 with Self-Refine achieved 91.54 points-97.8% of GPT-4.1's performance-with perfect rule adherence and a clinically acceptable processing time of 24.6 s per report for batch workflows. Our work demonstrates that systematically optimized local LLMs can approach cloud-leader performance. Importantly, it provides a strategic framework guiding institutions on when and where to apply advanced optimization, enabling efficient and trustworthy AI deployment while ensuring patient privacy.",
    "topics": [
      "sector_healthcare",
      "power_knowledge_asymmetry",
      "ai_governance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Health & Genomic PII",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.562,
    "venue": "",
    "language": "de"
  },
  {
    "id": "doaj:2708c0b4ea2748d294b6ac774fada744",
    "title": "The ethics of data mining in healthcare: challenges, frameworks, and future directions",
    "authors": [
      "Mohamed Mustaf Ahmed",
      "Olalekan John Okesanya",
      "Majd Oweidat",
      "Zhinya Kawa Othman",
      "Shuaibu Saidu Musa",
      "Don Eliseo Lucero-Prisno III"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://doi.org/10.1186/s13040-025-00461-w",
    "pdfUrl": "https://europepmc.org/articles/PMC12255135?pdf=render",
    "doi": "10.1186/s13040-025-00461-w",
    "abstract": "Abstract Data mining in healthcare offers transformative insights yet surfaces multilayered ethical and governance challenges that extend beyond privacy alone. Privacy and consent concerns remain paramount when handling sensitive medical data, particularly as healthcare organizations increasingly share patient information with large digital platforms. The risks of data breaches and unauthorized access are stark: 725 reportable incidents in 2023 alone exposed more than 133 million patient records, and hacking-related breaches surged by 239% since 2018. Algorithmic bias further threatens equity; models trained on historically prejudiced data can reinforce health disparities across protected groups. Therefore, transparency must span three levels–dataset documentation, model interpretability, and post-deployment audit logging–to make algorithmic reasoning and failures traceable. Security vulnerabilities in the Internet of Medical Things (IoMT) and cloud-based health platforms amplify these risks, while corporate data-sharing deals complicate questions of data ownership and patient autonomy. A comprehensive response requires (i) dataset-level artifacts such as “datasheets,” (ii) model-cards that disclose fairness metrics, and (iii) continuous logging of predictions and LIME/SHAP explanations for independent audits. Technical safeguards must blend differential privacy (with empirically validated noise budgets), homomorphic encryption for high-value queries, and federated learning to maintain the locality of raw data. Governance frameworks must also mandate routine bias and robust audits and harmonized penalties for non-compliance. Regular reassessments, thorough documentation, and active engagement with clinicians, patients, and regulators are critical to accountability. 
This paper synthesizes current evidence, from a 2019 European re-identification study demonstrating 99.98% uniqueness with 15 quasi-identifiers to recent clinical audits that trimmed false-negative rates via threshold recalibration, and proposes an integrated set of fairness, privacy, and security controls aligned with SPIRIT-AI, CONSORT-AI, and emerging PROBAST-AI guidelines. Implementing these solutions will help healthcare systems harness the benefits of data mining while safeguarding patient rights and sustaining public trust.",
    "topics": [
      "privacy_engineering",
      "data_anonymization",
      "linkability_tracking"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Re-identification",
      "Solutions Market"
    ],
    "relevanceScore": 0.562,
    "venue": "BioData Mining",
    "language": "en"
  },
  {
    "id": "crossref:10.21203/rs.3.rs-4792047/v1",
    "title": "Evaluating Privacy Compliance in Commercial Large Language Models - ChatGPT, Claude, and Gemini",
    "authors": [
      "Oliver Cartwright",
      "Harriet Dunbar",
      "Theo Radcliffe"
    ],
    "date": "2024-07-26",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.21203/rs.3.rs-4792047/v1",
    "pdfUrl": "https://www.researchsquare.com/article/rs-4792047/v1",
    "doi": "10.21203/rs.3.rs-4792047/v1",
    "abstract": "The integration of artificial intelligence systems into various domains has raised significant privacy concerns, necessitating stringent regulatory measures to protect user data. Evaluating the privacy compliance of commercial large language models (LLMs) such as ChatGPT-4o, Claude Sonet, and Gemini Flash under the EU AI Act presents a novel approach, providing critical insights into their adherence to privacy standards. The study utilized hypothetical case studies to assess the privacy practices of these LLMs, focusing on data collection, storage, and sharing mechanisms. Findings revealed that ChatGPT-4o exhibited significant issues with data minimization and access control, while Claude Sonet demonstrated robust compliance with data minimization and effective data security measures. However, Gemini Flash showed inconsistencies in data collection and a higher incidence of anonymization failures. The comparative analysis underscored the importance of tailored privacy strategies and continuous monitoring to ensure regulatory compliance. These results provide valuable insights for developers and policymakers, emphasizing the necessity of a multifaceted approach to privacy compliance in the deployment of LLMs.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.562,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1093/oxfordhb/9780198940272.013.0003",
    "title": "Responsible Data Practices and Generative AI",
    "authors": [
      "Rumman Chowdhury"
    ],
    "date": "2025-10-22",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1093/oxfordhb/9780198940272.013.0003",
    "pdfUrl": "",
    "doi": "10.1093/oxfordhb/9780198940272.013.0003",
    "abstract": "Generative AI presents transformative potential across industries while introducing significant challenges in responsible data governance. This chapter explores the organizational, legal, and technical dimensions of implementing responsible data practices in the era of generative AI. Key considerations include ethical principles like fairness, privacy, and accountability; compliance with evolving regulations such as the EU’s General Data Protection Regulation and the EU AI Act; and the technical strategies necessary for addressing challenges like bias, transparency, and security. Methods for improving explainability, privacy preservation, and robustness are discussed, alongside governance frameworks such as ethical audits and data lineage tracking. The chapter analyzes legal precedents to highlight the tensions between innovation and regulation and emphasizes the need for ethical AI governance by design.",
    "topics": [
      "gdpr_compliance",
      "ai_governance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.562,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::044ef3c1b515551e187060e569c81a4c",
    "title": "EVALUATING AI INNOVATIONS AND THEIR LEGAL IMPLICATIONS FOR DATA PRIVACY",
    "authors": [
      "Tunde, Adeyemi Ogunleye"
    ],
    "date": "2024-10-17",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.5281/zenodo.13946236",
    "pdfUrl": "",
    "doi": "10.5281/zenodo.13946236",
    "abstract": "This paper examined the dual objectives of fostering innovation through AI while ensuring robust data privacy. The paper adopted the doctrinal method of research by relying on both primary and secondary sources of information or data. Primarily, it utilises a legal approach using data such as the European Union Artificial Intelligence Act, the General Data Protection Regulation, the California Consumer Protection Act and the Nigeria Data Protection Act. The secondary sources of data used include textbooks, online articles in learned journals, relevant materials from the internet, magazines, newspapers, other periodicals, dictionaries and reports. The study found that a multi-faceted approach is necessary to navigate the intersection of AI and data privacy, ensuring that technological progress does not compromise individual rights and trust in AI systems and finally make recommendations which include technical solutions such as differential privacy, federated learning, and homomorphic encryption which aim to balance data utility and privacy",
    "topics": [
      "gdpr_compliance",
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.562,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.46941/2024.2.5",
    "title": "Legal regulation on the use of artificial intelligence for national security purposes in Europe",
    "authors": [
      "Jurić, Marko"
    ],
    "date": "2024-12-30",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.46941/2024.2.5",
    "pdfUrl": "",
    "doi": "10.46941/2024.2.5",
    "abstract": "This paper analyses the regulation of the use of AI for national security purposes in Europe. After a brief mapping of most relevant uses of AI for national security purposes, applicable legal framework is analysed. Both the EU AI Act and the Council of Europe's AI Convention provide for broad exceptions regarding the use of AI for national security purposes. This covers activities of both public and private entities acting in the national security domain. In such circumstances, personal data protection law is seen as possessing the most direct impact on the use of AI for national security purposes. In this context, the notion of personal data is explained, emphasizing that any information relating to an identified or identifiable person qualifies as personal data under both the GDPR and Convention 108. The processing of this data, which is broadly defined, can be subject to data protection laws even in national security contexts, provided it meets certain criteria. The research shows that while there is a lot of uncertainty when it comes to the application of personal data rules to national security situations, existing case-law indicates that application of those rules is not fully excluded. On the contrary, it is to be expected that at least when private entities are involved in data processing operations, personal data protection law might prove to be very effective. Also, it is to be anticipated that the ECHR will play a major role in ensuring that uses of AI for national security purposes remain in line with requirements of democratic society.",
    "topics": [
      "data_anonymization",
      "jurisdiction_regulatory",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.562,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1098/rsta.2016.0119",
    "title": "Data science ethics in government",
    "authors": [
      "Cat Drew"
    ],
    "date": "2016-12-28",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1098/rsta.2016.0119",
    "pdfUrl": "",
    "doi": "10.1098/rsta.2016.0119",
    "abstract": "Data science can offer huge opportunities for government. With the ability to process larger and more complex datasets than ever before, it can provide better insights for policymakers and make services more tailored and efficient. As with all new technologies, there is a risk that we do not take up its opportunities and miss out on its enormous potential. We want people to feel confident to innovate with data. So, over the past 18 months, the Government Data Science Partnership has taken an open, evidence-based and user-centred approach to creating an ethical framework. It is a practical document that brings all the legal guidance together in one place, and is written in the context of new data science capabilities. As part of its development, we ran a public dialogue on data science ethics, including deliberative workshops, an experimental conjoint survey and an online engagement tool. The research supported the principles set out in the framework as well as provided useful insight into how we need to communicate about data science. It found that people had a low awareness of the term ‘data science’, but that showing data science examples can increase broad support for government exploring innovative uses of data. But people's support is highly context driven. People consider acceptability on a case-by-case basis, first thinking about the overall policy goals and likely intended outcome, and then weighing up privacy and unintended consequences. The ethical framework is a crucial start, but it does not solve all the challenges it highlights, particularly as technology is creating new challenges and opportunities every day. Continued research is needed into data minimization and anonymization, robust data models, algorithmic accountability, and transparency and data security. 
It also has revealed the need to set out a renewed deal between the citizen and state on data, to maintain and solidify trust in how we use people's data for social good.",
    "topics": [
      "power_knowledge_asymmetry",
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.562,
    "venue": "",
    "language": "en"
  },
  {
    "id": "s2:94c987833058fed9db43d6177c360202d17b153d",
    "title": "Safe Fakes: Evaluating Face Anonymizers for Face Detectors",
    "authors": [
      "Sander Robert Klomp",
      "M. V. Rijn",
      "R. Wijnhoven",
      "Cees G. M. Snoek",
      "Peter H.N. de With Eindhoven University of Technology",
      "ViNotion B.V.",
      "U. Amsterdam"
    ],
    "date": "2021-04-23",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/94c987833058fed9db43d6177c360202d17b153d",
    "pdfUrl": "",
    "doi": "10.1109/FG52635.2021.9666936",
    "abstract": "Since the introduction of the GDPR and CCPA privacy legislation, both public and private facial image datasets are increasingly scrutinized. Several datasets have been taken offline completely and some have been anonymized. However, it is unclear how anonymization impacts face detection performance. To our knowledge, this paper presents the first empirical study on the effect of image anonymization on supervised training of face detectors. We compare conventional face anonymizers with three state-of-the-art Generative Adversarial Network-based (GAN) methods, by training an off-the-shelf face detector on anonymized data. Our experiments investigate the suitability of anonymization methods for maintaining face detector performance, the effect of detectors overtraining on anonymization artefacts, dataset size for training an anonymizer, and the effect of training time of anonymization GANs. A final experiment investigates the correlation between common GAN evaluation metrics and the performance of a trained face detector. Although all tested anonymization methods lower the performance of trained face detectors, faces anonymized using GANs cause far smaller performance degradation than conventional methods. As the most important finding, the best-performing GAN, DeepPrivacy, removes identifiable faces for a face detector trained on anonymized data, resulting in a modest decrease from 91.0 to 88.3 mAP. In the last few years, there have been rapid improvements in realism of GAN-generated faces. We expect that further progression in GAN research will allow the use of Deep Fake technology for privacy-preserving Safe Fakes, without any performance degradation for training face detectors.",
    "topics": [
      "document_anonymization",
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.562,
    "venue": "IEEE International Conference on Automatic Face & Gesture Recognition",
    "language": "en"
  },
  {
    "id": "europepmc:39049027",
    "title": "A pseudonymized corpus of occupational health narratives for clinical entity recognition in Spanish.",
    "authors": [
      "Dunstan J",
      "Vakili T",
      "Miranda L",
      "Villena F",
      "Aracena C",
      "Quiroga T",
      "Vera P",
      "Viteri Valenzuela S",
      "Rocco V."
    ],
    "date": "2024-07-24",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1186/s12911-024-02609-w",
    "pdfUrl": "https://europepmc.org/articles/PMC11267746?pdf=render",
    "doi": "10.1186/s12911-024-02609-w",
    "abstract": "Despite the high creation cost, annotated corpora are indispensable for robust natural language processing systems. In the clinical field, in addition to annotating medical entities, corpus creators must also remove personally identifiable information (PII). This has become increasingly important in the era of large language models where unwanted memorization can occur. This paper presents a corpus annotated to anonymize personally identifiable information in 1,787 anamneses of work-related accidents and diseases in Spanish. Additionally, we applied a previously released model for Named Entity Recognition (NER) trained on referrals from primary care physicians to identify diseases, body parts, and medications in this work-related text. We analyzed the differences between the models and the gold standard curated by a physician in detail. Moreover, we compared the performance of the NER model on the original narratives, in narratives where personal information has been masked, and in texts where the personal data is replaced by another similar surrogate value (pseudonymization). Within this publication, we share the annotation guidelines and the annotated corpus.",
    "topics": [
      "pii_entity_types",
      "data_anonymization",
      "nlp_ner_tools"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.562,
    "venue": "",
    "language": "en"
  },
  {
    "id": "europepmc:40517175",
    "title": "Privacy in consumer wearable technologies: a living systematic analysis of data policies across leading manufacturers.",
    "authors": [
      "Doherty C",
      "Baldwin M",
      "Lambe R",
      "Altini M",
      "Caulfield B."
    ],
    "date": "2025-06-14",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1038/s41746-025-01757-1",
    "pdfUrl": "https://europepmc.org/articles/PMC12167361?pdf=render",
    "doi": "10.1038/s41746-025-01757-1",
    "abstract": "The widespread adoption of consumer wearable devices has enabled continuous biometric data collection at an unprecedented scale, raising important questions about data privacy, security, and user rights. In this study, we systematically evaluated the privacy policies of 17 leading wearable technology manufacturers using a novel rubric comprising 24 criteria across seven dimensions: transparency, data collection purposes, data minimization, user control and rights, third-party data sharing, data security, and breach notification. High Risk ratings were most frequent for transparency reporting (76%) and vulnerability disclosure (65%), while Low Risk ratings were common for identity policy (94%) and data access (71%). Xiaomi, Wyze, and Huawei had the highest cumulative risk scores, whereas Google, Apple, and Polar ranked lowest. Our findings highlight inconsistencies in data governance across the industry and underscore the need for stronger, sector-specific privacy standards. This living review will track ongoing policy changes and promote accountability in this rapidly evolving domain.",
    "topics": [
      "enterprise_privacy_ops",
      "data_breach_incident",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.562,
    "venue": "",
    "language": "en"
  },
  {
    "id": "europepmc:40599875",
    "title": "Privacy, ethics, transparency, and accountability in AI systems for wearable devices.",
    "authors": [
      "Radanliev P."
    ],
    "date": "2025-06-17",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.3389/fdgth.2025.1431246",
    "pdfUrl": "https://europepmc.org/articles/PMC12209263?pdf=render",
    "doi": "10.3389/fdgth.2025.1431246",
    "abstract": "The integration of artificial intelligence (AI) and machine learning (ML) into wearable sensor technologies has substantially advanced health data science, enabling continuous monitoring, personalised interventions, and predictive analytics. However, the fast advancement of these technologies has raised critical ethical and regulatory concerns, particularly around data privacy, algorithmic bias, informed consent, and the opacity of automated decision-making. This study undertakes a systematic examination of these challenges, highlighting the risks posed by unregulated data aggregation, biased model training, and inadequate transparency in AI-powered health applications. Through an analysis of current privacy frameworks and empirical assessment of publicly available datasets, the study identifies significant disparities in model performance across demographic groups and exposes vulnerabilities in both technical design and ethical governance. To address these issues, this article introduces a data-driven methodological framework that embeds transparency, accountability, and regulatory alignment across all stages of AI development. The framework operationalises ethical principles through concrete mechanisms, including explainable AI, bias mitigation techniques, and consent-aware data processing pipelines, while aligning with legal standards such as the GDPR, the UK Data Protection Act, and the EU AI Act. By incorporating transparency as a structural and procedural requirement, the framework presented in this article offers a replicable model for the responsible development of AI systems in wearable healthcare. In doing so, the study advocates for a regulatory paradigm that balances technological innovation with the protection of individual rights, fostering fair, secure, and trustworthy AI-driven health monitoring.",
    "topics": [
      "ai_governance",
      "jurisdiction_regulatory",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.562,
    "venue": "Frontiers in digital health",
    "language": "en"
  },
  {
    "id": "pubmed:34703612",
    "title": "Demystifying",
    "authors": [
      "Liss, Joseph",
      "Peloquin, David",
      "Barnes, Mark",
      "Bierer, Barbara E"
    ],
    "date": "2021-10-23",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1093/jlb/lsab032",
    "pdfUrl": "",
    "doi": "10.1093/jlb/lsab032",
    "abstract": "The Court of Justice of the European Union (CJEU) held in its July 2020 Schrems II decision that, in order for entities in other countries to import personal data from the European Economic Area (EEA), the importer must be able to provide data protections 'essentially equivalent' to those the EEA offers under its General Data Protection Regulation. The CJEU expressed particular concern that United States' national security intelligence gathering laws prevent U.S.-based entities from providing such protections. This decision has sharply limited the sharing of clinical research data from the EEA to the United States. After describing the pertinent aspects of the Schrems II decision, this article evaluates U.S. national security intelligence gathering frameworks, including Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333. The article then leverages recent draft guidance from the European Data Protection Board to explain how entities may be able to adopt widely used contractual and technical measures, such as data pseudonymization, to provide 'essentially equivalent' protections in the clinical research context.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.562,
    "venue": "Journal of law and the biosciences",
    "language": "en"
  },
  {
    "id": "pubmed:32210501",
    "title": "The Integrated Holistic Security and Privacy Framework Deployed in CrowdHEALTH Project.",
    "authors": [
      "Malliaros, Stefanos",
      "Xenakis, Christos",
      "Moldovan, George",
      "Mantas, John",
      "Magdalinou, Andriana",
      "Montandon, Lydia"
    ],
    "date": "2019-12",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1142/S0218488502001648",
    "pdfUrl": "",
    "doi": "10.1142/S0218488502001648",
    "abstract": "INTRODUCTION: Individuals and healthcare providers need to trust that the EHRs are protected and that the confidentiality of their personal information is not at stake. AIM: Within CrowdHEALTH project, a security and privacy framework that ensures confidentiality, integrity, and availability of the data was developed. METHODS: The CrowdHEALTH Security and Privacy framework includes Privacy Enhancing Technologies (PETs) in order to comply with the GDPR EU laws of data protection. CrowdHEALTH deploys OpenID Connect, an authentication protocol to provide flexibility, scalability, and lightweight user authentication as well as the attribute-based access control (ABAC) mechanism which supports creating efficient access control policies. RESULTS: CrowdHEALTH integrates ABAC with OpenID Connect to build an effective and scalable base for end-users' authorization. CrowdHEALTH's security and privacy framework interacts with other CrowdHEALTH's components, for instance the Big Data Platform, that depends on user authentication and authorization. CrowdHEALTH users are able to access the CrowdHEALTH's database based on the result of an ABAC request. Moreover, due to the fact that the CrowdHEALTH system requires proofs during the interactions with data producers of low trust or low reputation level, the requirements for the Trust and Reputation Model have been identified. CONCLUSION: The CrowdHEALTH Integrated Holistic Security and Privacy framework meets the security criteria for an e-health cross-border system, due to the adoption of security mechanisms, such as user authentication, user authorization, access control, data anonymization, trust management and reputation modelling. The implemented framework remains to be tested to ensure its robustness and to evaluate its performance. The holistic security and privacy framework might be adapted during the project's life cycle according to new legislations.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.562,
    "venue": "Acta informatica medica : AIM : journal of the Society for Medical Informatics of Bosnia & Herzegovina : casopis Drustva za medicinsku informatiku BiH",
    "language": "en"
  },
  {
    "id": "pubmed:30010584",
    "title": "MedCo: Enabling Secure and Privacy-Preserving Exploration of Distributed Clinical and Genomic Data.",
    "authors": [
      "Raisaro, Jean Louis",
      "Troncoso-Pastoriza, Juan Ramon",
      "Misbach, Mickael",
      "Sousa, Joao Sa",
      "Pradervand, Sylvain",
      "Missiaglia, Edoardo",
      "Michielin, Olivier",
      "Ford, Bryan",
      "Hubaux, Jean-Pierre"
    ],
    "date": "2018-07-13",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1109/TCBB.2018.2854776",
    "pdfUrl": "",
    "doi": "10.1109/TCBB.2018.2854776",
    "abstract": "The increasing number of health-data breaches is creating a complicated environment for medical-data sharing and, consequently, for medical progress. Therefore, the development of new solutions that can reassure clinical sites by enabling privacy-preserving sharing of sensitive medical data in compliance with stringent regulations (e.g., HIPAA, GDPR) is now more urgent than ever. In this work, we introduce MedCo, the first operational system that enables a group of clinical sites to federate and collectively protect their data in order to share them with external investigators without worrying about security and privacy concerns. MedCo uses (a) collective homomorphic encryption to provide trust decentralization and end-to-end confidentiality protection, and (b) obfuscation techniques to achieve formal notions of privacy, such as differential privacy. A critical feature of MedCo is that it is fully integrated within the i2b2 (Informatics for Integrating Biology and the Bedside) framework, currently used in more than 300 hospitals worldwide. Therefore, it is easily adoptable by clinical sites. We demonstrate MedCo's practicality by testing it on data from The Cancer Genome Atlas in a simulated network of three institutions. Its performance is comparable to the ones of SHRINE (networked i2b2), which, in contrast, does not provide any data protection guarantee.",
    "topics": [
      "privacy_engineering",
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.562,
    "venue": "IEEE/ACM transactions on computational biology and bioinformatics",
    "language": "en"
  },
  {
    "id": "doaj:1782958148914133a72a308522fd00f1",
    "title": "Challenges in Security and Privacy posed by Blockchain Technology",
    "authors": [
      "Tahira Tariq"
    ],
    "date": "2022",
    "platform": "doaj",
    "sourceUrl": "https://jisrc.szabist.edu.pk/ojs/index.php/jisrc/article/view/21",
    "pdfUrl": "",
    "doi": "10.31645/jisrc.22.20.2.1",
    "abstract": "The advancement of information technology may greatly benefit from the use of blockchain technology. Blockchain technology presents a promising future for protecting personal data. However, it does pose challenges concerning data security and risk that need to be overcome. This paper focused on examining the challenges posed by blockchain technology in terms of security and risk relating to the aspect of privacy. Furthermore, the regulation of the protection of personal data posed by blockchain technology has been taken into consideration. We focus on presenting security enhancement methods that regulators can take into account when drafting regulations on personal data protection guidelines. We also concentrate on the current methods for blockchain privacy protection as well as the future areas for study. The security and privacy-related challenges derived from its progressive maturity, complexity, lack of standardization, and diversity of protocols are superimposed on the demands of a vibrant, competitive environment. It is difficult to align it with the GDPR concerning privacy. There is an urgent need to develop multidisciplinary teams that must ensure its participation from the beginning of the legal/regulatory area, cybersecurity, and company information systems.",
    "topics": [
      "data_anonymization",
      "sector_finance",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Financial & Payment PII"
    ],
    "relevanceScore": 0.562,
    "venue": "JISR on Computing",
    "language": "en"
  },
  {
    "id": "hal:5060945",
    "title": "Ethical Integration of Artificial Intelligence in the African Banking Sector and Its Impact on the Evolution of Skills and Professional Roles - Case of Morocco",
    "authors": [
      "Rachid Maghniwi",
      "Mustapha Oukassi"
    ],
    "date": "2025-04-04",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-05060945v1",
    "pdfUrl": "https://hal.science/hal-05060945/document",
    "doi": "10.5281/zenodo.15367536",
    "abstract": "This study examines the ethical integration of artificial intelligence (AI) in the Moroccan banking sector and its impact on the evolution of skills and professional roles, providing insight into the challenges and opportunities for the African banking sector as a whole. In a context of rapid digital transformation, Morocco positions itself as a regional leader in the adoption of financial technologies, making it a relevant case study for understanding the dynamics at work across the continent. The main objective of this research is threefold: to analyze the modalities of ethical AI integration in Moroccan banks, to assess its impact on skills and professional roles, and to examine the broader implications for financial inclusion and the country's economic development. The adopted methodology combines quantitative and qualitative approaches. Preliminary results indicate rapid AI adoption in the Moroccan banking sector, with a 60% increase in AI investments between 2018 and 2023. This adoption has led to a significant transformation of required skills, with 72% of surveyed banking professionals reporting major changes in their roles. The study reveals the emergence of new positions such as \"Banking AI Ethicist\" and \"AI Customer Experience Manager\", reflecting a growing awareness of ethical issues. In terms of financial inclusion, AI has enabled the extension of banking services to 30% new customers in rural areas, through alternative credit scoring solutions and interfaces in Moroccan dialect. However, ethical challenges persist, particularly in terms of personal data protection and algorithmic transparency, with only 35% of the studied banks having established AI ethics committees. The implications of this research are manifold for Morocco and Africa. 
It provides concrete recommendations for ethical and inclusive integration of AI in the banking sector, emphasizing the importance of a balanced approach between technological innovation and preservation of local cultural values",
    "topics": [
      "data_anonymization",
      "power_knowledge_asymmetry",
      "ai_governance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.562,
    "venue": "International Journal of Innovative Science, Engineering & Technology",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::9ca923e99245b2e93d3ee9df86142980",
    "title": "Awareness Raising Session Ethics of AI and Data within Practices: Learners and Future Academic Teachers' Perspective. Case Report: Germany",
    "authors": [
      "Sander, Ina",
      "Hartong, Sigrid",
      "Meinert, Saskia"
    ],
    "date": "2025-08-28",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.5281/zenodo.16980631",
    "pdfUrl": "",
    "doi": "10.5281/zenodo.16980631",
    "abstract": "This document reports on one so-called “Awareness Raising Session” that was conducted as part of the Erasmus+ project “Anchoring Ethical Technology (AI and Data) usage in the Education Practice (ETH-TECH)” and aimed at gathering university students’ perspectives on AI and technology usage in higher education as well as on the EU guidelines for AI and data in education.  The report describes an in-person session with 17 students enrolled in a Bachelor’s program Education Science at a medium-sized university in Northern Germany. The session was part of a seminar on the societal implications of AI and aimed to encourage critical engagement with AI and ethics in education through interactive methods, including emotion-based reflection, small-group case work, and discussion of the EU guidelines on trustworthy AI. The students engaged actively with real-life scenarios and demonstrated both enthusiasm and concern regarding AI in education, highlighting key ethical tensions such as surveillance, data transparency, fairness, and accountability.  Data collection follows GDPR standards, with informed consent, anonymization, and secure storage.  This report is integrated with this Additional Educational Materials adopted in the session:    EU Ethical Guidelines [DE]: German version of a lay language summary of the EU ethical guidelines for using AI and data in education, developed by Raffaghelli, Negru-Subtirica & Crudele (2025) as part of the ETH-TECH project.  Ice-Breaker ARS [DE]: Outline of the initial icebreaker activity with specific materials (in German).  Case Studies [DE]: Fictional cases to reflect on and discuss the EU ethical guidelines for using AI and data in education - developed by the ETH-TECH project team (originally created by J. Raffaghelli - UNIPD team, and translated and minorly revised by I. Sander - HSU team) (German version).  
Template for group work – HSU [DE]: Poster to guide in-class case study analysis on the ethical perspectives of AI use in higher",
    "topics": [
      "ai_governance",
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.562,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:S0167739X25005114",
    "title": "Design and evaluation of a privacy-preserving multi-level federated learning architecture for airport biometric check-in",
    "authors": [
      "Campanile, Lelio",
      "Stella De Biase, Maria",
      "Marulli, Fiammetta"
    ],
    "date": "2026-03-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1016/j.future.2025.108217",
    "pdfUrl": "",
    "doi": "10.1016/j.future.2025.108217",
    "abstract": "The rapid adoption of automated airport check-in systems using facial recognition raises significant privacy concerns due to their reliance on centralized deep learning models that store and transmit biometric data from edge devices. While Federated Learning (FL) is a promising approach for privacy preservation, its effectiveness in biometric identification remains underexplored, particularly in real-world environments like airports. This study assesses the privacy implications of FL in facial recognition by comparing three architectures. A first centralized system, where biometric data is sent to a central server for model training and inference, posing significant privacy risks. The second is a one-level FL architecture, where biometric data remains on local devices, and only model updates are shared with a central aggregator. The third is a two-level FL architecture, introducing an additional aggregation layer among airlines to enhance model generalization while preserving privacy. To ensure a rigorous privacy preservation evaluation, we integrate both quantitative and qualitative metrics. For the quantitative assessment, we leverage the Privacy Meter Tool, which enables simulations of Membership Inference Attacks and the application of Differential Privacy as a mitigation technique. For the qualitative evaluation, we conduct a Data Protection Impact Assessment to analyze potential privacy risks from a regulatory perspective. Additionally, we assess model accuracy, computational efficiency, and communication overhead to determine FL’s feasibility in large-scale airport environments. Our results show that while FL significantly reduces privacy risks, the two-level FL approach introduces new vulnerabilities, such as model poisoning risks and privacy-utility trade-offs, requiring further mitigation strategies like DP",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Biometric & Immutable PII",
      "Enforcement"
    ],
    "relevanceScore": 0.562,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1109/tifs.2021.3096024",
    "title": "Privacy–Enhancing Face Biometrics: A Comprehensive Survey",
    "authors": [
      "Blaz Meden",
      "Peter Rot",
      "Philipp Terhorst",
      "Naser Damer",
      "Arjan Kuijper",
      "Walter J. Scheirer",
      "Arun Ross",
      "Peter Peer",
      "Vitomir Struc"
    ],
    "date": "2021-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1109/tifs.2021.3096024",
    "pdfUrl": "",
    "doi": "10.1109/tifs.2021.3096024",
    "abstract": "Biometric recognition technology has made significant advances over the last decade and is now used across a number of services and applications. However, this widespread deployment has also resulted in privacy concerns and evolving societal expectations about the appropriate use of the technology. For example, the ability to automatically extract age, gender, race, and health cues from biometric data has heightened concerns about privacy leakage. Face recognition technology, in particular, has been in the spotlight, and is now seen by many as posing a considerable risk to personal privacy. In response to these and similar concerns, researchers have intensified efforts towards developing techniques and computational models capable of ensuring privacy to individuals, while still facilitating the utility of face recognition technology in several application scenarios. These efforts have resulted in a multitude of privacy–enhancing techniques that aim at addressing privacy risks originating from biometric systems and providing technological solutions for legislative requirements set forth in privacy laws and regulations, such as GDPR. The goal of this overview paper is to provide a comprehensive introduction into privacy–related research in the area of biometrics and review existing work on  Biometric Privacy–Enhancing  Techniques (B–PETs) applied to face biometrics. To make this work useful for as wide of an audience as possible, several key topics are covered as well, including evaluation strategies used with B–PETs, existing datasets, relevant standards, and regulations and critical open issues that will have to be addressed in the future.",
    "topics": [
      "biometric_surveillance",
      "gdpr_compliance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.562,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.54660/ijjl.2025.4.4.86-91",
    "title": "Environmental Criminal Action on Forest and Land Burning in Pontianak City",
    "authors": [
      "I Gusti Ayu Nadya Candra Pramitha",
      "Dr. I Nyoman Bagiastra S.H., M.H."
    ],
    "date": "2025-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.54660/ijjl.2025.4.4.86-91",
    "pdfUrl": "",
    "doi": "10.54660/ijjl.2025.4.4.86-91",
    "abstract": "<jats:p>The rapid development of photo applications based on artificial intelligence (AI) raises urgent legal questions related to user privacy, data protection, and digital consent. FotoYu, an Indonesia-based platform that enables users to purchase candid public photos of themselves through facial recognition technology, serves as a unique case study to evaluate compliance with the national legal framework. This article analyzes FotoYu’s operational model based on Law Number 11 of 2008 concerning Electronic Information and Transactions (EIT Law) and Law Number 27 of 2022 concerning Personal Data Protection (PDP Law). The main legal issues raised include the classification of biometric data, the legal basis for data processing, and the limitations of using implied consent in public spaces. Using a normative-juridical approach, this study critiques FotoYu’s reliance on facial recognition technology (through AI RoboYu) in the absence of a clear and explicit consent mechanism. A comparative perspective from the GDPR and the practice of facial recognition use in European Union jurisdictions provides normative insights for regulating similar technologies. This analysis concludes that although FotoYu’s operations fall within a legal grey area, stricter law enforcement and clearer regulatory guidelines are required to protect user rights and prevent misuse. Recommendations include stricter obligations for data controllers, explicit consent protocols, and specific sectoral regulations for AI-based platforms.</jats:p>",
    "topics": [
      "data_anonymization",
      "biometric_surveillance",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Biometric & Immutable PII",
      "Enforcement"
    ],
    "relevanceScore": 0.562,
    "venue": "International Journal of Judicial Law",
    "language": "en"
  },
  {
    "id": "hal:5308670",
    "title": "Data Beyond Control",
    "authors": [
      "Loïc Pantano",
      "Karima Boudaoud",
      "Emmy Holveck",
      "Elena Ecerf",
      "Alicia Matingou",
      "Jean-Sylvestre Bergé"
    ],
    "date": "2025-06-21",
    "platform": "hal",
    "sourceUrl": "https://univ-evry.hal.science/hal-05308663v1",
    "pdfUrl": "https://univ-evry.hal.science/hal-05308663/document",
    "doi": "10.48545/advance2025-shortpapers-4_1",
    "abstract": "In a context of increasing digitalization, controlling data flows constitutes a major challenge for organizations, particularly when it comes to sensitive data. This study examines the technical and legal challenges related to secure data flow management, based on the concrete case of the medical analysis laboratory MedLab and its facial recognition system implementation project. The study proposes an integrated approach combining Zero-Trust architecture, multi-factor authentication mechanisms, and advanced encryption solutions, while ensuring compliance with GDPR and other applicable regulations. Special attention is paid to subcontractor management and international data transfers. The results demonstrate that a holistic approach, combining innovative technical solutions and robust governance, can effectively meet security and compliance requirements. The study also emphasizes the importance of continuous adaptation to technological and regulatory developments, offering concrete recommendations for organizations wishing to strengthen control of their data flows.",
    "topics": [
      "biometric_surveillance",
      "privacy_engineering",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.562,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.63471/ilprom240005",
    "title": "Ethical Considerations in AI and Information Technology Privacy and Bias",
    "authors": [
      "Md Alamgir Miah",
      "Md Faruque",
      "Salma Akter",
      "Ishrat Jahan"
    ],
    "date": "2024-08-30",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.63471/ilprom240005",
    "pdfUrl": "",
    "doi": "10.63471/ilprom240005",
    "abstract": "<jats:p>Concerns about prejudice and privacy have become crucial ethical issues as information technology (IT) and artificial intelligence (AI) are increasingly integrated into society. Large volumes of demographic data are processed by AI systems, which frequently pose privacy problems and reinforce prejudices, especially those related to age and gender. This paper explores these ethical issues, concentrating on the effects of biased AI-driven decision-making on facial recognition, healthcare, and employment. This study uses a mixed-methods approach, combining quantitative data from 60 respondents with qualitative literature analysis. The results show a strong relationship between ethical concerns, privacy issues, and biased data gathering. Disenfranchised groups continue to be disadvantaged by AI models based on historically skewed datasets, which exacerbate discrimination and restrict justice in digital decisionmaking. Even though laws like the CCPA and GDPR offer some control, they are not enough to handle the growing ethical issues surrounding AI. Reducing discrimination and guaranteeing accountability requires using bias detection techniques, fairnessaware machine learning, and transparent AI governance. Giving ethical issues a top priority as AI develops will be essential to creating technology that upholds individual liberties and promotes inclusivity. To guarantee a fair and just technological environment for all users, future developments in AI must concentrate on creating equitable systems that protect privacy. </jats:p>",
    "topics": [
      "biometric_surveillance",
      "ai_governance",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement"
    ],
    "relevanceScore": 0.562,
    "venue": "International Law Policy Review Organizational Management",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4402386266",
    "title": "Preserving Privacy in Large Language Models: A Survey on Current Threats and Solutions",
    "authors": [
      "Michele Miranda",
      "Elena Sofia Ruzzetti",
      "Andrea Santilli",
      "Fabio Massimo Zanzotto",
      "Sébastien Bratières",
      "Emanuele Rodolà"
    ],
    "date": "2024",
    "platform": "OpenAlex",
    "sourceUrl": "http://arxiv.org/abs/2408.05212",
    "pdfUrl": "https://arxiv.org/pdf/2408.05212",
    "doi": "https://doi.org/10.48550/arxiv.2408.05212",
    "abstract": "Large Language Models (LLMs) represent a significant advancement in artificial intelligence, finding applications across various domains. However, their reliance on massive internet-sourced datasets for training brings notable privacy issues, which are exacerbated in critical domains (e.g., healthcare). Moreover, certain application-specific scenarios may require fine-tuning these models on private data. This survey critically examines the privacy threats associated with LLMs, emphasizing the potential for these models to memorize and inadvertently reveal sensitive information. We explore current threats by reviewing privacy attacks on LLMs and propose comprehensive solutions for integrating privacy mechanisms throughout the entire learning pipeline. These solutions range from anonymizing training datasets to implementing differential privacy during training or inference and machine unlearning after training. Our comprehensive review of existing literature highlights ongoing challenges, available tools, and future directions for preserving privacy in LLMs. This work aims to guide the development of more secure and trustworthy AI systems by providing a thorough understanding of privacy preservation methods and their effectiveness in mitigating risks.",
    "topics": [
      "data_anonymization",
      "llm_privacy_attacks",
      "ai_governance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "AI Training PII",
      "Enforcement"
    ],
    "relevanceScore": 0.562,
    "venue": "arXiv (Cornell University)",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4383895105",
    "title": "Privacy and Data Protection in ChatGPT and Other AI Chatbots",
    "authors": [
      "Glorin Sebastian"
    ],
    "date": "2023",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.4018/ijsppc.325475",
    "pdfUrl": "https://www.igi-global.com/ViewTitle.aspx?TitleId=325475&isxn=9781668480397",
    "doi": "https://doi.org/10.4018/ijsppc.325475",
    "abstract": "The evolution of artificial intelligence (AI) and machine learning (ML) has led to the development of sophisticated large language models (LLMs) that are used extensively in applications such as chatbots. This research investigates the critical issues of data protection and privacy enhancement in the context of LLM-based chatbots, with a focus on OpenAI's ChatGPT. It explores the dual challenges of safeguarding sensitive user information while ensuring the efficiency of machine learning models. It assesses existing privacy-enhancing technologies (PETs) and proposes innovative methods, such as differential privacy, federated learning, and data minimization techniques. The study also includes a survey of Chatbot users to measure their concerns related to data privacy with the use of these LLM-based applications. This study is meant to serve as a comprehensive guide for developers, policymakers, and researchers, contributing to the discourse on data protection in artificial intelligence.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.562,
    "venue": "International Journal of Security and Privacy in Pervasive Computing",
    "language": "en"
  },
  {
    "id": "s2:4949fae2e8dcb1000462098aa15fe922067932af",
    "title": "Efficient Acronymization of Sensitive Data Using Generative Models Fine-Tuned on LLM-Augmented Data",
    "authors": [
      "Kristién Sopkovič",
      "Eva Kupcova",
      "D. Hládek",
      "Matus Pleva"
    ],
    "date": "2025-05-12",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/4949fae2e8dcb1000462098aa15fe922067932af",
    "pdfUrl": "",
    "doi": "10.1109/RADIOELEKTRONIKA65656.2025.11008388",
    "abstract": "Data privacy is crucial today, especially with regulations such as GDPR. Data anonymization is key, but common methods often reduce data value. This paper explores the acronymization process, which replaces sensitive data with abbreviations, as a way to balance protection and data usability. We propose a new approach: using large language models (LLMs) to create training data for a T5 model, which we then fine-tune for acronymizing sensitive data. The results show that this method, especially when using LLMs like Gemma-9B-IT to augment the data, achieves promising results and outperforms existing Named Entity Recognition (NER) models in the specific task of acronymization. This offers a more efficient and scalable solution for anonymizing text data, contributing to both privacy protection and preserving the utility of data for analysis and research.",
    "topics": [
      "pii_entity_types",
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.562,
    "venue": "International Conference Radioelektronika",
    "language": "en"
  },
  {
    "id": "s2:7a55abf2c9c7d4e45592b3ba0ba0d7fb554ecabc",
    "title": "EdgeCare: Privacy-Preserving Medical Advising System on Mobile Devices",
    "authors": [
      "T. Weerasekara",
      "Chinthani Chandeepa",
      "Oshan Amarasooriya",
      "C. Hettiarachchi"
    ],
    "date": "2025-08-14",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/7a55abf2c9c7d4e45592b3ba0ba0d7fb554ecabc",
    "pdfUrl": "",
    "doi": "10.1109/MERCon67903.2025.11217132",
    "abstract": "Ensuring the confidentiality of information and accuracy especially related to medical data is a critical challenge in the development of digital health applications. This paper presents a novel approach for a medical chat application that is intended to preserve user privacy while ensuring the accuracy of responses. On-device privacy-preserving techniques and contextaware medical report retrieval mechanisms are engaged on Android mobile phones with cloud-based retrieval-augmented generation (RAG) in this system. A lightweight, transformerbased language model is leveraged for the anonymization of protected health information (PHI) directly on the user's mobile device with a medical report storage and a retriever ensuring private and sensitive information never leaves the device in its raw form. The cloud-based subsystem acts as the backend and is responsible for processing the anonymized requests, retrieving relevant medical knowledge, and generating accurate, contextaware responses using a large language model (LLM).",
    "topics": [
      "sector_healthcare",
      "offline_local_processing",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Health & Genomic PII",
      "Solutions Market"
    ],
    "relevanceScore": 0.562,
    "venue": "Moratuwa Engineering Research Conference",
    "language": "en"
  },
  {
    "id": "s2:6d4833e4a4fa744d9ff6842d10707555635eab82",
    "title": "How does Generative AI Affect Patients' Rights?",
    "authors": [
      "Sofia Capella"
    ],
    "date": "2025-09-28",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/6d4833e4a4fa744d9ff6842d10707555635eab82",
    "pdfUrl": "",
    "doi": "10.52214/vib.v11i.14212",
    "abstract": "Photo by Igor Omilaev on Unsplash\nAbstract\nHealthcare systems are facing constant changes due to demographic modifications (a rapidly aging population), technological developments, global pandemics, and shifts in social paradigms. These changes are increasingly being analysed through the lens of patients’ rights, which are central in ethical and legal discussions in healthcare. A significant change in healthcare today is the growing use of generative artificial intelligence (AI) in clinical practice. This research analyses the potential risks of the use of generative AI systems to fundamental patients’ rights. With a mixed methodology combining literature review and semi-structured interviews with experts and stakeholders, the study identifies three main areas of risk, each one associated with fundamental values: the right to medical data protection (privacy), the right to equal access to healthcare (justice), and the right to informed consent (autonomy). The report concludes with a discussion of the findings and presents legal and ethical recommendations to promote the benefits of generative AI in healthcare.\n1. Introduction\nThe increasing digitalization of healthcare is reshaping how healthcare professionals deal with clinical tasks and patient interactions. This technological shift is accelerated by systemic pressures that healthcare is facing today due to a double aging population and workforce shortages. Generative artificial intelligence (GenAI) has the capacity to help healthcare providers with clinical documentation, decision-making, and patient communication through automated processes. At the same time, the fast integration of GenAI models in healthcare raises ethical and legal concerns. For example, general-purpose AI models are already being used in clinical practice without being subject to high-risk regulatory requirements. 
This produces regulatory gaps that challenge the protection of fundamental patients’ rights in real-world clinical settings.\nThis report focuses on three main patients’ rights: the right to privacy, the right to equitable access, and the right to informed consent. These rights are represented in bioethical and legal frameworks for the protection of patients. The question guiding this study is the following: How does the use of generative AI in healthcare impact patients’ rights, particularly regarding privacy, justice, and autonomy? While the analysis is framed within the EU context, the concepts and findings remain relevant for broader global discussions. By identifying key risks, such as unauthorized access to health data, limitations of anonymization techniques, algorithmic bias, and digital informed consent, this study contributes to the growing body of research on AI in healthcare and the protection of patients’ rights.\n2. Context\n     2.1. What is Generative AI?\nGenerative artificial intelligence (GenAI) is a broad category of AI that, in addition to recognizing and predicting patterns, can also generate new content such as text, images, and sound, based on input and training data.[1] GenAI differs from traditional AI in two key ways: dynamic context and scale of use. While traditional AI is typically designed for specific contexts and predefined tasks, GenAI has a sort of “flexibility” and “creativity” that allows the model to learn new capabilities that it had never been explicitly trained for, allowing it to adapt to different contexts and uses.[2]  In this sense, GenAI is one single tool with multiple uses and applications.[3]\nBecause of this high adaptability, it is harder to interpret the complex learning algorithms of GenAI, which leads to less transparency of the system. 
Ultimately, when asking a GenAI model to create an outcome, if asked the same thing twice, it will provide inconsistent outcomes due to its probabilistic nature.\nA specific category of GenAI is large language models (LLMs), which are designed to generate human-like text. These models pertain to the class of natural language processing (NLP), the technology that allows computers to understand and process human language (an example would be Google Translate). LLMs are trained on enormous text datasets that allow the model to self-learn and create text on its own.[4]\nGenAI has gained significant attention since the release of ChatGPT, a chatbot made publicly available by the American organization OpenAI in 2019. Its ease and free accessibility reached widespread adoption[5] also in healthcare settings.[6]\n     2.2. Generative AI in Healthcare\nIn healthcare, traditional AI systems are used in several areas. For example, in radiology, they automate the detection and classification of medical images.[7] In emergency departments and intensive care units (ICUs), AI is used as a decision support system. 
For example, the Pacmed Critical model at Leiden University Medical Centre (UMC) (Netherlands) is a machine learning model that predicts readmission or death after ICU discharge.[8] AI is also used in patient monitoring to track physiological changes and provide predictive analytics: MS Sherpa is an application for multiple sclerosis that uses digital biomarkers to monitor symptom progression and disease activity.[9]\nGenAI offers new possibilities, mainly aimed at reducing administrative burdens, for instance, through automatically creating clinical documents like discharge letters, referral letters, and clinical notes.[10] For example, the UMC Utrecht (Netherlands) has developed an application that uses General Pre-training Transformer (GPT) to generate draft discharge letters.[11] GenAI is also being used to transcribe and summarize conversations between doctor and patient. “Autoscriber,” at Leiden UMC research department (Netherlands), is a digital scribe system that automatically records, transcribes, and summarizes the clinical encounter.[12] Besides administrative tasks, GenAI can assist with clinical decision-making by creating diagnosis and treatment recommendations based on patient data.[13] It also supports medical research activities like assisting in systematic reviews.[14] GenAI is also used to automatically answer patients’ questions related to their care. For example, at the Elizabeth-Twee Steden Hospital (Netherlands), a chatbot called “Eliza” answers patients’ medical questions.[15]\n     2.3. Current Use of Generative AI in Healthcare\nThe use of GenAI in healthcare is rapidly increasing, which is changing how healthcare providers manage clinical tasks and patient interactions. 
Recent empirical studies reveal that more than half of healthcare providers use ChatGPT, or similar general-purpose LLMs, to assist with clinical documentation, patient communication, clinical decision-making, research, and more.[16] These studies also show that despite this widespread use of GenAI, most healthcare providers lack the required knowledge and awareness of the risks of using this tool in general, and specifically for clinical tasks.[17] This lack of comprehension is probably because GenAI has only become popular and widespread recently, which makes it difficult to fully understand and assess the risks and scale of these technologies to society.\nThis gap in understanding GenAI’s risks is reflected in healthcare institutions. For example, a survey on AI use in Dutch hospitals found that GenAI was used in 57 percent of hospitals, with applications such as automatic transcriptions, document summarisation, and text generation.[18] The same study showed critical issues: in only 29 percent of hospitals, it was clear on what frequency AI models are retested, trained, and calibrated to errors such as hallucinations[19] and data drifting.[20] In more than half of the hospitals (52 percent), it is unknown whether, and if so, in what frequency, such practices occur at all, and in 11 percent, AI models are never retrained. Moreover, only 30 percent of hospitals reported having an AI policy describing the frameworks, standards, and guidelines for the use of AI.[21]\nAnother survey found that 76 percent of physicians reported using general-purpose LLMs, like ChatGPT, for clinical decision-making.[22] More than 60 percent of primary care doctors reported using them to check drug interactions; while more than half use them for diagnosis support, nearly half for clinical documentation, and more than 40 percent for treatment planning. 
Additionally, 70 percent use general-purpose LLMs for patient education and literature search.\nThese findings show a mismatch between the growing use of GenAI in clinical practices and the governance needed to ensure its responsible use. While GenAI has the potential to enhance efficiency and accuracy in clinical tasks, if it is integrated without the necessary knowledge, governance, legal, and ethical oversight, it can lead to harmful consequences to patients, such as data protection violations, automation bias, unclear accountability, healthcare inequality, incorrect clinical decisions, and the spread of misinformation.[23]\n     2.4. Regulatory Landscape\nAt the European Union (EU) level, efforts to regulate the safe use of AI in healthcare are currently fragmented. This means there is not one regulatory framework solely dedicated to governing the use of AI in healthcare. Instead, different laws cover different parts of the issue, including the European Union AI Act,[24] the General Data Protection Regulation,[25] and the Medical Devices Regulation.[26]\n          2.4.1. The European Union AI Act\nIn August 2024, the Artificial Intelligence (AI) Act entered into force. The AI Act is an EU regulation that sets rules for the development, introduction to the market, and deployment of AI systems. It adopts a risk-based approach: depending on the application and use of the system, it will fall under low, middle, high, or impermissible risk. The higher the risk, the stricter the regulatory requirements (e.g., risk management, data governance, human oversight).[27]\nMedical devices like AI diagnostic",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.562,
    "venue": "Voices in Bioethics",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W1981138049",
    "title": "Hacia un nuevo sistema europeo de protección de datos: las claves de la reforma",
    "authors": [
      "Artemi Rallo Lombarte"
    ],
    "date": "2012",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.5944/rdp.85.2012.10244",
    "pdfUrl": "http://revistas.uned.es/index.php/derechopolitico/article/download/10244/9782",
    "doi": "https://doi.org/10.5944/rdp.85.2012.10244",
    "abstract": "La Comisión Europea ha presentado sendas iniciativas legislativas dirigidas a reformar el sistema europeo de protección de datos: un proyecto de Reglamento General de Protección de Datos y un proyecto de Directiva en el ámbito de la Policía y la Justicia Penal. Estas propuestas suponen una revisión global del sistema europeo de protección de datos pues se sustentan sobre la base de un diferente instrumento normativo frente a la anterior Directiva 95/46 y abordan nuevas problemáticas que no estaban siendo satisfactoriamente resueltas por la normativa vigente (por ejemplo, el impacto de las nuevas tecnologías y de Internet). Estas iniciativas están llamadas a revolucionar el marco global europeo de la protección de datos y a provocar un extraordinario impacto en el sistema español al resultar de directa e inmediata aplicación el reglamento europeo y al proporcionar nuevos derechos a los ciudadanos. Esta nueva normativa europea de protección de datos está marcada por una inequívoca tendencia a la centralización comunitaria como se evidencia con el reforzamiento de los poderes de la Comisión Europea a través del recurso a los actos de delegación y de ejecución, con el establecimiento de un régimen sancionador común que fortalece la política represiva, con el otorgamiento de nuevos poderes a instituciones y organismos emergentes como el Consejo Europeo de Protección de Datos y el Supervisor Europeo de Protección de Datos y con la previsión de nuevos procedimientos europeos de cooperación y coherencia para garantizar la asistencia mutua, las investigaciones conjuntas y, en definitiva, la efectiva armonización europea. Además, este nuevo marco europeo busca hacer frente a la revolución tecnológica de nuestro tiempo otorgando más protección a los derechos de los ciudadanos —en particular, a los menores de edad— mediante la información y la transparencia, nuevos derechos como el olvido y la portabilidad y nuevas reglas procesales y jurisdiccionales. 
Por último, la nueva normativa busca reforzar una estrategia preventiva eficaz que contemple la protección de la privacidad desde el diseño y por defecto, mediante evaluaciones de impacto, con la existencia de delegados de protección de datos y, ante las transferencias internacionales, reconociendo jurídicamente el valor de las normas corporativas vinculantes. The European Commission has presented legislative initiatives aimed at reforming the European legal system for data protection: a draft General Data Protection Regulation and a draft Directive in the area of Police and Criminal Justice. These proposals represent a comprehensive European data protection legal system review because they support on the basis of a different standard-setting instrument versus the previous Directive 95/46 and addresses new issues which were not being satisfactorily resolved by current rules (for example, the impact of new technologies and the Internet). These initiatives are called to revolutionize the global European data protection framework and make a special impact in the Spanish legal system because of the direct and immediate application of European Regulation and providing new rights to citizens. This new European data protection regulation is marked by a clear trend towards European centralization as evidenced with the strengthening of the powers of the European Commission through the use of the delegated and implementing acts, with the laying down of a common system of penalties which strengthens the repressive policy, with the recognizing of new powers to current institutions and organizations as the European Data Protection Board and the Data Protection European Supervisor and with the forecast of new European procedures for cooperation and consistency to ensure mutual assistance, joint investigations and, ultimately, effective European harmonisation. 
In addition, this new European framework seeks to address the technological revolution of our time giving more protection to the rights of citizens —in particular, minors— through information and transparency, new rights as to be forgotten and portability and new procedural and jurisdictional rules. Finally, the new legislation seeks to enhance an effective preventive strategy that takes into account the privacy by design and by default, through impact assessments, with the existence of data protection officers and, related to international transfers, legally recognizing the value of binding corporate rules.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations",
      "Solutions Market"
    ],
    "relevanceScore": 0.562,
    "venue": "Revista de Derecho Político",
    "language": "es"
  },
  {
    "id": "gdprhub:6092",
    "title": "IMY (Sweden) - DI-2020-11373",
    "authors": [],
    "date": "2023-12-06",
    "platform": "gdprhub",
    "sourceUrl": "https://gdprhub.eu/index.php?title=IMY_(Sweden)_-_DI-2020-11373",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Tool enable IP anonymization, which means that IP addresses are truncated and contributes to data minimization. If the IP anonymization service is fully",
    "topics": [
      "enterprise_privacy_ops",
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.562,
    "venue": "",
    "language": "cs"
  },
  {
    "id": "openaire:oai:norma.ncirl.ie:7037",
    "title": "Personal Identifiable Information (PII) Detection and Identification for Fintech with AI and Text Analytics",
    "authors": [
      "Velishetty, Nagaraju"
    ],
    "date": "2023-08-14",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=oai:norma.ncirl.ie:7037",
    "pdfUrl": "",
    "doi": "",
    "abstract": "The detection of Personally Identifiable Information (PII) in text datasets is a critical task to safeguard privacy and ensure data protection. This abstract provides an overview of the application of Named Entity Recognition (NER) algorithms, particularly the BERT NER model, for PII detection on Unstructured text dataset. It introduces an innovative approach that combines deep learning techniques with rule-based methods to identify PII in unstructured text. The experiments conducted in this study demonstrate the effectiveness of the proposed model in accurately detecting PII entities. By integrating deep learning algorithms with rule-based methods, the model exhibits high accuracy in identifying PII, contributing to enhanced privacy and data security. It proposes a hybrid model for PII detection, which combines a deep learning-based NER model with rule-based patterns. Through evaluation, we demonstrate that the model achieves high precision and recall when detecting PII in text datasets. This hybrid approach capitalizes on the strengths of both deep learning and rule-based methods, providing a robust solution for PII detection. Moreover, one of the discussed resources focuses on practical techniques for PII detection. It emphasizes the utilization of pre-trained language models, such as BERT, and the importance of fine-tuning these models using domain-specific datasets. It highlights the significance of understanding the contextual nuances and specific types of PII relevant to the targeted domain. By leveraging pre-trained language models and finetuning them, the accuracy of PII detection can be significantly improved. This paper emphasizes the importance of PII detection in text datasets and explores various approaches to address this task. 
The combination of deep learning techniques with rule-based methods, as well as the utilization of pre-trained language models and fine-tuning, are presented as effective strategies for accurately identifying PII entities and e",
    "topics": [
      "pii_entity_types",
      "data_anonymization",
      "nlp_ner_tools"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.562,
    "venue": "",
    "language": "en"
  },
  {
    "id": "europepmc:40502247",
    "title": "Not Fully Synthetic: LLM-based Hybrid Approaches Towards Privacy-Preserving Clinical Note Sharing.",
    "authors": [
      "Rahman Sarkar A",
      "Chuang YS",
      "Jiang X",
      "Mohammed N."
    ],
    "date": "2025-06-10",
    "platform": "europe_pmc",
    "sourceUrl": "https://europepmc.org/article/MED/40502247",
    "pdfUrl": "https://europepmc.org/articles/PMC12150723?pdf=render",
    "doi": "",
    "abstract": "The publication and sharing of clinical notes are crucial for healthcare research and innovation. However, privacy regulations such as HIPAA and GDPR pose significant challenges. While de-identification techniques aim to remove protected health information, they often fall short of achieving complete privacy protection. Similarly, the current state of synthetic clinical note generation can lack nuance and content coverage. To address these limitations, we propose an approach that combines de-identification, filtration, and synthetic clinical note generation. Variations of this approach currently retain 36%-61% of the original note's content and fill the remaining gaps using an LLM, ensuring high information coverage. We also evaluated the de-identification performance of the hybrid notes, demonstrating that they surpass or at least match the standalone de-identification methods. Our results show that hybrid notes can maintain patient privacy while preserving the richness of clinical data. This approach offers a promising solution for safe and effective data sharing, encouraging further research.",
    "topics": [
      "sector_healthcare",
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Health & Genomic PII"
    ],
    "relevanceScore": 0.562,
    "venue": "AMIA Joint Summits on Translational Science proceedings. AMIA Joint Summits on Translational Science",
    "language": "en"
  },
  {
    "id": "openaire:oai:invenio.nusl.cz:357619",
    "title": "Obchodování s osobními údaji získanými online",
    "authors": [
      "Povejšil, Tomáš"
    ],
    "date": "2017-01-01",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=oai:invenio.nusl.cz:357619",
    "pdfUrl": "",
    "doi": "",
    "abstract": "In today's world of new media and big data, our personal data is a valuable commodity. This Master's thesis presents a little-known industry of personal data brokers. Databases of US data brokers contain surprisingly detailed and sensitive information of millions of Americans. The thesis also contains an analysis of risks related to insufficient protection of personal information in digital economy along with possibilities how to enhance our digital privacy in connection with data brokers. The core of the thesis is a comparative analysis of data broker legislation in the US, Canada and the European Union. The analysis shows that in the US there is no unified regulation of personal data protection from activities of data brokers but several laws partially regulating some aspects of personal data protection; this system allows trade in personal data even without the acknowledgement of the persons. On the other hand, regulation in the EU and Canada favours protection of personal data and privacy. In the EU each member state has its legal act on personal data protection based on the EU directive. In April 2018 this directive will be replaced by General Data Protection Regulation which will be directly applicable in all member states. Both current and future legislation, however, make the data broker...",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "linkability_tracking",
      "data_broker_surveillance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Data Brokers",
      "Enforcement",
      "Re-identification"
    ],
    "relevanceScore": 0.562,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:oai:repozitorij.uni-lj.si:IzpisGradiva.php?id=144727",
    "title": "Privacy–enhancing face biometrics",
    "authors": [
      "Meden, Blaž",
      "Rot, Peter",
      "Terhörst, Philipp",
      "Damer, Naser",
      "Kuijper, Arjan",
      "Scheirer, Walter J.",
      "Ross, Arun Abraham",
      "Peer, Peter",
      "Štruc, Vitomir"
    ],
    "date": "2021-01-01",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=oai:repozitorij.uni-lj.si:IzpisGradiva.php?id=144727",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Biometric recognition technology has made significant advances over the last decade and is now used across a number of services and applications. However, this widespread deployment has also resulted in privacy concerns and evolving societal expectations about the appropriate use of the technology. For example, the ability to automatically extract age, gender, race, and health cues from biometric data has heightened concerns about privacy leakage. Face recognition technology, in particular, has been in the spotlight, and is now seen by many as posing a considerable risk to personal privacy. In response to these and similar concerns, researchers have intensified efforts towards developing techniques and computational models capable of ensuring privacy to individuals, while still facilitating the utility of face recognition technology in several application scenarios. These efforts have resulted in a multitude of privacy–enhancing techniques that aim at addressing privacy risks originating from biometric systems and providing technological solutions for legislative requirements set forth in privacy laws and regulations, such as GDPR. The goal of this overview paper is to provide a comprehensive introduction into privacy–related research in the area of biometrics and review existing work on Biometric Privacy–Enhancing Techniques (B–PETs) applied to face biometrics. To make this work useful for as wide of an audience as possible, several key topics are covered as well, including evaluation strategies used with B–PETs, existing datasets, relevant standards, and regulations and critical open issues that will have to be addressed in the future.",
    "topics": [
      "biometric_surveillance",
      "gdpr_compliance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.562,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:oai:invenio.nusl.cz:509892",
    "title": "Možnosti využití technologie rozpoznávání obličejů v kontextu ochrany osobních údajů v EU",
    "authors": [
      "Soukupová, Jana"
    ],
    "date": "2022-01-01",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=oai:invenio.nusl.cz:509892",
    "pdfUrl": "",
    "doi": "",
    "abstract": "The Possibilities of the Use of Facial Recognition Technology in the Context of Personal Data Protection in the EU. Abstract: This thesis focuses on the data protection connected to the use of facial recognition technology in the EU. In particular, the purpose of the thesis is to assess under which circumstances and conditions the use of this technology complies with the GDPR. Marginally, the thesis addresses the risks and benefits of facial recognition technology. The thesis is divided into three parts. The first part examines the general data protection framework in the EU, with an emphasis on the protection of biometric data. The aim of this part is to outline the main legal background regarding the protection of biometric data and the general principles of data processing. In particular, the author criticizes the legal definition of biometric data, which does not correspond to the technological reality, and which may be problematic in the case of the application of Article 9 of the GDPR. The second part of the thesis is devoted to facial recognition technology itself, its different types, and applications. An understanding of the technology itself is crucial within this thesis for the correct application of the legal framework. The author also finds it necessary to examine the reasons why this technology...",
    "topics": [
      "data_anonymization",
      "biometric_surveillance",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Biometric & Immutable PII",
      "Enforcement"
    ],
    "relevanceScore": 0.562,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:oai:iris.unicampania.it:11591/559494",
    "title": "La regolamentazione della tecnologia di riconoscimento facciale tra privacy e tutela dei diritti fondamentali",
    "authors": [
      "Emilia Morra"
    ],
    "date": "2024-01-01",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=oai:iris.unicampania.it:11591/559494",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Il presente articolo si propone di analizzare la disciplina europea in materia di Facial Recognition Technology, e i rischi che essa comporta per la tutela dei diritti fondamentali, primo fra tutti quello alla protezione dei dati personali. Partendo dalle disposizioni del GDPR, la riflessione giunge sino agli ultimi interventi normativi e giurisprudenziali, soffermandosi sul testo definitivo dell’AI Act e sul caso Glukhin c. Russia dinanzi alla Corte europea dei diritti dell’uomo.",
    "topics": [
      "biometric_surveillance",
      "jurisdiction_regulatory",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.562,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|od_____10594::eee3a5806f67bc6001daaefadf495477",
    "title": "Riconoscimento facciale biometrico e libertà di manifestazione del pensiero: tecnologia e diritti in conflitto",
    "authors": [
      "COSTINITI, GABRIELE"
    ],
    "date": "",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=50|od_____10594::eee3a5806f67bc6001daaefadf495477",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Nell’elaborato vengono esplorati i profili giuridici connessi all’utilizzo delle tecnologie di riconoscimento facciale biometrico, riservando attenzione alle implicazioni sulla libertà di manifestazione del pensiero e sulla partecipazione democratica. Nella prima parte i sistemi sono analizzati dal punto di vista tecnico e delle criticità, tra cui l’accuratezza, i bias e la trasparenza. Si passa poi all’esame dei quadri normativi di riferimento: il GDPR, il White Paper on AI e il recente Regolamento UE 2024/1689 (AI Act). Viene successivamente dedicato spazio ai rischi derivanti dall’impiego di tali tecnologie nelle proteste e manifestazioni pubbliche, come nel caso Glukhin c. Russia e nel caso del Pride di Budapest del 2025, per comprendere l’importanza dell’effetto dissuasivo (chilling effect). Infine si propongono soluzioni normative e tecniche per un uso costituzionalmente compatibile delle TRF, come l’obbligo di valutazione d’impatto e l’adozione del principio di privacy by design.",
    "topics": [
      "privacy_engineering",
      "jurisdiction_regulatory",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations",
      "Solutions Market"
    ],
    "relevanceScore": 0.562,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:4026883",
    "title": "Meaningful Human Control to Detect Algorithmic Errors",
    "authors": [
      "Winston Maxwell"
    ],
    "date": "2023",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-04026883v1",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Is human control an effective way to detect algorithmic errors? For the CJEU, the systematic verification of algorithmic results by a human is an important safeguard to reduce the number of false positives, i.e. the number of people wrongly targeted by an algorithm designed to detect terrorism risks. But are we sure that human controls can actually detect these errors? And what kind of errors are we talking about? How should we organize human controls in order to best detect errors? In addition to the October 6, 2020 ruling of the CJEU, many other statutes and court decisions require human control over algorithmic decisions: the EU’s proposed AI Act, the GDPR, the Council of Europe’s Convention 108+, the State of Washington’s law on facial recognition, the EU’s PNR directive, international humanitarian law on lethal autonomous weapon systems, the CJEU’s 26 July 2017 opinion on PNR passenger data, and the EU regulation on online terrorist content, among others. From the standpoint of protecting individual rights, human control has two functions: first, it helps reduce the number of algorithmic errors, the objective referred to by the CJEU in its 6 October 2020 decision. Second, it helps guarantee a procedure that is respectful of individual rights. For the first function, the value of human control is linked solely to its success in reducing errors; it has a purely instrumental value. For the second function, human control has an intrinsic value of its own, related to the quality of the decision process for humans: process values. Having a human decision maker in the loop makes the decision process fairer, more respectful of human values, regardless of whether the human intervention reduces errors. This article focuses on the first function of human control, i.e. the correction of algorithmic errors. 
I will not discuss in this article the other objectives linked to human control, including its role in allocating liability and in demonstrating compliance in an accountability framework.",
    "topics": [
      "biometric_surveillance",
      "jurisdiction_regulatory",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.562,
    "venue": "",
    "language": "en"
  },
  {
    "id": "doaj:03f4c2c4017d4bdda5c40ec073e0c908",
    "title": "Novel Synthetic Dataset Generation Method with Privacy-Preserving for Intrusion Detection System",
    "authors": [
      "JaeCheol Kim",
      "Seungun Park",
      "Jaesik Cha",
      "Eunyeong Son",
      "Yunsik Son"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://www.mdpi.com/2076-3417/15/19/10609",
    "pdfUrl": "",
    "doi": "10.3390/app151910609",
    "abstract": "The expansion of Internet of Things (IoT) networks has enabled real-time data collection and automation across smart cities, healthcare, and agriculture, delivering greater convenience and efficiency; however, exposure to diverse threats has also increased. Machine learning-based Intrusion Detection Systems (IDSs) provide an effective means of defense, yet they require large volumes of data, and the use of raw IoT network data containing sensitive information introduces new privacy risks. This study proposes a novel privacy-preserving synthetic data generation model based on a tabular diffusion framework that incorporates Differential Privacy (DP). Among the three diffusion models (TabDDPM, TabSyn, and TabDiff), TabDiff with Utility-Preserving DP (UP-DP) achieved the best Synthetic Data Vault (SDV) Fidelity (0.98) and higher values on multiple statistical metrics, indicating improved utility. Furthermore, by employing the DisclosureProtection and attribute inference to infer and compare sensitive attributes on both real and synthetic datasets, we show that the proposed approach reduces privacy risk of the synthetic data. Additionally, a Membership Inference Attack (MIA) was also used for demonstration on models trained with both real and synthetic data. This approach decreases the risk of leaking patterns related to sensitive information, thereby enabling secure dataset sharing and analysis.",
    "topics": [
      "data_anonymization",
      "llm_privacy_attacks"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "AI Training PII"
    ],
    "relevanceScore": 0.55,
    "venue": "Applied Sciences",
    "language": "en"
  },
  {
    "id": "doaj:16c0c90d68fe43fca8837db475f7f2e6",
    "title": "Ethical concerns of open government data",
    "authors": [
      "Fredrick Ishengoma",
      "Deo Shao"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://www.emerald.com/jeet/article-pdf/5/2/206/10320105/jeet-06-2025-0035en.pdf",
    "pdfUrl": "https://www.emerald.com/jeet/article-pdf/5/2/206/10320105/jeet-06-2025-0035en.pdf",
    "doi": "10.1108/jeet-06-2025-0035",
    "abstract": "Purpose: This study aims to investigate the ethical challenges associated with open government data (OGD) initiatives. Design/methodology/approach: A systematic literature review (SLR) based on the Preferred Reporting Items for Systematic Review and Meta-Analysis Protocols (PRISMA-P) 2015 protocol was adopted to synthesize peer-reviewed and grey literature on ethical issues in OGD. The SLR is augmented by an illustrative analysis of real-world examples drawn from the synthesized literature, serving to demonstrate practical manifestations of ethical dilemmas. Findings: The study identifies four primary ethical domains in OGD ecosystems: privacy risks, data misuse, digital inequality and environmental sustainability. It reveals that technical safeguards like anonymization are often insufficient against re-identification threats. Real-world examples highlight how public–private data synergies contribute to surveillance and systemic bias, particularly in predictive policing and healthcare systems. In addition, unequal access to data resources exacerbates the digital divide, and environmental impacts of data-intensive technologies such as blockchain and artificial intelligence training are emphasized. Practical implications: The study proposes a set of policy and practical interventions including differential privacy mandates, algorithmic accountability frameworks, community-centered data literacy programs and energy-efficient data infrastructure guidelines. Originality/value: This study contributes to the literature by developing a comprehensive ethical taxonomy for OGD by integrating normative ethical theories.",
    "topics": [
      "data_anonymization",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.55,
    "venue": "Journal of Ethics in Entrepreneurship and Technology",
    "language": "en"
  },
  {
    "id": "openaire:jcp4030024",
    "title": "Data Privacy and Ethical Considerations in Database Management",
    "authors": [
      "Eduardo Pina",
      "José Ramos",
      "Henrique Jorge",
      "Paulo Váz",
      "José Silva",
      "Cristina Wanzeller",
      "Maryam Abbasi",
      "Pedro Martins"
    ],
    "date": "2024-07-29",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.3390/jcp4030024",
    "pdfUrl": "https://www.mdpi.com/2624-800X/4/3/24/pdf?version=1722250116",
    "doi": "10.3390/jcp4030024",
    "abstract": "Data privacy and ethical considerations ensure the security of databases by respecting individual rights while upholding ethical considerations when collecting, managing, and using information. Nowadays, despite having regulations that help to protect citizens and organizations, we have been presented with thousands of instances of data breaches, unauthorized access, and misuse of data related to such individuals and organizations. In this paper, we propose ethical considerations and best practices associated with critical data and the role of the database administrator who helps protect data. First, we suggest best practices for database administrators regarding data minimization, anonymization, pseudonymization and encryption, access controls, data retention guidelines, and stakeholder communication. Then, we present a case study that illustrates the application of these ethical implementations and best practices in a real-world scenario, showing the approach in action and the benefits of privacy. Finally, the study highlights the importance of a comprehensive approach to deal with data protection challenges and provides valuable insights for future research and developments in this field.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Journal of Cybersecurity and Privacy",
    "language": "en"
  },
  {
    "id": "openaire:info13020087",
    "title": "A Privacy-Preserving and Standard-Based Architecture for Secondary Use of Clinical Data",
    "authors": [
      "Mario Ciampi",
      "Mario Sicuranza",
      "Stefano Silvestri"
    ],
    "date": "2022-02-13",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.3390/info13020087",
    "pdfUrl": "https://www.mdpi.com/2078-2489/13/2/87/pdf?version=1645152798",
    "doi": "10.3390/info13020087",
    "abstract": "The heterogeneity of the formats and standards of clinical data, which includes both structured, semi-structured, and unstructured data, in addition to the sensitive information contained in them, require the definition of specific approaches that are able to implement methodologies that can permit the extraction of valuable information buried under such data. Although many challenges and issues that have not been fully addressed still exist when this information must be processed and used for further purposes, the most recent techniques based on machine learning and big data analytics can support the information extraction process for the secondary use of clinical data. In particular, these techniques can facilitate the transformation of heterogeneous data into a common standard format. Moreover, they can also be exploited to define anonymization or pseudonymization approaches, respecting the privacy requirements stated in the General Data Protection Regulation, Health Insurance Portability and Accountability Act and other national and regional laws. In fact, compliance with these laws requires that only de-identified clinical and personal data can be processed for secondary analyses, in particular when data is shared or exchanged across different institutions. This work proposes a modular architecture capable of collecting clinical data from heterogeneous sources and transforming them into useful data for secondary uses, such as research, governance, and medical education purposes. The proposed architecture is able to exploit appropriate modules and algorithms, carry out transformations (pseudonymization and standardization) required to use data for the second purposes, as well as provide efficient tools to facilitate the retrieval and analysis processes. Preliminary experimental tests show good accuracy in terms of quantitative evaluations.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Information",
    "language": "en"
  },
  {
    "id": "doaj:2269b52b27ca4043b4e1039bebe8b554",
    "title": "PETchain: A Blockchain-Based Privacy Enhancing Technology",
    "authors": [
      "Ibrahim Tariq Javed",
      "Fares Alharbi",
      "Tiziana Margaria",
      "Noel Crespi",
      "Kashif Naseer Qureshi"
    ],
    "date": "2021",
    "platform": "doaj",
    "sourceUrl": "https://ieeexplore.ieee.org/document/9373373/",
    "pdfUrl": "",
    "doi": "10.1109/access.2021.3064896",
    "abstract": "With the increasing use of smart devices and sensors, enormous amounts of data are being generated continuously. The data is commonly stored in centralized cloud platforms and consumed by different services. The data is indeed a valuable resource for many service providers who provide advanced features and utilities to their subscribers. However, user data include personal and sensitive information which can be misused in many ways. There is no way for a subscriber to confirm that their service provider is compliant with data privacy regulations. The existing privacy enhancing techniques such as anonymization and differential privacy substantially reduce data usability while ensuring privacy. Therefore, it remains essential to provide a feasible solution that allows service providers to take advantage of user data while guaranteeing their privacy. In this paper, we present PETchain: a novel privacy enhancing technology using blockchain and smartcontract. In PETchain, data is stored securely in a distributed manner and processed in a user-selected trusted execution environment. Users deploy the smartcontract that allows them to decide whether and how their data can be exploited by service providers. The feasibility and performance of PETchain are presented by implementing PETchain over a consortium Ethereum blockchain.",
    "topics": [
      "data_anonymization",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "IEEE Access",
    "language": "en"
  },
  {
    "id": "doaj:007985b3d70546cda2df17260b176852",
    "title": "How the First Medical Imaging Cancer Atlas EUCAIM Was Populated: The Experience of a Reference Hospital. [version 3; peer review: 2 approved, 1 approved with reservations]",
    "authors": [
      "Carina Soler Pons",
      "Ana de Marco García",
      "Ricard Martínez",
      "Irene Marín Radoszynski",
      "Ignacio Blanquer",
      "Damián Segrelles-Quilis",
      "Luis Martí-Bonmatí",
      "Leonor Cerdá Alberich",
      "Ana Penadés Blasco"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://open-research-europe.ec.europa.eu/articles/5-310/v3",
    "pdfUrl": "https://doi.org/10.12688/openreseurope.21016.1",
    "doi": "10.12688/openreseurope.21016.3",
    "abstract": "The fragmentation and decentralization of medical data, including radiological imaging, continue to challenge large-scale observational research across Europe. Artificial Intelligence (AI) applied to big datasets is transforming diagnosis and treatments towards precision medicine across many diseases, yet the lack of findable, accessible, and interoperable datasets still limits model development, validation, and final clinical translation. The European Federation for Cancer Images (EUCAIM) project was launched in 2023 to address these challenges by establishing a secure centralized and federated infrastructure for the secondary use of large-scale oncological imaging and related clinical data. By consolidating fragmented datasets, EUCAIM lays the groundwork for harmonized data governance and trusted cross-border sharing. Implementing a robust documentation framework is essential to ensure regulatory compliance, safeguard data integrity, and support secure data flows across institutional and national boundaries, fully aligned with European regulations and ethical standards. EUCAIM builds on the AI for Health Imaging (AI4HI) initiative (Predictive In-silico Multiscale Analytics to support cancer personalized diagnosis and prognosis, empowered by imaging biomarkers - PRIMAGE, Accelerating the lab to market transition of AI tools for cancer management - CHAIMELEON, Novel pan-European imaging platform for artificial intelligence advances in oncology - EuCanImage, An AI Platform integrating imaging data and models, supporting precision care through prostate cancer’s continuum - ProCancer-I, A multimodal AI-based toolbox and an interoperable health imaging repository for the empowerment of imaging analysis related to the diagnosis, prediction and follow-up of cancer - INCISIVE and integrates over 94 partners and more than 180 stakeholders spanning medical imaging, high performance computing, data standardization, innovation, and legal compliance. 
This large collaborative ecosystem reinforces EUCAIM’s role as a reference for General Data Protection Regulation (GDPR) and European Health Data Space Regulation (EHDSR) adherence. This publication presents the real-world experience of integrating imaging and clinical data from a reference university hospital into the EUCAIM infrastructure. It outlines the procedural, ethical, and legal challenges encountered, and details the strategies implemented to ensure compliance with data protection regulations, including privacy, security, and ethical standards. These insights offer a practical framework for future large-scale oncological imaging datasets harmonization and AI development, contributing to scalable, reproducible, and legally compliant research that strengthens Europe’s capacity for trustworthy AI-driven oncology solutions.",
    "topics": [
      "gdpr_compliance",
      "ai_governance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Open Research Europe",
    "language": "en"
  },
  {
    "id": "doaj:02dfa5f67d594ed9b69ae3ef89d74031",
    "title": "A Novel Homomorphic Approach for Preserving Privacy of Patient Data in Telemedicine",
    "authors": [
      "Yasir Iqbal",
      "Shahzaib Tahir",
      "Hasan Tahir",
      "Fawad Khan",
      "Saqib Saeed",
      "Abdullah M. Almuhaideb",
      "Adeel M. Syed"
    ],
    "date": "2022",
    "platform": "doaj",
    "sourceUrl": "https://www.mdpi.com/1424-8220/22/12/4432",
    "pdfUrl": "",
    "doi": "10.3390/s22124432",
    "abstract": "Globally, the surge in disease and urgency in maintaining social distancing has reawakened the use of telemedicine/telehealth. Amid the global health crisis, the world adopted the culture of online consultancy. Thus, there is a need to revamp the conventional model of the telemedicine system as per the current challenges and requirements. Security and privacy of data are main aspects to be considered in this era. Data-driven organizations also require compliance with regulatory bodies, such as HIPAA, PHI, and GDPR. These regulatory compliance bodies must ensure user data privacy by implementing necessary security measures. Patients and doctors are now connected to the cloud to access medical records, e.g., voice recordings of clinical sessions. Voice data reside in the cloud and can be compromised. While searching voice data, a patient’s critical data can be leaked, exposed to cloud service providers, and spoofed by hackers. Secure, searchable encryption is a requirement for telemedicine systems for secure voice and phoneme searching. This research proposes the secure searching of phonemes from audio recordings using fully homomorphic encryption over the cloud. It utilizes IBM’s homomorphic encryption library (HElib) and achieves indistinguishability. Testing and implementation were done on audio datasets of different sizes while varying the security parameters. The analysis includes a thorough security analysis along with leakage profiling. The proposed scheme achieved higher levels of security and privacy, especially when the security parameters increased. However, in use cases where higher levels of security were not desirous, one may rely on a reduction in the security parameters.",
    "topics": [
      "privacy_engineering",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "Sensors",
    "language": "en"
  },
  {
    "id": "doaj:097e349a7d19410ebe55dc572b26560f",
    "title": "Transitioning to a Hyperledger Fabric Quantum-Resistant Classical Hybrid Public Key Infrastructure",
    "authors": [
      "Robert Campbell"
    ],
    "date": "2019",
    "platform": "doaj",
    "sourceUrl": "https://doi.org/10.31585/jbba-2-2-(4)2019",
    "pdfUrl": "",
    "doi": "10.31585/jbba-2-2-(4)2019",
    "abstract": "This research has two parts; the first is to identify enterprise Hyperledger Fabric (HLF) blockchain cybersecurity vulnerabilities, threats, and legal obligations in a Post-Quantum Cryptography (PQC) world. HLF is a permissioned blockchain designed by IBM and uses Public Key Infrastructure (PKI), for digital signatures, and digital identities (X.509 certificates), which are critical to the operational security of its network. On 24 January 2019, Aetna, Anthem, Health Care Service Corporation, PNC Bank, and IBM announced collaboration to establish a blockchain-based ecosystem for the healthcare industry [1]. Quantum computing poses a devastating impact on PKI and estimates of its large-scale commercial arrival should not be underestimated and cannot be predicted. The HIPAA (Health Insurance Portability and Accountability Act) and General Data Protection Regulation (GDPR) require “reasonable” measures to be taken to protect Protected Health Information (PHI), and Personally Identifiable Information (PII). However, HLF’s ecosystem is not post-quantum resistant, and all data that is transmitted over its network is vulnerable to immediate or later decryption by large scale quantum computers. The second part of this research is the independent evaluation and testing of National Institute of Standards and Technology (NIST), based Second Round Candidate PQC, lattice-based digital signature scheme, qTESLA. Its second-round submission is much improved; however, its algorithm characteristics and parameters are such that it is unlikely to be a quantum-resistant “as is,” simple “plug-and-play” function and replacement for HLF’s PKI. This work also proposes qTESLA’s public keys be used to create a quantum-resistant\\classical hybrid PKI near-term replacement.",
    "topics": [
      "gdpr_compliance",
      "sector_healthcare"
    ],
    "painPointTracks": [
      "Enforcement",
      "Health & Genomic PII"
    ],
    "relevanceScore": 0.55,
    "venue": "The Journal of The British Blockchain Association",
    "language": "en"
  },
  {
    "id": "doaj:0df586580a16470f8ed431f235e2c6c1",
    "title": "Learners' perception of data privacy when using AI language models: Reflective diary analysis of undergraduates in China",
    "authors": [
      "XiaoShu Xu",
      "Jia Liu",
      "Rong Zheng",
      "Vivian Ngan-Lin Lei",
      "Qin An"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "http://www.sciencedirect.com/science/article/pii/S0001691825008042",
    "pdfUrl": "",
    "doi": "10.1016/j.actpsy.2025.105491",
    "abstract": "The rapid advancement of AI language models in education—exemplified by tools such as ChatGPT—has highlighted their transformative potential alongside pressing ethical concerns, particularly regarding data privacy. This study explores undergraduate’ perceptions of data privacy at a comprehensive university in China, using reflective diaries based on five open-ended prompts derived from a literature review. Grounded in Lazarus's Cognitive and Affective Processing Theory and Kahneman's Dual-Process Theory, thematic analysis reveals that students have significant concerns about data leakage, unethical data exploitation through big data analytics, and algorithmic bias that may undermine fairness in academic evaluation and reinforce existing inequalities. Findings call for enforceable data governance in schools—compliance with child-data laws (e.g., GDPR, COPPA), clear school–vendor roles, purpose limitation/minimisation/retention controls, and age-appropriate notices with consent/assent where required. This study contributes to the discourse on AI ethics in education, offering actionable insights for educators and policymakers aiming to ensure the responsible, secure, and equitable integration of AI technologies in learning environments.",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.55,
    "venue": "Acta Psychologica",
    "language": "en"
  },
  {
    "id": "doaj:1245506d16194fa884dc5bddfadf44e8",
    "title": "Health data privacy through homomorphic encryption and distributed ledger computing: an ethical-legal qualitative expert assessment study",
    "authors": [
      "James Scheibner",
      "Marcello Ienca",
      "Effy Vayena"
    ],
    "date": "2022",
    "platform": "doaj",
    "sourceUrl": "https://doi.org/10.1186/s12910-022-00852-2",
    "pdfUrl": "https://bmcmedethics.biomedcentral.com/counter/pdf/10.1186/s12910-022-00852-2",
    "doi": "10.1186/s12910-022-00852-2",
    "abstract": "Abstract Background Increasingly, hospitals and research institutes are developing technical solutions for sharing patient data in a privacy preserving manner. Two of these technical solutions are homomorphic encryption and distributed ledger technology. Homomorphic encryption allows computations to be performed on data without this data ever being decrypted. Therefore, homomorphic encryption represents a potential solution for conducting feasibility studies on cohorts of sensitive patient data stored in distributed locations. Distributed ledger technology provides a permanent record on all transfers and processing of patient data, allowing data custodians to audit access. A significant portion of the current literature has examined how these technologies might comply with data protection and research ethics frameworks. In the Swiss context, these instruments include the Federal Act on Data Protection and the Human Research Act. There are also institutional frameworks that govern the processing of health related and genetic data at different universities and hospitals. Given Switzerland’s geographical proximity to European Union (EU) member states, the General Data Protection Regulation (GDPR) may impose additional obligations. Methods To conduct this assessment, we carried out a series of qualitative interviews with key stakeholders at Swiss hospitals and research institutions. These included legal and clinical data management staff, as well as clinical and research ethics experts. These interviews were carried out with two series of vignettes that focused on data discovery using homomorphic encryption and data erasure from a distributed ledger platform. Results For our first set of vignettes, interviewees were prepared to allow data discovery requests if patients had provided general consent or ethics committee approval, depending on the types of data made available. 
Our interviewees highlighted the importance of protecting against the risk of reidentification given different types of data. For our second set, there was disagreement amongst interviewees on whether they would delete patient data locally, or delete data linked to a ledger with cryptographic hashes. Our interviewees were also willing to delete data locally or on the ledger, subject to local legislation. Conclusion Our findings can help guide the deployment of these technologies, as well as determine ethics and legal requirements for such technologies.",
    "topics": [
      "gdpr_compliance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "BMC Medical Ethics",
    "language": "en"
  },
  {
    "id": "doaj:02494a17aee54a549ae0e989c23c732f",
    "title": "Design of an improved model using federated learning and LSTM autoencoders for secure and transparent blockchain network transactions",
    "authors": [
      "R. Vijay Anand",
      "G. Magesh",
      "I. Alagiri",
      "Madala Guru Brahmam",
      "Balamurugan Balusamy",
      "Chithirai Pon Selvan",
      "Haya Mesfer Alshahrani",
      "Masresha Getahun",
      "Ben Othman Soufiene"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://doi.org/10.1038/s41598-024-83564-4",
    "pdfUrl": "https://europepmc.org/articles/PMC11724004?pdf=render",
    "doi": "10.1038/s41598-024-83564-4",
    "abstract": "Abstract With the advancement of this digital era and the emergence of DApps and Blockchain, secure, robust and transparent network transaction has become invaluable today. These traditional methods of securing the transactions and maintaining transparency have encountered many challenges. It includes some such issues as follows: data privacy, centralized vulnerability, inefficiency in fraud detection and much more. To that effect, and to address such limitations, this paper provides a blockchain technology framework that is driven by advanced machine learning techniques, which will enhance security and transparency throughout the network of transactions. We begin with a design framework based on Federated Learning for Blockchain Integration where distributed datasets across blockchain nodes contribute to a global machine learning model but do not share raw data samples. Different nodes learn their own models. After that, these local models are aggregated towards a common, global model using secure aggregation methods, which makes sure that there is nozza of data privacy and hence, in the process making sure that more accurate models can be obtained due to diversified data sets. With LSTMs Autoencoders, more excellent security protocols are created for anomaly detection and fraud. So, by training the autoencoder on normal transaction data, the system can alert transactions with high reconstruction errors, meaning real-time anomalies. This proactive detection of anomalies reduces fraudulent activities significantly as most of the threats are recognized early. To this end, this paper proposes Smart Contract-based Model Management for machine learning models in a decentralized environment. Smart contracts are responsible for the submission, validation, and execution of the locally updated models in a decentralized fashion such that the management process is transparent and tamper resistant. 
Integrity and authenticity requirements are fulfilled by enforcing consensus mechanisms. Privacy in Machine Learning is guaranteed through Differential Privacy and Homomorphic Encryption. Differential privacy techniques, so as to ensure individual transaction data privacy in the updates of the local model before aggregation. In homomorphic encryption, computations are made in the encrypted form so when forming privacy preserving global model, privacy is preserved. The Real-time analysis of the transactions can be done with CNNs to detect fraud. Streaming transaction data is analyzed by CNNs leveraging the privacy-preserving global model and producing immediate alerts and actions for detected fraud. This real timing makes the network even more reliable and trustworthy. Our proposed framework is effective according to the interim outcomes where the aggregation of local models occurred without data leakage, detected anomalies very efficiently, managed models very transparently, with privacy of data at a very high level, and easily detected fraudulent transactions. The work presented here provides a great boost to send secure and very easily transparent transactions across the network, and thus resulted in enhanced network trust and decentralization.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "Scientific Reports",
    "language": "en"
  },
  {
    "id": "doaj:23e4b65e8a8d4ccba471ac5823953265",
    "title": "BRON: A blockchained framework for privacy information retrieval in human resource management",
    "authors": [
      "Gulshan Kumar",
      "Rahul Saha",
      "Manish Gupta",
      "Tai Hoon Kim"
    ],
    "date": "2024",
    "platform": "doaj",
    "sourceUrl": "http://www.sciencedirect.com/science/article/pii/S2405844024094246",
    "pdfUrl": "",
    "doi": "10.1016/j.heliyon.2024.e33393",
    "abstract": "The correctness and the true validated data in Human Resource Management (HRM) are important for organizations as the data plays an impactful role in recruiting, developing, and retaining a skilled workforce. On one hand, the validated data in an organization helps in recruiting legitimate skillful employees; on the other hand, keeping the employee's data safe and maintaining privacy laws such as compliance with the General Data Protection Regulation (GDPR) is also an organization's responsibility. Besides, transparency in human resource management operations is crucial because it promotes trust and fairness within an organization. The present HRM systems are centralized in nature and their verifiable credential system is ineffective; this leads to the intentions of internal data sabotage or internal threats. Besides, the organizations' biases also become more prominent. In this paper, we address the above-mentioned problems with a blockchain framework for HRM to utilize the privacy of data access through a Privacy Information Retrieval (PIR) process. To be specific, our proposed framework called Blockchained piR of resOurces as humaN (BRON), is the first blockchain framework to show an effective mechanism to access data from organizations globally without hampering privacy. BRON uses a generalized user registration process to use the services of data access and in the background, it uses Zero-Knowledge Proofs (ZKPs) for global verification and PIR for privacy-based data retrieval. More specifically, credential verification and ZKP-based PIR are the highlights of our proposed BRON. Another interesting aspect of BRON is the use of Proof-of-Authority (PoA) to validate the anonymity and unlinkability of any HR operation. Finally, BRON has also contributed with a smart contract to incentivize the employees. BRON is very generic and can easily be customized as per the HR requirements. 
We run a set of experiments on BRON and observe that it is successful in providing privacy-assured data access and decentralized human resource data management. Overall, BRON provides 30% reduced latency and 35% better throughput as compared to the existing blockchain solutions in the direction of HRM.",
    "topics": [
      "gdpr_compliance",
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "Heliyon",
    "language": "en"
  },
  {
    "id": "doaj:7d920e13c4ce409bb74fb615ffb15c59",
    "title": "Privacy Preservation in e-Healthcare Environments: State of the Art and Future Directions",
    "authors": [
      "Muneeb Ahmed Sahi",
      "Haider Abbas",
      "Kashif Saleem",
      "Xiaodong Yang",
      "Abdelouahid Derhab",
      "Mehmet A. Orgun",
      "Waseem Iqbal",
      "Imran Rashid",
      "Asif Yaseen"
    ],
    "date": "2018",
    "platform": "doaj",
    "sourceUrl": "https://ieeexplore.ieee.org/document/8089328/",
    "pdfUrl": "",
    "doi": "10.1109/access.2017.2767561",
    "abstract": "e-Healthcare promises to be the next big wave in healthcare. It offers all the advantages and benefits imaginable by both the patient and the user. However, current e-Healthcare systems are not yet fully developed and mature, and thus lack the degree of confidentiality, integrity, privacy, and user trust necessary to be widely implemented. Two primary aspects of any operational healthcare enterprise are the quality of healthcare services and patient trust over the healthcare enterprise. Trust is intertwined with issues like confidentiality, integrity, accountability, authenticity, identity, and data management, to name a few. Privacy remains one of the biggest obstacles to ensuring the success of e-Healthcare solutions in winning patient trust as it indirectly covers most security concerns. Addressing privacy concerns requires addressing security issues like access control, authentication, non-repudiation, and accountability, without which end-to-end privacy cannot be ensured. Achieving privacy from the point of data collection in wireless sensor networks, to incorporating the Internet of Things, to communication links, and to data storage and access, is a huge undertaking and requires extensive work. Privacy requirements are further compounded by the fact that the data handled in an enterprise are of an extremely personal and private nature, and its mismanagement, either intentionally or unintentionally, could seriously hurt both the patient and future prospects of an e-Healthcare enterprise. Research carried out in order to address privacy concerns is not homogenous in nature. It focuses on the failure of certain parts of the e-Healthcare enterprise to fully address all aspects of privacy. In the middle of this ongoing research and implementation, a gradual shift has occurred, moving e-Healthcare enterprise controls away from an organizational level toward the level of patients. 
This is intended to give patients more control and authority over decision making regarding their protected health information/electronic health record. A lot of works and efforts are necessary in order to better assess the feasibility of this major shift in e-Healthcare enterprises. Existing research can be naturally divided on the basis of techniques used. These include data anonymization/pseudonymization and access control mechanisms primarily for stored data privacy. This, however, results in giving a back seat to certain privacy requirements (accountability, integrity, non-repudiation, and identity management). This paper reviews research carried out in this regard and explores whether this research offers any possible solutions to either patient privacy requirements for e-Healthcare or possibilities for addressing the (technical as well as psychological) privacy concerns of the users.",
    "topics": [
      "data_anonymization",
      "sector_healthcare"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Health & Genomic PII"
    ],
    "relevanceScore": 0.55,
    "venue": "IEEE Access",
    "language": "en"
  },
  {
    "id": "doaj:18a3404ad6b64467aff932d551782fec",
    "title": "A decentralized privacy-preserving XR system for 3D medical data visualization using hybrid biometric cryptosystem",
    "authors": [
      "Shreyansh Sharma",
      "Debasis Das",
      "Santanu Chaudhury"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://doi.org/10.1038/s41598-025-08784-8",
    "pdfUrl": "https://europepmc.org/articles/PMC12325659?pdf=render",
    "doi": "10.1038/s41598-025-08784-8",
    "abstract": "Abstract In the era of digital healthcare, accurate and secure 3D visualization of medical data is critical for collaborative surgical planning. Traditional centralized systems suffer from security vulnerabilities and lack of depth cues necessary for accurate visualization of complex anatomy. We present a decentralized Extended Reality (XR)-based framework integrating a Hybrid Biometric Cryptosystem (HBC), hierarchical redactable blockchain, and InterPlanetary File System (IPFS)-based storage to address these limitations. The HBC combines leveled Homomorphic Encryption (HE) and Fuzzy Vault (FV) schemes for privacy-preserving multimodal biometric authentication. A hierarchical blockchain ensures tamper-resistance, consensus-based redactions, and secure access control. Photorealistic, spatially registered 3D models of brain MRI data are rendered in Augmented Reality (AR) and Mixed Reality (MR), enabling intuitive surgical planning. Edge caching accelerates data retrieval, enabling real-time interaction. Real-world deployment on Android and HoloLens 2 platforms demonstrates the clinical utility and robustness of the proposed framework. Security analysis confirms resistance to security threats such as replay, spoofing, etc, and unauthorized redactions. We achieve Equal Error Rates (EER) of 0.53% in AR and 0.68% in MR environments, with average authentication latency under 530 ms. A structured user study involving 40 clinicians confirms the system’s clinical utility, usability, and compliance with GDPR (General Data Protection Regulation) and HIPAA (Health Insurance Portability and Accountability Act) regulations. Therefore, the proposed framework offers a scalable, secure, and immersive platform for collaborative medical data visualization in digital healthcare.",
    "topics": [
      "gdpr_compliance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "Scientific Reports",
    "language": "en"
  },
  {
    "id": "doaj:1bb47cb6f00542a6acca3d07b0739495",
    "title": "From cybersecurity to digital health: an AI-based eGuide framework for Oman's healthcare centers",
    "authors": [
      "Akbar Khanan",
      "Yasir Abdelgadir Mohamed",
      "Mohamed Bashir",
      "Dil Nawaz Hakro",
      "Dil Nawaz Hakro",
      "Danish Garg"
    ],
    "date": "2026",
    "platform": "doaj",
    "sourceUrl": "https://www.frontiersin.org/articles/10.3389/fcomp.2026.1719783/full",
    "pdfUrl": "",
    "doi": "10.3389/fcomp.2026.1719783",
    "abstract": "The AI-based eGuide platform for healthcare centers in Oman represents a cornerstone of the Sultanate's critical national health infrastructure, underpinning both patient care and national resilience. This paper develops a comprehensive cybersecurity and governance framework to secure the eGuide system against an increasingly complex threat landscape characterized by phishing campaigns, ransomware incidents, and data leakage risks. Building upon global best practices, the study advances a transition from legacy perimeter security models toward a Zero Trust Architecture, ensuring continuous authentication, dynamic authorization, and micro segmentation of services. The framework is reinforced by the adoption of ISO/IEC 27000 aligned governance, demonstrable compliance with Oman's Personal Data Protection Law (PDPL), the General Data Protection Regulation (GDPR), and the Health Insurance Portability and Accountability Act (HIPAA). Further contribution is the integration of mathematically verified security primitives, including multi-factor authentication, hybrid RBAC cum ABAC access models, and blockchain-enabled audit trails, providing rigorous assurances of privacy, integrity, and accountability. The methodology also incorporates continuous evaluation cycles and penetration testing strategies, enabling proactive detection and mitigation of vulnerabilities. By embedding resilience through architectural scalability, high-availability patterns, and disaster recovery mechanisms, this research positions the eGuide platform as a secure, reliable, and future-ready foundation for Oman's digital health ecosystem.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Frontiers in Computer Science",
    "language": "en"
  },
  {
    "id": "doaj:28f1f414520e4c4ebb25336c3341fca9",
    "title": "Data Security and Privacy in GPT Models: Techniques and Challenges",
    "authors": [
      "David Ghiurău",
      "Daniela Elena Popescu"
    ],
    "date": "2026",
    "platform": "doaj",
    "sourceUrl": "https://www.mdpi.com/2076-3417/16/4/1900",
    "pdfUrl": "",
    "doi": "10.3390/app16041900",
    "abstract": "The rapid advancement of Generative Pre-trained Transformer (GPT) models has led to their widespread adoption across applied domains such as healthcare, finance, education, and enterprise software engineering. However, the large-scale data requirements and generative capabilities of these models introduce significant challenges related to data security, privacy preservation, and regulatory compliance. This paper presents a systematic literature review conducted in accordance with the PRISMA 2020 guidelines, analyzing 60 peer-reviewed empirical studies published between 2020 and 2025 in Q1 and Q2 journals indexed in the Web of Science Core Collection. The review examines the evolution of GPT architectures and evaluates state-of-the-art security and privacy techniques, including encryption, differential privacy, federated learning, data anonymization, model distillation, and secure deployment mechanisms. Key challenges identified include unintended memorization of sensitive data, adversarial prompt-based attacks, and performance degradation resulting from privacy-preserving constraints, with reported accuracy reductions ranging from 5% to 20% depending on the applied technique. Additionally, the analysis highlights increased computational overhead, in some cases exceeding 30–40% training or inference cost when advanced cryptographic methods are employed. Regulatory and ethical implications are assessed in relation to frameworks such as GDPR, CCPA, HIPAA, and the proposed EU Artificial Intelligence Act. The findings emphasize the need for privacy-by-design approaches and scalable governance strategies to support secure and trustworthy deployment of GPT models in applied real-world environments.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Applied Sciences",
    "language": "en"
  },
  {
    "id": "doaj:8ca461563dfb423e9f1f04ade8ff58f6",
    "title": "Privacy preserving strategies for electronic health records in the era of large language models",
    "authors": [
      "Jitendra Jonnagaddala",
      "Zoie Shui-Yee Wong"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://doi.org/10.1038/s41746-025-01429-0",
    "pdfUrl": "",
    "doi": "10.1038/s41746-025-01429-0",
    "abstract": "Electronic health records (EHRs) secondary usage with large language models (LLMs) raise privacy challenges. National regulations like GDPR and HIPAA offer protection frameworks, but specific strategies are needed to mitigate risk in generative AI. Risks can be reduced by using strategies like privacy-preserving locally deployed LLMs, synthetic data generation, differential privacy, and deidentification. Depending on the task, strategies should be employed to increase compliance with patient privacy regulatory frameworks.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "npj Digital Medicine",
    "language": "en"
  },
  {
    "id": "doaj:dcfde2cfd0304377bb4d4d58ee5f4831",
    "title": "A Comprehensive Survey of Cybersecurity Threats and Data Privacy Issues in Healthcare Systems",
    "authors": [
      "Ramsha Qureshi",
      "Insoo Koo"
    ],
    "date": "2026",
    "platform": "doaj",
    "sourceUrl": "https://www.mdpi.com/2076-3417/16/3/1511",
    "pdfUrl": "",
    "doi": "10.3390/app16031511",
    "abstract": "The rapid digital transformation of healthcare has improved clinical efficiency, patient engagement, and data accessibility, but it has also introduced significant cyber security and data privacy challenges. Healthcare IT systems increasingly rely on interconnected networks, electronic health records (EHRs), tele-medicine platforms, cloud infrastructures, and Internet of Medical Things (IoMT) devices, which collectively expand the attack surface for cyber threats. This scoping review maps and synthesizes recent evidence on cyber security risks in healthcare, including ransomware, data breaches, insider threats, and vulnerabilities in legacy systems, and examines key data privacy concerns related to patient confidentiality, regulatory compliance, and secure data governance. We also review contemporary security strategies, including encryption, multi-factor authentication, zero-trust architecture, blockchain-based approaches, AI-enabled threat detection, and compliance frameworks such as HIPAA and GDPR. Persistent challenges include integrating robust security with clinical usability, protecting resource-limited hospital environments, and managing human factors such as staff awareness and policy adherence. Overall, the findings suggest that effective healthcare cyber security requires a multi-layered defense combining technical controls, continuous monitoring, governance and regulatory alignment, and sustained organizational commitment to security culture. Future research should prioritize adaptive security models, improved standardization, and privacy-preserving analytics to protect patient data in increasingly complex healthcare ecosystems.",
    "topics": [
      "privacy_engineering",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "Applied Sciences",
    "language": "en"
  },
  {
    "id": "doaj:f593dcb53c0c44ffabaf9c7ced233cf7",
    "title": "Federated Security for Privacy Preservation of Healthcare Data in Edge-Cloud Environments",
    "authors": [
      "Rasanga Jayaweera",
      "Himanshu Agrawal",
      "Nickson M. Karie"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://www.mdpi.com/1424-8220/25/16/5108",
    "pdfUrl": "",
    "doi": "10.3390/s25165108",
    "abstract": "Digital transformation in healthcare has introduced data privacy challenges, as hospitals struggle to protect patient information while adopting digital technologies such as AI, IoT, and cloud more rapidly than ever before. The adoption of powerful third-party Machine Learning as a Service (MLaaS) solutions for disease prediction has become a common practice. However, these solutions offer significant privacy risks when sensitive healthcare data are shared externally to a third-party server. This raises compliance concerns under regulations like HIPAA, GDPR, and Australia’s Privacy Act. To address these challenges, this paper explores a decentralized, privacy-preserving approach to train the models among multiple healthcare stakeholders, integrating Federated Learning (FL) with Homomorphic Encryption (HE), ensuring model parameters remain protected throughout the learning process. This paper proposes a novel Homomorphic Encryption-based Adaptive Tuning for Federated Learning (HEAT-FL) framework to select encryption parameters based on model layer sensitivity. The proposed framework leverages the CKKS scheme to encrypt model parameters on the client side before sharing. This enables secure aggregation at the central server without requiring decryption, providing an additional layer of security through model-layer-wise parameter management. The proposed adaptive encryption approach significantly improves runtime efficiency while maintaining a balanced level of security. Compared to the existing frameworks (non-adaptive) using 256-bit security settings, the proposed framework offers a 56.5% reduction in encryption time for 10 clients and 54.6% for four clients per epoch.",
    "topics": [
      "privacy_engineering",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "Sensors",
    "language": "en"
  },
  {
    "id": "doaj:ae1cd06aa76a47179c3b2a7343860011",
    "title": "A comprehensive tool for creating and evaluating privacy-preserving biomedical prediction models",
    "authors": [
      "Johanna Eicher",
      "Raffael Bild",
      "Helmut Spengler",
      "Klaus A. Kuhn",
      "Fabian Prasser"
    ],
    "date": "2020",
    "platform": "doaj",
    "sourceUrl": "https://doi.org/10.1186/s12911-020-1041-3",
    "pdfUrl": "",
    "doi": "10.1186/s12911-020-1041-3",
    "abstract": "Background: Modern data driven medical research promises to provide new insights into the development and course of disease and to enable novel methods of clinical decision support. To realize this, machine learning models can be trained to make predictions from clinical, paraclinical and biomolecular data. In this process, privacy protection and regulatory requirements need careful consideration, as the resulting models may leak sensitive personal information. To counter this threat, a wide range of methods for integrating machine learning with formal methods of privacy protection have been proposed. However, there is a significant lack of practical tools to create and evaluate such privacy-preserving models. In this software article, we report on our ongoing efforts to bridge this gap. Results: We have extended the well-known ARX anonymization tool for biomedical data with machine learning techniques to support the creation of privacy-preserving prediction models. Our methods are particularly well suited for applications in biomedicine, as they preserve the truthfulness of data (e.g. no noise is added) and they are intuitive and relatively easy to explain to non-experts. Moreover, our implementation is highly versatile, as it supports binomial and multinomial target variables, different types of prediction models and a wide range of privacy protection techniques. All methods have been integrated into a sound framework that supports the creation, evaluation and refinement of models through intuitive graphical user interfaces. To demonstrate the broad applicability of our solution, we present three case studies in which we created and evaluated different types of privacy-preserving prediction models for breast cancer diagnosis, diagnosis of acute inflammation of the urinary system and prediction of the contraceptive method used by women. 
In this process, we also used a wide range of different privacy models (k-anonymity, differential privacy and a game-theoretic approach) as well as different data transformation techniques. Conclusions: With the tool presented in this article, accurate prediction models can be created that preserve the privacy of individuals represented in the training set in a variety of threat scenarios. Our implementation is available as open source software.",
    "topics": [
      "data_anonymization",
      "enterprise_privacy_ops"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "BMC Medical Informatics and Decision Making",
    "language": "en"
  },
  {
    "id": "pubmed:37205164",
    "title": "Anonymization of whole slide images in histopathology for research and education.",
    "authors": [
      "Bisson, Tom",
      "Franz, Michael",
      "Dogan O, Isil",
      "Romberg, Daniel",
      "Jansen, Christoph",
      "Hufnagl, Peter",
      "Zerbe, Norman"
    ],
    "date": "2023-05-09",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1101/2022.04.06.22273523v2",
    "pdfUrl": "",
    "doi": "10.1101/2022.04.06.22273523v2",
    "abstract": "OBJECTIVE: The exchange of health-related data is subject to regional laws and regulations, such as the General Data Protection Regulation (GDPR) in the EU or the Health Insurance Portability and Accountability Act (HIPAA) in the United States, resulting in non-trivial challenges for researchers and educators when working with these data. In pathology, the digitization of diagnostic tissue samples inevitably generates identifying data that can consist of sensitive but also acquisition-related information stored in vendor-specific file formats. Distribution and off-clinical use of these Whole Slide Images (WSIs) are usually done in these formats, as an industry-wide standardization such as DICOM is yet only tentatively adopted and slide scanner vendors currently do not provide anonymization functionality. METHODS: We developed a guideline for the proper handling of histopathological image data particularly for research and education with regard to the GDPR. In this context, we evaluated existing anonymization methods and examined proprietary format specifications to identify all sensitive information for the most common WSI formats. This work results in a software library that enables GDPR-compliant anonymization of WSIs while preserving the native formats. RESULTS: Based on the analysis of proprietary formats, all occurrences of sensitive information were identified for file formats frequently used in clinical routine, and finally, an open-source programming library with an executable CLI tool and wrappers for different programming languages was developed. CONCLUSIONS: Our analysis showed that there is no straightforward software solution to anonymize WSIs in a GDPR-compliant way while maintaining the data format. We closed this gap with our extensible open-source library that works instantaneously and offline.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Digital health",
    "language": "en"
  },
  {
    "id": "doaj:6b833ff3c5064232bfc185f6f9c32741",
    "title": "The Concept and Examples of Personal Data",
    "authors": [
      "Abbas Mirshekari",
      "hamed abbasnia",
      "Darya safari"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://mtlj.usc.ac.ir/article_225569_1ce3fcd53ec0e2fcd91db81b3e35d00d.pdf?lang=en",
    "pdfUrl": "",
    "doi": "10.22133/mtlj.2025.452918.1321",
    "abstract": "In our time, the use of virtual space has become inevitable. Legislation and protection of users' rights is also a necessity of virtual life. In the meantime, the definition of personal data as a standard for data subject to data protection laws is of great importance. As long as the data is not related to a specific person, it is as if privacy has not been violated and there is no need for protection. Now the question is, what data is considered personal? Can specific instances of personal data be specified? In response, it can be said that a case-by-case investigation must be done to determine personal data and cannot be satisfied with a general rule. Whether data is personal or anonymous varies depending on factors such as facilities, time, nature of data, cost of identification, technological developments and the purpose of data processing. As for definite cases, although there is no definite determination of a specific type of data as personal data, some examples, such as surnames in addition to other identifiers and pseudonymous data, are highly likely to be considered personal data in the legal systems of the European Union and the United States. In this article, the laws and judicial procedure of the European Union and the United States of America as effective and leading legal systems in the field of data protection have been examined in order to determine a standard for identifying personal data and its examples. 1. Introduction\r\nIn the rapidly transitioning 'onlife' world, where technology integrates with all aspects of daily life, all phenomena are increasingly transformed into data. This data plays a critical role in power dynamics, enabling those who control it to influence markets, predict behavior, and potentially manipulate individuals.\r\n Given this reality, the preservation, management, and protection of data have become critical concerns, prompting the global enactment of data protection laws. 
These regulations naturally raise a fundamental question: What type of data should be protected?\r\nAcross various legal systems, the key criterion for data protection is whether the data in question is classified as personal. Data not considered personal typically falls outside the scope of protection, exempting it from the legal rights and obligations associated with privacy laws. However, this distinction is not new. Early legal scholars, including Warren and Brandeis (1890), emphasized that privacy protections apply only to identifiable individuals. From this perspective, if data is not linked to a specific individual, privacy concerns do not arise, and thus, no legal protection is required.\r\nThe accepted definition of personal data serves as the gateway to data protection law. Understanding this definition is essential for determining legal obligations and the extent of data protection measures. However, defining personal data is complex due to its multifaceted nature. These developments raise fundamental questions about the scope of personal data. Specifically, what level of connection must exist between information and an individual for it to be considered personal? Who must have access to the data for it to retain its classification? To what extent does data anonymization remove information from legal protection?\r\nA balanced definition of personal data is necessary. If it is too narrow, privacy protections become ineffective. Conversely, if defined too broadly, excessive compliance burdens may render enforcement impractical and disrupt normal digital activities. Scholars in Iran have recognized the importance of personal data (and have provided definitions. However, previous studies have largely neglected specific examples of personal data and how U.S. law classifies them. 
To address these gaps, this article examines criteria for distinguishing personal from anonymous data and identifies specific examples based on legal standards in the European Union and the United States.\r\n \r\n2. Methodology\r\nThis study employs a comparative legal approach, analyzing the definitions of personal data, the criteria for anonymization, and the legal treatment of sensitive data under the GDPR, the CCPA, and relevant case law.\r\nThe research relies on laws, judicial decisions, regulatory guidelines, and academic literature. A qualitative methodology is applied, emphasizing legal interpretation, case analysis, and comparative evaluation.\r\nBy identifying ambiguities and inconsistencies in defining personal data, this study aims to contribute to a clearer and more effective regulatory framework for data protection. The first section analyzes the definitions and key elements of personal data under EU and U.S. regulations. The second section explores definitive and controversial examples of personal data. The final section discusses sensitive personal data as a distinct category requiring special protection.\r\n \r\n3. Results and Discussion\r\nPersonal data is the cornerstone of data protection laws. Many legal systems define personal data flexibly, classifying any information that can directly or indirectly identify an individual as personal. However, defining personal data requires a contextual approach rather than rigid classifications. The classification of certain data types—such as IP addresses, pseudonymous data, and anonymized data—remains a subject of legal debate.\r\nA key observation is that the classification of data depends on contextual factors. Data that is personal under one set of circumstances may be considered anonymous under another. This makes it challenging to create exhaustive lists of personal data. 
Despite this, there is general consensus that certain data types, such as surnames combined with unique identifiers and pseudonymized data, are classified as personal data under EU and U.S. laws. In contrast, anonymized data and certain forms of metadata continue to spark legal controversy.\r\nFurthermore, personal data varies in sensitivity. Some categories require stricter protections due to the potential harm associated with their exposure. However, the classification of sensitive data is also subject to legal interpretation and depends on specific factual contexts. Within the Iranian legal system, forthcoming legislation should adopt a careful and nuanced approach to defining personal data. Given the rapid advancement of re-identification techniques, definitions should be broad enough to account for evolving technological capabilities. The GDPR and other leading frameworks emphasize expansive definitions to ensure robust data protection.\r\nAdditionally, certain categories of information—such as court decisions and judicial opinions—necessitate regulated anonymization. A dedicated legal framework should be established to determine when data is truly anonymous. This framework should distinguish between anonymized and encrypted data, ensuring appropriate legal protections for each category. Clear guidelines will help service providers understand their obligations and reduce legal ambiguities.\r\n \r\n4. Conclusions and Future Research\r\nThe definition of personal data is fundamental to data protection laws, yet it remains a flexible and evolving concept. Most legal frameworks classify any data capable of identifying an individual as personal, necessitating a contextual rather than rigid approach.\r\nWhile there is consensus on some identifiers, debates persist regarding elements such as IP addresses, metadata, and anonymized data. 
Certain personal data types require heightened protection due to their sensitivity, but their classification depends on legal interpretation and contextual analysis.\r\nFor Iran, future data protection laws should adopt an analytical approach aligned with GDPR principles. Broad interpretations should be encouraged to address technological advancements. Additionally, clear anonymization guidelines should be established, particularly for public disclosures such as court rulings. A structured legal framework should differentiate anonymized data from encrypted data to prevent misinterpretation.\r\nSensitive personal data necessitates stricter safeguards. Future legal frameworks should impose more rigorous processing regulations, moving beyond predefined lists to a more dynamic classification system. Future research should focus on methodologies for determining personal data based on evolving technologies and regulatory developments. Comparative studies across different jurisdictions could refine global best practices and provide clearer guidance for policymakers and organizations handling sensitive personal information.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "حقوق فناوریهای نوین",
    "language": "en"
  },
  {
    "id": "doaj:e00a8c66cec54003bb2d87fe7347797b",
    "title": "Architecture of solution for panoramic image blurring in  GIS project application",
    "authors": [
      "D. Vasić",
      "M. Davidović",
      "I. Radosavljević",
      "Đ. Obradović"
    ],
    "date": "2021",
    "platform": "doaj",
    "sourceUrl": "https://gi.copernicus.org/articles/10/287/2021/gi-10-287-2021.pdf",
    "pdfUrl": "https://gi.copernicus.org/articles/10/287/2021/gi-10-287-2021.pdf",
    "doi": "10.5194/gi-10-287-2021",
    "abstract": "Panoramic images captured using laser scanning technologies, which principally produce point clouds, are readily applicable in colorization of point cloud, detailed visual inspection, road defect detection, spatial entities extraction, diverse map creation, etc. This paper underlines the importance of images in modern surveying technologies and different GIS projects at the same time having regard to their anonymization in accordance with law. The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU). Namely, it is a legislative requirement that faces of persons and license plates of vehicles in the collected data are blurred. The objective of this paper is to present a novel architecture of the solution for a particular object blurring. The architecture is designed as a pipeline of object detection algorithms that progressively narrows the search space until it detects the objects to be blurred. The methodology was tested on four data sets counting 5000, 10 000, 15 000 and 20 000 panoramic images. The percentage of accuracy, i.e., successfully detected and blurred objects of interest, was higher than 97 % for each data set. Additionally, our aim was to achieve efficiency and broad use.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Geoscientific Instrumentation, Methods and Data Systems",
    "language": "en"
  },
  {
    "id": "doaj:27d6c253f6604cfbabc152fb549694d3",
    "title": "Dynamic Sensitivity Differential Privacy: A Versatile Framework for Enhancing Privacy Across Diverse Data Scenarios",
    "authors": [
      "Reshma C. R.",
      "Arun Kumar Banavara Ramaswamy",
      "Shreyas Arun Kumar",
      "Mahadeshwara Prasad"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "http://dx.doi.org/10.1155/jcnc/2972993",
    "pdfUrl": "",
    "doi": "10.1155/jcnc/2972993",
    "abstract": "Data privacy is a major concern in the present data-driven era when sensitive information is being increasingly shared and analyzed across distributed systems. The existing mechanisms for privacy preservation, such as differential privacy (DP), local differential privacy (LDP), homomorphic encryption, and secure multiparty computing (SMPC), often face challenges in maintaining a balance between utility and privacy, especially in dynamic and heterogeneous environments. This paper introduces partial DP as a flexible framework for addressing the above challenges across a variety of data settings, such as federated learning, decentralized systems (blockchain and IoT), graph data, and streaming analytics. Dynamic sensitivity differential privacy (DSDP) employs adaptive noise mechanism and dynamically adjusts the data sensitivity by ensuring the robust privacy without compromising data utility. The experimental evaluations on real-world datasets prove the superiority of DSDP over traditional approaches with minimal utility loss and high privacy guarantees at efficiency. DSDP is a promising solution in the evolving computer paradigms for data privacy protection. The proposed methods are carried out to evaluate the parameters such as execution time, utility loss, and privacy level. From the experimental results, DSDP achieves up to 15% higher utility than DP in federated learning, 30% reduced latency in decentralized systems, and 25% better structural integrity for graph data for privacy-preserving guarantees.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "Journal of Computer Networks and Communications",
    "language": "en"
  },
  {
    "id": "doaj:1797c1b85f8f48d2a2c6a27c9afdf671",
    "title": "Protecting Our Mosts Valuable Personal Data: A Comparison Of Transborder Data Flow Laws In The European Union, United Kingdom, And Indonesia",
    "authors": [
      "Budi Agus Riswandi",
      "Alif Muhammad Gultom"
    ],
    "date": "2024",
    "platform": "doaj",
    "sourceUrl": "https://journal.uii.ac.id/JPLR/article/view/31640",
    "pdfUrl": "",
    "doi": "10.20885/plr.vol5.iss2.art3",
    "abstract": "Information technology and its relationship with data protection is a crucial area that needs to be addressed, especially for data flows among different countries. In the majority of jurisdictions, international data transfers are restricted unless specific requirements stipulated by data protection laws are met. However, in the European Union (EU) and the United Kingdom (UK) there are three exceptions, adequacy, appropriate safeguards, and derogations. This paper conducts a comparative legal analysis of the regulations governing the cross-border transfer of personal data in the EU, UK, and Indonesia. The research method is normative, while the approaches employed are statutory and conceptual with an analytical and descriptive research design. The study focuses on the legal framework and the various mechanisms to protect personal data during transborder flows. The research identified both commonalities and disparities in data protection regulations in Indonesia, the EU, and the UK. Notably, differences appeared in the application of appropriate safeguards and the use of criminal sanctions in Indonesia. Finally, the study concludes by providing recommendations for future developments in the legal frameworks for cross-border data transfer in the EU, UK, and Indonesia.\nKeywords: Adequacy decision, Cross-border data transfer, Derogations, Personal Data Protection Law.\n\n\nMelindungi Data Pribadi Kita yang Paling Berharga: Perbandingan Hukum Aliran Data Lintas Batas Di Uni Eropa, Inggris, dan Indonesia\n\n\nAbstrak\nTeknologi informasi dan hubungannya dengan perlindungan data merupakan bidang penting yang perlu ditangani, terutama untuk aliran data antar negara. Di sebagian besar yurisdiksi, transfer data internasional dibatasi kecuali persyaratan khusus yang ditetapkan oleh undang-undang perlindungan data dipenuhi. Namun, di Uni Eropa (UE) dan Inggris (UK) terdapat tiga pengecualian, yaitu kecukupan, pengamanan yang sesuai, dan pengurangan. 
Tulisan ini melakukan analisis hukum komparatif terhadap peraturan yang mengatur transfer data pribadi lintas batas negara di UE, Inggris, dan Indonesia. Metode penelitian yang digunakan adalah normatif, sedangkan pendekatan yang digunakan bersifat perundang-undangan dan konseptual dengan desain penelitian analitis dan deskriptif. Studi ini berfokus pada kerangka hukum dan berbagai mekanisme untuk melindungi data pribadi selama arus lintas batas. Penelitian ini mengidentifikasi kesamaan dan kesenjangan dalam peraturan perlindungan data di Indonesia, UE, dan Inggris. Perbedaan yang terlihat jelas adalah penerapan safeguards yang tepat dan penggunaan sanksi pidana di Indonesia. Terakhir, studi ini menyimpulkan dengan memberikan rekomendasi untuk perkembangan masa depan dalam kerangka hukum transfer data lintas batas di UE, Inggris, dan Indonesia.\nKata Kunci: Keputusan kecukupan, Transfer data lintas batas, Derogasi, Undang-Undang Perlindungan Data Pribadi.",
    "topics": [
      "jurisdiction_regulatory",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "Prophetic Law Review",
    "language": "en"
  },
  {
    "id": "doaj:d9ef00db44a94d7ca681e4ea8902115d",
    "title": "Blockchain-enabled cross-border insurance: from legal issues, solution design, to implementation",
    "authors": [
      "Jiaxin Ran",
      "Dechuan Li",
      "Qixin Zheng",
      "Jerome Yen",
      "Yingjie Xue"
    ],
    "date": "2024",
    "platform": "doaj",
    "sourceUrl": "https://elsp-homepage.oss-cn-hongkong.aliyuncs.compaper/journal/open/BC/2024/blockchain20240003.pdf",
    "pdfUrl": "https://elsp-homepage.oss-cn-hongkong.aliyuncs.compaper/journal/open/BC/2024/blockchain20240003.pdf",
    "doi": "10.55092/blockchain20240003",
    "abstract": "Traditional insurance contracts are beset with challenges such as cumbersome notification, complex underwriting and inefficient claims settlement, all of which impede the industry’s growth. In response, the digital transformation of insurance companies has become essential. Blockchain technology, with its inherent features of transparency and immutability, offers significant potential for transforming the insurance industry and there has been considerable research on using blockchain technology in the insurance sector. However, when it comes to cross-border insurance service, current solutions fall short in effectively navigating the legal and compliance complexities inherent in cross-border insurance service delivery. When transmitting data across borders, it is essential to adhere to the legal requirements of cross-border laws and regulations, especially considering the variations in regional data protection and privacy legislation. A general solution for managing cross-border data transfer that both supports service delivery and adheres to compliance standards, has yet to be developed. In this paper, we propose solutions to secure data transfer in cross-border insurance service provision. First, we examine the legal and compliance challenges associated with cross-border data transfer. Following this, we introduce a system that integrates blockchain, smart contracts, and Trusted Execution Environment (TEE) to enhance cross-border insurance services. We propose a cross-chain protocol, which incorporates hash-locking and the notary mechanism for efficiency and security. We develop a prototype for implementing our proposed protocol and conduct extensive testing to show the practicality and security of our proposed protocol.",
    "topics": [
      "privacy_engineering",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Sector Regulations",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "Blockchain",
    "language": "en"
  },
  {
    "id": "doaj:2336d07cd13e4f5fbfca826cbdea4d4d",
    "title": "A DELEUZIAN PERSPECTIVE ON THE RIGHT OF DATA PROTECTION ON SOCIAL MEDIA",
    "authors": [
      "Dušan Samardžić"
    ],
    "date": "2024",
    "platform": "doaj",
    "sourceUrl": "http://epub.ius.bg.ac.rs/index.php/eudaimonia/article/view/213",
    "pdfUrl": "",
    "doi": "10.51204/ivrs_24104a",
    "abstract": "The goal of this article is to explore – from the given theoretical framework – the effectiveness of the European Union’s data protection capabilities, namely through the General Data Protection Regulation. The first and second sections develop the theory of control societies – as well as its historical background – and connects it with the theory of surveillance capitalism as its essential component. The third section delas with some critiques that have arisen in the few years after the GDPR came into force. The conclusion of the paper is that, only a few years after the GDPR came into force, it is still too early to decisively say what effect will it have on the big data industry. However, from the problems that have been elaborated, it seems unlikely that the big data industry will be meaningfully challenged when it comes to data protection.",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.55,
    "venue": "Eudaimonia",
    "language": "en"
  },
  {
    "id": "europepmc:PPR1087412",
    "title": "Privacy-preserving predictive maintenance method for cross-border unmanned logistics system integrating federated learning and blockchain",
    "authors": [
      "Meng Q."
    ],
    "date": "2025-09-18",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.21203/rs.3.rs-7349963/v1",
    "pdfUrl": "https://doi.org/10.21203/rs.3.rs-7349963/v1",
    "doi": "10.21203/rs.3.rs-7349963/v1",
    "abstract": "<title>Abstract</title>  <p>Predictive maintenance of cross-border unmanned logistics systems (CBULS) faces multiple challenges such as data privacy protection, system performance optimization, and collaborative efficiency. To solve these problems, this paper proposes a predictive maintenance method that integrates privacy-preserving federated learning and dynamic consensus blockchain. In the federated learning part, the improved FedProx algorithm is used to deal with non-independent and identically distributed (non-IID) data and device heterogeneity, and multi-layer privacy protection mechanisms such as zero-knowledge proof, fully homomorphic encryption, and local differential privacy are introduced to enhance data security. In the blockchain part, a hybrid consensus mechanism combining delegated proof of stake (DPoS) and practical Byzantine fault tolerance (PBFT) is designed to achieve secure distributed collaboration in high-throughput and low-latency scenarios. In addition, the hierarchical structure and sharding technology are used to optimize system performance and improve algorithm scalability and computational efficiency. Test results show that this method is superior to existing methods in terms of model prediction accuracy, communication efficiency, system throughput, and privacy protection strength, providing an efficient, secure, and scalable solution for predictive maintenance of CBULS.</p>",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "Discover Applied Sciences",
    "language": "de"
  },
  {
    "id": "doaj:0d548e0a663443a6a5426e4ea71a1d63",
    "title": "Creating a Health Data Marketplace  for the Digital Health Era",
    "authors": [
      "Imtiaz  Khan, PhD",
      "Mohamed A.  Maher",
      "Moderator: Anjum  Khurshid, PhD"
    ],
    "date": "2024",
    "platform": "doaj",
    "sourceUrl": "https://blockchainhealthcaretoday.com/index.php/journal/article/view/342",
    "pdfUrl": "",
    "doi": "10.30953/bhty.v7.342",
    "abstract": "With the advent of the General Data Protection Regulation (GDPR) of the EU and the development of technologies like blockchain and distributed ledger technologies (DLT), it is now possible to create a new paradigm with a shared economic model where financial Incentivization will be the main driver for data sharing. This can be achieved by setting up a digital health data marketplace (DHDM).\n\n\nSpeakers on s podcast authored a paper in BTHY journal entitled “From Sharing to Selling: Challenges and Opportunities of Establishing a Digital Health Data Marketplace Using Blockchain Technologies,” https://doi.org/10.30953/bhty.v5.184\n\n\nTheir ongoing work is discussed for the DHDM operation outlined along with current developments and future work. Questions addressed are below:\n\n\n• What inspired the authors to explore the use of blockchain technology in healthcare data sharing and monetization?\n\n\n\n• What are the key challenges and opportunities identified in establishing a digital health data marketplace using blockchain technologies?\n\n\n\n• What are the potential socioeconomic impacts of a digital health data marketplace on patients, healthcare providers, and researchers, and how do you see the economics of health data developing into dynamic systems that will reflect in the processes of care delivery and management?\n\n\n\n• What are the next steps for the research? Are there ongoing projects or collaborations the audience can expect to be excited about?",
    "topics": [
      "gdpr_compliance",
      "data_broker_surveillance"
    ],
    "painPointTracks": [
      "Data Brokers",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Blockchain in Healthcare Today",
    "language": "en"
  },
  {
    "id": "doaj:5ba873070e8c426f9911f89620976756",
    "title": "Visual Control in Today’s Societies: (Non)Recognition of Faces and Emotions",
    "authors": [
      "Skaidra  Trilupaitytė"
    ],
    "date": "2022",
    "platform": "doaj",
    "sourceUrl": "https://www.journals.vu.lt/politologija/article/view/29132",
    "pdfUrl": "",
    "doi": "10.15388/polit.2022.106.4",
    "abstract": "By using a theoretical approach to the critique of surveillance capitalism, and by drawing on public discourse sources on facial recognition (FR) technology, this paper analyzes visual surveillance in contemporary societies. Currently, there are both numerous instances of a sudden development of FR capabilities on a global scale as well as efforts to prevent the development of what is called the “most dangerous technology.” This paper also questions the techno-solutionism that enables “perfect” mathematical human cognition. Overall, the paper sheds light on the global disagreement on the regulatory environment for FR technology, with different countries, states, or big cities treating biometric data protection differently. There is also a confluence of predicaments and legal concerns in the public sphere regarding FR. Nevertheless, it is possible to outline the typical narratives that emerge in media discourses, highlighted in this paper using three different examples. These are (1) concerns about human rights and privacy (the US case), (2) a “soft” indecisiveness about promoting unfettered innovation on the one hand, and preventing human rights abuses on the other (the EU case), and (3) the fear of digital data being collected by a hostile authoritarian state, namely China (the Lithuanian case).",
    "topics": [
      "biometric_surveillance",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.55,
    "venue": "Politologija",
    "language": "en"
  },
  {
    "id": "europepmc:39415812",
    "title": "Legal aspects of generative artificial intelligence and large language models in examinations and theses.",
    "authors": [
      "März M",
      "Himmelbauer M",
      "Boldt K",
      "Oksche A."
    ],
    "date": "2024-09-16",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.3205/zma001702",
    "pdfUrl": "https://europepmc.org/articles/PMC11474642?pdf=render",
    "doi": "10.3205/zma001702",
    "abstract": "The high performance of generative artificial intelligence (AI) and large language models (LLM) in examination contexts has triggered an intense debate about their applications, effects and risks. What legal aspects need to be considered when using LLM in teaching and assessment? What possibilities do language models offer? Statutes and laws are used to assess the use of LLM: - University statutes, state higher education laws, licensing regulations for doctors - Copyright Act (UrhG) - General Data Protection Regulation (DGPR) - AI Regulation (EU AI Act) LLM and AI offer opportunities but require clear university frameworks. These should define legitimate uses and areas where use is prohibited. Cheating and plagiarism violate good scientific practice and copyright laws. Cheating is difficult to detect. Plagiarism by AI is possible. Users of the products are responsible. LLM are effective tools for generating exam questions. Nevertheless, careful review is necessary as even apparently high-quality products may contain errors. However, the risk of copyright infringement with AI-generated exam questions is low, as copyright law allows up to 15% of protected works to be used for teaching and exams. The grading of exam content is subject to higher education laws and regulations and the GDPR. Exclusively computer-based assessment without human review is not permitted. For high-risk applications in education, the EU's AI Regulation will apply in the future. When dealing with LLM in assessments, evaluation criteria for existing assessments can be adapted, as can assessment programmes, e.g. to reduce the motivation to cheat. LLM can also become the subject of the examination themselves. Teachers should undergo further training in AI and consider LLM as an addition.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "GMS Journal for Medical Education",
    "language": "de"
  },
  {
    "id": "doaj:f58b26ea85524c2c90db4d65e3996b1a",
    "title": "PrivChain-AI leveraging blockchain and federated learning for private financial reporting and access control",
    "authors": [
      "Saad Alaklabi"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://doi.org/10.1038/s41598-025-32606-6",
    "pdfUrl": "https://europepmc.org/articles/PMC12824311?pdf=render",
    "doi": "10.1038/s41598-025-32606-6",
    "abstract": "Abstract Financial institutions are currently faced with suffering never experienced before as they strive to guarantee the privacy of data and address the demands of regulation to report and cooperate in machine learning. This paper proposes PrivChain-AI, a novel blockchain-based federated learning system designed to facilitate secure and privacy-preserving financial reporting and access control. The proposed framework will integrate three key components: differential privacy, homomorphic encryption, and smart contract-based governance, enabling cooperative model training across financial institutions while preventing the leakage of sensitive information. PrivChain-AI is a hierarchical design that incorporates permissioned consensus protocols and utilises zero-knowledge proof verification to authenticate transactions. It has been demonstrated that the performance is higher than that of the actual financial data, with an outcome of 94.7% accuracy in fraud recognition at the cost of e-differentiation privacy, where ϵ = 1.0. It is 40% faster in terms of communication overhead and ensures regulatory compliance, as it features immutable audit trails. The analysis of performances reveals that a privacy preservation metric improves by 78%, and access control granularity is improved by 62% compared to the current state-of-the-art approaches. The PrivChain-AI paradigm introduced provides a new analytical model for safe, collaborative finance, meeting the highest standards and ensuring compliance with relevant regulatory jurisdictions.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "Scientific Reports",
    "language": "en"
  },
  {
    "id": "europepmc:PPR1146464",
    "title": "SHIELD-Health: Secure Healthcare IoT with Energy-efficient Ledger-based Distributed Federated Learning",
    "authors": [
      "Mali T",
      "Rathore N",
      "Mandloi J",
      "Verma A",
      "Mattar EA",
      "Bhattacharya P."
    ],
    "date": "2026-01-22",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.21203/rs.3.rs-8533915/v1",
    "pdfUrl": "https://doi.org/10.21203/rs.3.rs-8533915/v1",
    "doi": "10.21203/rs.3.rs-8533915/v1",
    "abstract": "<title>Abstract</title>  <p>Healthcare Internet of Things (HIoT) has revolutionized patient care through continuous monitoring and personalized treatment, but it introduces critical challenges in privacy protection, data security, and resource management across heterogeneous devices. Traditional centralized machine learning (ML) approaches face significant limitations due to privacy regulations and security concerns, leading to the emergence of federated learning (FL) and blockchain (BC) as complementary solutions. While FL enables collaborative model training without sharing raw data, and BC provides immutable verification and secure record management. We present SHIELD-Health, a novel framework that synergistically integrates these technologies to create a comprehensive solution for secure analytics in healthcare environments, featuring four key innovations: (1) resource-aware computation that dynamically adapts to device capabilities (2) a multi-layered privacy architecture designed for differential privacy and secure aggregation (3) Byzantine-robust aggregation ensuring model integrity under adversarial conditions, and (4) healthcare-specific optimizations including temporal attention mechanisms for physiological time-series data. Extensive evaluation demonstrates exceptional performance across multiple dimensions, maintaining high accuracy while achieving substantial communication efficiency and energy savings for resource-constrained devices. The framework also shows remarkable resilience against poisoning attacks, and robust performance under challenging non-independent and identically distributed (IID) data distributions common in healthcare scenarios. It represents a significant advancement in privacy-preserving collaborative analytics for sensitive medical applications where security, privacy, and resource constraints are paramount considerations.</p>",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "de"
  },
  {
    "id": "europepmc:41563839",
    "title": "Federated Learning in Healthcare: From Research to Real-World Deployment.",
    "authors": [
      "Bakas S",
      "Li X",
      "Shah P",
      "Roth HR."
    ],
    "date": "2026-01-21",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1146/annurev-bioeng-080125-041414",
    "pdfUrl": "",
    "doi": "10.1146/annurev-bioeng-080125-041414",
    "abstract": "Artificial intelligence (AI), including deep and traditional machine learning, holds great promise for advancing biomedical research and healthcare. However, most AI studies remain academic in nature and rarely transition into clinical practice, largely due to limited access to diverse real-world datasets. Centralized learning, the traditional approach to multi-institutional collaboration, is hindered by privacy, legal, and logistical barriers. Federated learning (FL) offers a decentralized alternative, enabling institutions to collaboratively train models without sharing sensitive patient data. This article reviews key algorithmic, privacy, and practical developments in FL for biomedical engineering, including strategies to handle non-identical data distributions and safeguard privacy through differential privacy, secure aggregation, and confidential computing. We also discuss current limitations and considerations for the need of scalable, interoperable infrastructures. FL represents a paradigm shift toward building generalizable, equitable, and clinically impactful AI models. Realizing this vision requires continued advances, such as FL-as-a-service platforms and regulatory-aligned workflows that support persistent and trustworthy model deployment to truly realize AI's promise in patient care.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "Annual review of biomedical engineering",
    "language": "de"
  },
  {
    "id": "europepmc:PPR1135329",
    "title": "SplitML: A Unified Privacy-Preserving Architecture for Federated Split-Learning in Heterogeneous Environments",
    "authors": [
      "Trivedi D",
      "Boudguiga A",
      "Kaaniche N",
      "Triandopoulos N."
    ],
    "date": "2025-12-17",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.20944/preprints202512.1579.v1",
    "pdfUrl": "https://doi.org/10.20944/preprints202512.1579.v1",
    "doi": "10.20944/preprints202512.1579.v1",
    "abstract": "Federated Learning (FL) and Split Learning (SL) maintain client data privacy during collaborative training by keeping raw data on distributed clients and only sharing model updates (FL) or intermediate results (SL) with the centralized server. However, this level of privacy is insufficient, as both FL and SL remain vulnerable to security risks like poisoning and various inference attacks. To address these flaws, we introduce SplitML, a secure and privacy-preserving framework for Federated Split Learning (FSL). SplitML generalizes and formalizes FSL using IND−CPAD secure Fully Homomorphic Encryption (FHE) combined with Differential Privacy (DP) to actively reduce data leakage and inference attacks. This framework allows clients to use different overall model architectures, collaboratively training only the top (common) layers while keeping their bottom layers private. For training, clients use multi-key CKKS FHE to aggregate weights. For collaborative inference, clients can share gradients encrypted with single-key CKKS FHE to reach a consensus based on Total Labels (TL) or Total Predictions (TP). Empirical results show that SplitML significantly improves protection against Membership Inference (MI) attacks, reduces training time, enhances inference accuracy through consensus, and incurs minimal federation overhead.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "de"
  },
  {
    "id": "europepmc:PPR1095114",
    "title": "TrustDS: A Policy‑First, Privacy‑Preserving Framework for Interoperable Data Exchange with Real‑World Validation",
    "authors": [
      "Dockara TR",
      "Malhotra M."
    ],
    "date": "2025-10-03",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.21203/rs.3.rs-7519920/v1",
    "pdfUrl": "https://doi.org/10.21203/rs.3.rs-7519920/v1",
    "doi": "10.21203/rs.3.rs-7519920/v1",
    "abstract": "<title>Abstract</title>  <p>We present TrustDS, a policy‑first, privacy‑preserving framework for interoperable data exchange across edge and multi‑cloud environments. TrustDS compiles human‑readable consent and governance policies into an execution DAG that schedules privacy‑enhancing technologies (PETs) like differential privacy (DP), secure multi‑party computation (SMPC), and trusted execution environments (TEEs) - under explicit latency, utility, and cost budgets. We formalize policy admissibility, prove a safety property for admissible plans, and provide a revocation protocol that bounds consent‑revocation propagation within Δt. A cost‑aware planner co‑optimizes operator placement across edge and cloud to minimize latency while respecting egress restrictions and utility targets. We evaluate TrustDS in four sectors (healthcare, finance, transport, retail) using real‑world topologies, reporting p50/p95/p99 latency, throughput, revocation delay, and utility-privacy trade‑offs with 95% confidence intervals. Against two baselines: centralized transfer and a clean‑room exchange - TrustDS achieves comparable or better utility at lower data exposure, with median end‑to‑end latency improvements of 18–34% and revocation propagation below 120 ms under realistic load. We release a scoring rubric for policy and privacy capabilities that enables repeatable comparison of frameworks. To our knowledge, the explicit composition of policy semantics with PET scheduling and revocation guarantees in an interoperable, multi‑cloud data‑exchange framework is novel and practically useful.</p>",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "de"
  },
  {
    "id": "europepmc:PPR1028867",
    "title": "Blockchain-Enabled Federated Learning with Edge Analytics for Secure and Efficient Electronic Health Records Management",
    "authors": [
      "S M",
      "R JK."
    ],
    "date": "2025-05-30",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.21203/rs.3.rs-6678464/v1",
    "pdfUrl": "https://www.researchsquare.com/article/rs-6678464/latest.pdf",
    "doi": "10.21203/rs.3.rs-6678464/v1",
    "abstract": "<title>Abstract</title>  <p>The rapid adoption of Federated Learning (FL) in privacy-sensitive domains such as healthcare, IoT, and smart cities highlights its potential to enable collaborative machine learning without compromising data ownership. However, conventional FL frameworks face several critical challenges: high computational overhead at edge devices, significant communication latency due to frequent model updates, vulnerability to model and data poisoning attacks, and limited privacy preservation mechanisms that expose systems to inference risks. These issues hinder the scalability, efficiency, and trustworthiness of FL in real-world, large-scale deployments—particularly in domains like Electronic Health Records (EHR) management, where data sensitivity is paramount. To address these challenges, this study proposes the Enhanced Privacy-Preserving Blockchain-Enabled Federated Learning (EPP-BCFL) framework—a novel architecture that mixes blockchain technology, hybrid privacy mechanisms, and optimized communication strategies. The proposed system features a three-layer design: (1) the Edge Nodes Layer, where client devices perform local model training while retaining raw data; (2) the Federated Model Aggregation Layer, which securely aggregates encrypted updates using Differential Privacy and Secure Multi-Party Computation (SMPC); and (3) the Blockchain Network Layer, which guarantees tamper-proof auditability and trust through a lightweight Proof-of-Stake (PoS) consensus enhanced with Byzantine Fault Tolerance (BFT). Experimental evaluation on the CIFAR-10 dataset demonstrates that EPP-BCFL achieves 95.2% accuracy, significantly reduced communication overhead, and strong resilience against adversarial attacks. 
Comparative analysis with existing FL models highlights the proposed framework’s superior performance with respect to privacy preservation, computational efficiency, and robust security, making it well-suited for secure, scalable healthcare applications",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "Scientific reports",
    "language": "de"
  },
  {
    "id": "europepmc:40756387",
    "title": "Ethical AI in medical text generation: balancing innovation with privacy in public health.",
    "authors": [
      "Liang M."
    ],
    "date": "2025-07-18",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.3389/fpubh.2025.1583507",
    "pdfUrl": "https://europepmc.org/articles/PMC12313694?pdf=render",
    "doi": "10.3389/fpubh.2025.1583507",
    "abstract": "<h4>Introduction</h4>The integration of artificial intelligence (AI) into medical text generation is transforming public health by enhancing clinical documentation, patient education, and decision support. However, the widespread deployment of AI in this domain introduces significant ethical challenges, including fairness, privacy protection, and accountability. Traditional AI-driven medical text generation models often inherit biases from training data, resulting in disparities in healthcare communication across different demographic groups. Moreover, ensuring patient data confidentiality while maintaining transparency in AI-generated content remains a critical concern. Existing approaches either lack robust bias mitigation mechanisms or fail to provide interpretable and privacy-preserving outputs, compromising ethical compliance and regulatory adherence.<h4>Methods</h4>To address these challenges, this paper proposes an innovative framework that combines privacy-preserving AI techniques with interpretable model architectures to achieve ethical compliance in medical text generation. The method employs a hybrid approach that integrates knowledge-based reasoning with deep learning, ensuring both accuracy and transparency. Privacy-enhancing technologies, such as homomorphic encryption and secure multi-party computation, are incorporated to safeguard sensitive medical data throughout the text generation process. Fairness-aware training protocols are introduced to mitigate biases in generated content and enhance trustworthiness.<h4>Results and discussion</h4>The proposed approach effectively addresses critical challenges of bias, privacy, and interpretability in medical text generation. By combining symbolic reasoning with data-driven learning and embedding ethical principles at the system design level, the framework ensures regulatory alignment and improves public trust. 
This methodology lays the groundwork for broader deployment of ethically sound AI systems in health",
    "topics": [
      "privacy_engineering",
      "ai_governance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "de"
  },
  {
    "id": "europepmc:PPR1045868",
    "title": "Federated Learning for Secure and Privacy- Preserving Edge AI in Smart Cities",
    "authors": [
      "Joshi",
      "Fatima S",
      "Hanirvesh K",
      "Siddiqui S",
      "Hazra S."
    ],
    "date": "2025-07-03",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.21203/rs.3.rs-6979939/v1",
    "pdfUrl": "https://www.researchsquare.com/article/rs-6979939/latest.pdf",
    "doi": "10.21203/rs.3.rs-6979939/v1",
    "abstract": "<title>Abstract</title>  <p>The rapid expansion of smart cities has led to the integration of Artificial Intelligence (AI) at the edge, enabling real-time decision-making for intelligent urban infrastructure. However, conventional centralized AI models pose critical challenges, including data privacy risks, security vulnerabilities, and high computational overhead. This paper investigates Federated Learning (FL) as a transformative paradigm to enhance security, privacy, and efficiency in edge AI systems for smart cities. Unlike traditional AI training methods, to cyber threats while ensuring compliance with data protection regulations. To address key challenges in heterogeneous smart city environments, we propose a hybrid optimization framework integrating differential privacy, secure multi-party computation (SMPC), and blockchain-based authentication. This approach strengthens resilience against adversarial attacks while ensuring secure model updates. Additionally, we introduce an adaptive aggregation mechanism, which dynamically adjusts model updates based on device reliability, data distribution, and network conditions, optimizing both learning efficiency and energy consumption in edge AI networks. Extensive experimentation on real-world smart city datasets demonstrates that the proposed framework enhances model accuracy, robustness, and privacy preservation compared to conventional AI approaches. Our findings establish Federated Learning as a cornerstone for secure, scalable, and privacy-aware AI in smart cities, facilitating trustworthy deployment of intelligent urban infrastructure. This research provides valuable insights for policymakers, researchers, and industry professionals, paving the way for next-generation AI-driven smart cities with enhanced security, privacy, and efficiency.</p>",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "de"
  },
  {
    "id": "europepmc:41008349",
    "title": "Adaptive Multimodal Fusion in Vertical Federated Learning for Decentralized Glaucoma Screening.",
    "authors": [
      "Jabbar A",
      "Huang J",
      "Jabbar MK",
      "Ali A."
    ],
    "date": "2025-09-14",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.3390/brainsci15090990",
    "pdfUrl": "https://europepmc.org/articles/PMC12468838?pdf=render",
    "doi": "10.3390/brainsci15090990",
    "abstract": "<b>Background/Objectives:</b> Early and accurate detection of glaucoma is vital for preventing irreversible vision loss, yet traditional diagnostic approaches relying solely on unimodal retinal imaging are limited by data sparsity and constrained context. Furthermore, real-world clinical data are often fragmented across institutions under strict privacy regulations, posing significant challenges for centralized machine learning methods. <b>Methods:</b> To address these barriers, this study proposes a novel Quality Aware Vertical Federated Learning (QAVFL) framework for decentralized multimodal glaucoma detection. The proposed system dynamically integrates clinical text, retinal fundus images, and biomedical signal data through modality-specific encoders, followed by a Fusion Attention Module (FAM) that adaptively weighs the reliability and contribution of each modality. Unlike conventional early fusion or horizontal federated learning methods, QAVFL operates in vertically partitioned environments and employs secure aggregation mechanisms incorporating homomorphic encryption and differential privacy to preserve patient confidentiality. <b>Results:</b> Extensive experiments conducted under heterogeneous non-IID settings demonstrate that QAVFL achieves an accuracy of 98.6%, a recall of 98.6%, an F1-score of 97.0%, and an AUC of 0.992, outperforming unimodal and early fusion baselines with statistically significant improvements (<i>p</i> < 0.01). <b>Conclusions:</b> The findings validate the effectiveness of dynamic multimodal fusion under privacy-preserving decentralized learning and highlight the scalability and clinical applicability of QAVFL for robust glaucoma screening across fragmented healthcare environments.",
    "topics": [
      "privacy_engineering",
      "data_anonymization",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.55,
    "venue": "Brain sciences",
    "language": "de"
  },
  {
    "id": "europepmc:41228128",
    "title": "Federated Learning in Public Health: A Systematic Review of Decentralized, Equitable, and Secure Disease Prevention Approaches.",
    "authors": [
      "Shah ST",
      "Ali Z",
      "Waqar M",
      "Kim A."
    ],
    "date": "2025-10-30",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.3390/healthcare13212760",
    "pdfUrl": "https://europepmc.org/articles/PMC12607528?pdf=render",
    "doi": "10.3390/healthcare13212760",
    "abstract": "<b>Background and Objectives:</b> Public health needs collaborative, privacy-preserving analytics, but centralized AI is constrained by data sharing and governance. Federated learning (FL) enables training without moving sensitive data. This review assessed how FL is used for disease prevention in population and public health, and mapped benefits, challenges, and policy implications. <b>Methods:</b> Following PRISMA 2020, we searched PubMed, Scopus, Web of Science, IEEE Xplore, and Google Scholar for peer reviewed English-language studies from January 2020-30 June 2025, applying FL to surveillance, outbreak detection, risk prediction, or policy support. Two reviewers screened and extracted data with third-reviewer arbitration. Quality was appraised with a tool adapted from MMAT and AI reporting frameworks. No meta-analysis was performed. <b>Results:</b> Of 5230 records identified (4720 after deduplication), 200 full texts were assessed and 19 were included. Most used horizontal FL across multiple institutions for communicable diseases, COVID-19, tuberculosis and some chronic conditions. Reported gains included privacy preservation across sites, better generalizability from diverse data, near real-time intelligence, localized risk stratification, and support for resource planning. Common barriers were non-IID data, interoperability gaps, compute and network limits in low-resource settings, unclear legal pathways, and concerns about fairness and transparency. Few studies linked directly to formal public-health policy or low-resource deployments. <b>Conclusions:</b> FL is promising for equitable, secure, and scalable disease-prevention analytics that respect data sovereignty. Priorities include robust methods for heterogeneity, interoperable standards, secure aggregation, routine fairness auditing, clearer legal and regulatory guidance, and capacity building in underrepresented regions.",
    "topics": [
      "privacy_engineering",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Solutions Market",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "de"
  },
  {
    "id": "europepmc:PPR1028241",
    "title": "Design of Federated Recommendation Model and Data Privacy Protection Algorithm Based on Graph Convolutional Networks",
    "authors": [
      "Peng H",
      "Ge L",
      "Zheng X",
      "Wang Y."
    ],
    "date": "2025-05-28",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.20944/preprints202505.2200.v1",
    "pdfUrl": "https://www.preprints.org/frontend/manuscript/41e1645477faef54b91a5023ae308f92/download_pub",
    "doi": "10.20944/preprints202505.2200.v1",
    "abstract": "To enhance the performance and privacy of recommender systems in distributed settings, this paper proposes a federated recommendation model based on graph convolutional networks (GCNs). Leveraging local user-item bipartite graphs, the model extracts high-order interaction features and performs parameter aggregation across clients. A Gaussian mechanism is introduced to enforce ε-differential privacy, combined with a secure aggregation protocol based on secret sharing to mitigate embedding leakage and reconstruction risks. Experimental analysis shows that the proposed multi-layer framework achieves high accuracy and stable convergence on heterogeneous datasets. The integration of privacy budget scheduling and gradient trimming further improves model robustness under attack scenarios. The results demonstrate that the model offers strong structural modeling and privacy protection capabilities, supporting personalized recommendation in high-risk environments.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "de"
  },
  {
    "id": "openaire:10.3389/fdgth.2025.1576290",
    "title": "Comprehensive evaluation framework for synthetic tabular data in health: fidelity, utility and privacy analysis of generative models with and without privacy guarantees",
    "authors": [
      "Mikel Hernandez",
      "Mikel Hernandez",
      "Mikel Hernandez",
      "Pablo A. Osorio-Marulanda",
      "Pablo A. Osorio-Marulanda",
      "Mikel Catalina",
      "Lorea Loinaz",
      "Lorea Loinaz",
      "Gorka Epelde",
      "Gorka Epelde",
      "Naiara Aginako"
    ],
    "date": "2025-04-24",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.3389/fdgth.2025.1576290",
    "pdfUrl": "https://www.frontiersin.org/journals/digital-health/articles/10.3389/fdgth.2025.1576290/pdf",
    "doi": "10.3389/fdgth.2025.1576290",
    "abstract": "<jats:p>The generation of synthetic tabular data has emerged as a key privacy-enhancing technology to address challenges in data sharing, particularly in healthcare, where sensitive attributes can compromise patient privacy. Despite significant progress, balancing fidelity, utility, and privacy in complex medical datasets remains a substantial challenge. This paper introduces a comprehensive and holistic evaluation framework for synthetic tabular data, consolidating metrics and privacy risk measures across three key categories (fidelity, utility and privacy) and incorporating a fidelity-utility tradeoff metric. The framework was applied to three open-source medical datasets to evaluate synthetic tabular data generated by five generative models, both with and without differential privacy. Results showed that simpler models generally achieved better fidelity and utility, while more complex models provided lower privacy risks. The addition of differential privacy enhanced privacy preservation but often reduced fidelity and utility, highlighting the complexity of balancing fidelity, utility and privacy in synthetic data generation for medical datasets. Despite its contributions, this study acknowledges limitations, such as the lack of evaluation metrics neither privacy risk measures for required model training time and resource usage, reliance on default model parameters, and the assessment of models that incorporates differential privacy with only a single privacy budget. Future work should explore parameter optimization, alternative privacy mechanisms, broader applications of the framework to diverse datasets and domains, and collaborations with clinicians for clinical utility evaluation. This study provides a foundation for improving synthetic tabular data evaluation and advancing privacy-preserving data sharing in healthcare.</jats:p>",
    "topics": [
      "data_anonymization",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "Frontiers in Digital Health",
    "language": "en"
  },
  {
    "id": "europepmc:39196905",
    "title": "An end-to-end framework for private DGA detection as a service.",
    "authors": [
      "Maia RJM",
      "Ray D",
      "Pentyala S",
      "Dowsley R",
      "De Cock M",
      "Nascimento ACA",
      "Jacobi R."
    ],
    "date": "2024-08-28",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1371/journal.pone.0304476",
    "pdfUrl": "https://journals.plos.org/plosone/article/file?id=10.1371/journal.pone.0304476&type=printable",
    "doi": "10.1371/journal.pone.0304476",
    "abstract": "Domain Generation Algorithms (DGAs) are used by malware to generate pseudorandom domain names to establish communication between infected bots and command and control servers. While DGAs can be detected by machine learning (ML) models with great accuracy, offering DGA detection as a service raises privacy concerns when requiring network administrators to disclose their DNS traffic to the service provider. The main scientific contribution of this paper is to propose the first end-to-end framework for privacy-preserving classification as a service of domain names into DGA (malicious) or non-DGA (benign) domains. Our framework achieves these goals by carefully designed protocols that combine two privacy-enhancing technologies (PETs), namely secure multi-party computation (MPC) and differential privacy (DP). Through MPC, our framework enables an enterprise network administrator to outsource the problem of classifying a DNS (Domain Name System) domain as DGA or non-DGA to an external organization without revealing any information about the domain name. Moreover, the service provider's ML model used for DGA detection is never revealed to the network administrator. Furthermore, by using DP, we also ensure that the classification result cannot be used to learn information about individual entries of the training data. Finally, we leverage post-training float16 quantization of deep learning models in MPC to achieve efficient, secure DGA detection. We demonstrate that by using quantization achieves a significant speed-up, resulting in a 23% to 42% reduction in inference runtime without reducing accuracy using a three party secure computation protocol tolerating one corruption. Previous solutions are not end-to-end private, do not provide differential privacy guarantees for the model's outputs, and assume that model embeddings are publicly known. Our best protocol in terms of accuracy runs in about 0.22s.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "PloS one",
    "language": "de"
  },
  {
    "id": "doaj:01947ebdb25d419c979895c9a0480ef3",
    "title": "Privacy-Preserving Federated Learning in Healthcare, E-Commerce, and Finance: A Taxonomy of Security Threats and Mitigation Strategies",
    "authors": [
      "Kumar Rahul",
      "Shieh Chin-Shiuh",
      "Chakrabarti Prasun",
      "Kumar Ashok",
      "Moolchandani Jhankar",
      "Sinha Raj"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://www.epj-conferences.org/articles/epjconf/pdf/2025/13/epjconf_icetsf2025_01066.pdf",
    "pdfUrl": "https://www.epj-conferences.org/articles/epjconf/pdf/2025/13/epjconf_icetsf2025_01066.pdf",
    "doi": "10.1051/epjconf/202532801066",
    "abstract": "Federated Learning (FL) transformed decentralized machine learning by allowing joint model training without mutually sharing raw data, hence being especially useful in privacy-sensitive applications like healthcare, e-commerce, and finance. Even with its privacy-focused architecture, FL is vulnerable to a range of security attacks such as data poisoning, model inversion, membership inference attacks, and communication interception. These attacks compromise the confidentiality of patients in healthcare, consumer data privacy in e-commerce, and financial safety in banking, thus necessitating effective privacy-preserving mechanisms. This survey presents a classification of security threats in FL, grouping them by their source, effect, and attack mode. We review state-of-the-art countermeasures, such as differential privacy, secure multi-party computation, homomorphic encryption, and resilient aggregation methods, their effectiveness, trade-offs, and real-world applicability to FL. In medicine, FL enables joint disease diagnosis without compromising patient confidentiality; in online shopping, it provides personalized suggestions without revealing customer tastes; and in banking, it improves fraud detection without violating regulatory requirements. In addition, we discuss future horizons in privacy-preserving FL, including adversarial robustness, blockchain-protected models, and tailored FL architectures, improving security and resiliency in these domains. We also discuss the balancing problems between security, accuracy, and computational efficiency with possible trade-offs in scaling privacy-preserving FL By analyzing threats and mitigation strategies systematically, this paper will provide direction to future research on designing secure, scalable, and privacy-preserving FL frameworks for the changing healthcare, e-commerce, and finance needs.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "EPJ Web of Conferences",
    "language": "en"
  },
  {
    "id": "doaj:023d4a729f254c03b6f3e25d65832a82",
    "title": "A Survey on Security and Privacy in Federated Learning-Based Intrusion Detection Systems for 5G and Beyond Networks",
    "authors": [
      "Hadiseh Rezaei",
      "Rahim Taheri",
      "Ehsan Nowroozi",
      "Mehrdad Hajizadeh",
      "Stavros Shiaeles",
      "Thomas Bauschert"
    ],
    "date": "2026",
    "platform": "doaj",
    "sourceUrl": "https://ieeexplore.ieee.org/document/11300785/",
    "pdfUrl": "",
    "doi": "10.1109/ojcoms.2025.3644477",
    "abstract": "The rapid growth of Internet of Things (IoT) devices and the introduction of 5G networks have created new opportunities for enhancing network services, while also introducing significant security concerns. Intrusion Detection Systems (IDS) are crucial for identifying malicious activities and unauthorized access in these environments. However, current IDS solutions face challenges such as sharing sensitive data and managing large-scale networks. Federated Learning (FL) presents a promising solution by enabling models to be trained on decentralized devices without sharing private data. This paper examines how FL can enhance IDS for IoT and 5G networks, with an emphasis on privacy and security concerns. We analyze various privacy, homomorphic encryption, and security mechanisms in FL, including Differential Privacy (DP) and secure aggregation, and their potential applications in strengthening IDS solutions. Additionally, we explore how FL contributes to the development of more secure and efficient IDS systems while addressing challenges such as data heterogeneity and security risks. Finally, we identify gaps in the existing research and propose directions for future work to enhance the robustness and practicality of FL-based IDS for IoT and 5G environments.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "IEEE Open Journal of the Communications Society",
    "language": "en"
  },
  {
    "id": "doaj:09676a311cf84f69b90a79d9216c1305",
    "title": "TwinGuard: Privacy-Preserving Digital Twins for Adaptive Email Threat Detection",
    "authors": [
      "Taiwo Oladipupo Ayodele"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://www.mdpi.com/2624-800X/5/4/91",
    "pdfUrl": "",
    "doi": "10.3390/jcp5040091",
    "abstract": "Email continues to serve as a primary vector for cyber-attacks, with phishing, spoofing, and polymorphic malware evolving rapidly to evade traditional defences. Conventional email security systems, often reliant on static, signature-based detection struggle to identify zero-day exploits and protect user privacy in increasingly data-driven environments. This paper introduces TwinGuard, a privacy-preserving framework that leverages digital twin technology to enable adaptive, personalised email threat detection. TwinGuard constructs dynamic behavioural models tailored to individual email ecosystems, facilitating proactive threat simulation and anomaly detection without accessing raw message content. The system integrates a BERT–LSTM hybrid for semantic and temporal profiling, alongside federated learning, secure multi-party computation (SMPC), and differential privacy to enable collaborative intelligence while preserving confidentiality. Empirical evaluations were conducted using both synthetic AI-generated email datasets and real-world datasets sourced from Hugging Face and Kaggle. TwinGuard achieved 98% accuracy, 97% precision, and a false positive rate of 3%, outperforming conventional detection methods. The framework offers a scalable, regulation-compliant solution that balances security efficacy with strong privacy protection in modern email ecosystems.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "Journal of Cybersecurity and Privacy",
    "language": "en"
  },
  {
    "id": "europepmc:40534991",
    "title": "Genomic privacy and security in the era of artificial intelligence and quantum computing.",
    "authors": [
      "Annan R",
      "Noland J",
      "Perkins K",
      "Yuan X",
      "Roy K",
      "Qingge L."
    ],
    "date": "2025-06-06",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1007/s10791-025-09627-w",
    "pdfUrl": "https://europepmc.org/articles/PMC12175736?pdf=render",
    "doi": "10.1007/s10791-025-09627-w",
    "abstract": "The rapid advancements in sequencing technologies have greatly increased access to genomic data stored in public databases. This has raised significant privacy and security concerns. This review emphasizes the importance of protecting genomic data by analyzing vulnerabilities in current storage and sharing practices. It examines the risks genetic databases face from cyber-attacks and internal breaches, focusing especially on advanced AI-driven threats and quantum computing vulnerabilities. The review explores machine learning methods designed to secure data. It highlights algorithms that prioritize privacy while maintaining data confidentiality, such as differential privacy, federated learning, and synthetic data generation using Generative Adversarial Networks (GANs). Findings demonstrate progress in mitigating common privacy breaches like re-identification and inference attacks. However, persistent vulnerabilities remain, particularly to emerging threats such as model inversion and membership inference attacks. The review advocates an integrated approach combining robust legislative frameworks with advanced technology to address genomic privacy challenges. It calls for intensified research efforts to safeguard genomic information. In particular, there is an urgent need to adopt quantum-resistant cryptographic methods, including lattice-based encryption and blockchain-integrated security frameworks. The paper emphasizes the necessity for genomics researchers to prioritize data privacy and security. This ensures responsible handling of genomic information in research.",
    "topics": [
      "data_anonymization",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Biometric & Immutable PII"
    ],
    "relevanceScore": 0.55,
    "venue": "Discover computing",
    "language": "de"
  },
  {
    "id": "https://openalex.org/W4214756703",
    "title": "Datenschutzrechtliche Rahmenbedingungen medizinischer Forschung: Vorgaben der EU-Datenschutz-Grundverordnung und national geltender Gesetze",
    "authors": [
      "Thilo Weichert"
    ],
    "date": "2022",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.32745/9783954667000",
    "pdfUrl": "https://www.mwv-open.de/site/books/10.32745/9783954667000/download/8417/",
    "doi": "https://doi.org/10.32745/9783954667000",
    "abstract": "The European Data Protection Regulation applies since May 25th, 2018. It creates a uniform data protection legal framework within the EU. National and international medical research projects, regardless of whether they were started before or after the introduction of the GDPR, are obliged to follow this new regulation and implement it promptly. This raises various challenges for a large number of medical research projects. The University Medicine Greifswald commissioned this legal report, that was prepared by DIERKS+COMPANY. Two real-world research projects, the Baltic Fracture Competence Centre (BFCC) as well as the German Centre for Cardiovascular Research (DZHK) provide use cases, questions, and context for this legal report. It addresses questions regarding all steps of data processing. The report provides practical answers to a wide array of technical and organisational questions in the area of data protection-compliant processing of research data. A comprehensive guide to GDPR-compliant data processing has been developed, which both summarises the broad legal environment and provides specific assistance in the design and implementation of GDPR-compliant data management processes, including Informed Consent, Legal Consequences of Withdrawal, and Privacy by Design.",
    "topics": [
      "gdpr_compliance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "Medizinisch Wissenschaftliche Verlagsgesellschaft eBooks",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3096896891",
    "title": "Datenschutzgerechte Forschungsschnittstelle für medizinische Daten",
    "authors": [
      "Moritz Leitner"
    ],
    "date": "2020",
    "platform": "OpenAlex",
    "sourceUrl": "https://publikationen.bibliothek.kit.edu/1000125554",
    "pdfUrl": "https://doi.org/10.5445/ir/1000125554",
    "doi": "https://doi.org/10.5445/ir/1000125554",
    "abstract": "Die Digitalisierung im Gesundheitswesen schreitet voran: Nach dem Patientendaten-Schutz- Gesetz (PDSG) müssen die Krankenkassen ihren Versicherten spätestens ab dem 1. Januar 2021 eine elektronische Patientenakte (ePA) anbieten, in der auf Wunsch beispielsweise Diagnosen, Therapiemaßnahmen oder Medikationspläne gespeichert werden. Darüber hinaus haben Versicherte ab 2023 die Möglichkeit einer Datenspende, sie können also Daten ihrer ePA der medizinischen Forschung zur Verfügung stellen. Durch die Auswertung solcher Real-World-Daten könnten Nebenwirkungen von Medikamenten in Zukunft schneller entdeckt werden. Einer Datennutzung steht allerdings die besondere Schutzwürdigkeit von personenbezogenen Gesundheitsdaten entgegen, deren missbräuchliche Verwendung zu einer Stigmatisierung oder Diskriminierung von Betroffenen führen kann. Um den Zielkonflikt zwischen Datenschutz und Forschungsdatennutzung bestmöglich zu lösen, wurden unterschiedliche Methoden zum Schutz der Privatsphäre entwickelt, die in der Literatur gemeinhin als Privacy-Enhancing Technologies (PETs) bezeichnet werden. Diese Arbeit bietet einerseits einen Überblick über den aktuellen Stand von E-Health in Deutschland. Anderseits werden die wichtigsten PETs erörtert. Dies umfasst insbesondere Anonymitätsmaße, wie 𝑘-Anonymity, l-Diversity, 𝑡-Closeness, 𝛿-Presence und Differential Privacy (DP), und homomorphe Verschlüsselung. Abschließend werden die vorgestellten PETs hinsichtlich ihrer Eignung für medizinische Daten untersucht. Hierfür wurde im Rahmen dieser Arbeit eine prototypische Forschungsschnittstelle namens PRIvacy cOmpliant Research Interface (PRIORI) entwickelt, die zur Anonymisierung und statistischen Auswertung von Datensätzen auf die Open-Source-Lösungen ARX und OpenDP setzt.",
    "topics": [
      "data_anonymization",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "Repository KITopen (Karlsruhe Institute of Technology)",
    "language": "de"
  },
  {
    "id": "s2:d104fab61bd805cef4a9d5526529c7c498b40bf7",
    "title": "No harm no foul: how harms caused by dark patterns are conceptualised and tackled under EU data protection, consumer and competition laws",
    "authors": [
      "Cristiana Santos",
      "Viktorija Morozovaite",
      "Silvia De Conca"
    ],
    "date": "2025-02-17",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/d104fab61bd805cef4a9d5526529c7c498b40bf7",
    "pdfUrl": "https://doi.org/10.1080/13600834.2025.2461958",
    "doi": "10.1080/13600834.2025.2461958",
    "abstract": "ABSTRACT Although several Human–Computer Interaction (HCI) studies have empirically investigated the harms caused by dark patterns, with policymakers and regulators regarding these harms significant, they have yet to be examined from a legal perspective. This paper identifies the individual, collective, material and non-material harms deriving from dark patterns, dissecting the role that harms play in the emerging European ‘dark patterns acquis’, comprising the Digital Services Act, Digital Markets Act, AI Act and Data Act. In particular, it systematises the body of knowledge of dark patterns’ harms from HCI scholarship and proposes a dark pattern harm taxonomy. Ultimately, the paper reconciled the debate concerning dark patterns’ harms in HCI with the legal requirements for assessing harms, in light of the remedies mechanisms offered by European data protection, consumer law and competition law.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "Information &amp; Communications Technology Law",
    "language": "en"
  },
  {
    "id": "arxiv:2003.09890",
    "title": "Annotation-Based Static Analysis for Personal Data Protection",
    "authors": [
      "Kalle Hjerppe",
      "Jukka Ruohonen",
      "Ville Leppänen"
    ],
    "date": "2020-03-22",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2003.09890v1",
    "pdfUrl": "https://arxiv.org/pdf/2003.09890v1",
    "doi": "10.1007/978-3-030-42504-3_22",
    "abstract": "This paper elaborates the use of static source code analysis in the context of data protection. The topic is important for software engineering in order for software developers to improve the protection of personal data during software development. To this end, the paper proposes a design of annotating classes and functions that process personal data. The design serves two primary purposes: on one hand, it provides means for software developers to document their intent; on the other hand, it furnishes tools for automatic detection of potential violations. This dual rationale facilitates compliance with the General Data Protection Regulation (GDPR) and other emerging data protection and privacy regulations. In addition to a brief review of the state-of-the-art of static analysis in the data protection context and the design of the proposed analysis method, a concrete tool is presented to demonstrate a practical implementation for the Java programming language.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:2502.06425",
    "title": "Generating Privacy-Preserving Personalized Advice with Zero-Knowledge Proofs and LLMs",
    "authors": [
      "Hiroki Watanabe",
      "Motonobu Uchikoshi"
    ],
    "date": "2025-02-10",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2502.06425v2",
    "pdfUrl": "https://arxiv.org/pdf/2502.06425v2",
    "doi": "10.1145/3701716.3715597",
    "abstract": "Large language models (LLMs) are increasingly utilized in domains such as finance, healthcare, and interpersonal relationships to provide advice tailored to user traits and contexts. However, this personalization often relies on sensitive data, raising critical privacy concerns and necessitating data minimization. To address these challenges, we propose a framework that integrates zero-knowledge proof (ZKP) technology, specifically zkVM, with LLM-based chatbots. This integration enables privacy-preserving data sharing by verifying user traits without disclosing sensitive information. Our research introduces both an architecture and a prompting strategy for this approach. Through empirical evaluation, we clarify the current constraints and performance limitations of both zkVM and the proposed prompting strategy, thereby demonstrating their practical feasibility in real-world scenarios.",
    "topics": [
      "privacy_engineering",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:2301.01568",
    "title": "Identifying Personal Data Processing for Code Review",
    "authors": [
      "Feiyang Tang",
      "Bjarte M. Østvold",
      "Magiel Bruntink"
    ],
    "date": "2023-01-04",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2301.01568v1",
    "pdfUrl": "https://arxiv.org/pdf/2301.01568v1",
    "doi": "10.5220/0011725700003405",
    "abstract": "Code review is a critical step in the software development life cycle, which assesses and boosts the code's effectiveness and correctness, pinpoints security issues, and raises its quality by adhering to best practices. Due to the increased need for personal data protection motivated by legislation, code reviewers need to understand where personal data is located in software systems and how it is handled. Although most recent work on code review focuses on security vulnerabilities, privacy-related techniques are not easy for code reviewers to implement, making their inclusion in the code review process challenging. In this paper, we present ongoing work on a new approach to identifying personal data processing, enabling developers and code reviewers in drafting privacy analyses and complying with regulations such as the General Data Protection Regulation (GDPR).",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "crossref:10.34069/ai/2020.27.03.42",
    "title": "Certain aspects of personal data protection in the social network: european experience and legislative regulation in Ukraine",
    "authors": [
      "Iryna Davydova",
      "Olena Bernaz-Lukavetska",
      "Semen Reznichenko"
    ],
    "date": "2020-03-21",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.34069/ai/2020.27.03.42",
    "pdfUrl": "https://amazoniainvestiga.info/check/27/42-383-390.pdf",
    "doi": "10.34069/ai/2020.27.03.42",
    "abstract": "The purpose of this study is to examine some aspects of personal data protection in the social network, a comparative analysis of the protection of personal data in the social network under Ukrainian and European legislation, namely the General Data Protection Regulation of the European Union. The methods used in this work are: dialectical, comparative-legal, formal-logical, analysis and dogmatic interpretation. Each of these methods was used in the study to understand and qualitatively explain to the audience categories the individual aspects of personal data protection on the social network. This article reveals the notion of: personal data in the social network, the features of their collection, storage and protection in accordance with European legislation and the development of proposals aimed at improving these processes in Ukraine. The research also addresses the following issues: Features of managing consent to the processing of personal data that have already been obtained; who can act as an \"operator\" under EU law and what actions he can take; who can act as \"controller\" and what functions it performs. The article concludes that there is an urgent need to streamline Ukrainian domestic legislation in line with EU law, which should result in a new law on personal data protection that complies with GDPR norms. As a result, a new law on personal data protection may soon emerge in Ukraine, replacing the outdated Law of Ukraine “On Personal Data Protection” of 01.06.2010, which is a “mirror” of   the repealed Directive 95/46/EC of the European Parliament and of the Council.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Revista Amazonia Investiga",
    "language": "en"
  },
  {
    "id": "crossref:10.69554/hbgg8150",
    "title": "Regulating deep fakes and synthetic media: Privacy, policy and global regulatory challenges",
    "authors": [
      "Sanya Darakhshan Kishwar",
      "Anjali Tripathi",
      "Sadqua Khatoon",
      "Deepali Poddar",
      "Bharat Khurana"
    ],
    "date": "2025-09-01",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.69554/hbgg8150",
    "pdfUrl": "",
    "doi": "10.69554/hbgg8150",
    "abstract": "Deep fake technology presents a profound challenge to data protection, privacy and regulatory frameworks worldwide. By exploiting biometric data without consent, deep fakes pose severe threats to privacy frameworks such as the European Union’s (EU) General Data Protection Regulation (GDPR) and India’s Digital Personal Data Protection Act 2023 (DPDPA). The ability to manipulate digital content using artificial intelligence (AI) raises concerns over identity theft, misinformation and biometric data security. This paper examines regulatory gaps, emerging AI-driven detection strategies and the need for privacy-preserving technological solutions. Through a comparative legal analysis, we identify gaps in existing regulations and propose a privacy-centric framework for mitigating deep fake risks. We further examine AI-driven solutions for authentication and policy interventions necessary for global regulatory alignment. Our findings suggest a multitiered regulatory response integrating technology, governance and privacy laws to counter deep fake threats while protecting individual rights. This article is also included in The Business & Management Collection which can be accessed at https://hstalks.com/business/.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Journal of Data Protection & Privacy",
    "language": "en"
  },
  {
    "id": "crossref:10.31235/osf.io/rf3ja",
    "title": "Dark Patterns, Enforcement, and the emerging Digital Design Acquis: Manipulation beneath the Interface",
    "authors": [
      "Mark Leiser",
      "Cristiana Santos"
    ],
    "date": "2023-04-30",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.31235/osf.io/rf3ja",
    "pdfUrl": "",
    "doi": "10.31235/osf.io/rf3ja",
    "abstract": "<p>The term ‘dark patterns’ is commonly used to describe manipulative techniques implemented into the user interface of websites and apps that lead users to make choices or decisions that would not have otherwise been taken. Legal academic and policy work has focussed on establishing classifications, definitions of dark patterns, constitutive elements, and typologies of dark patterns across different fields. Regulators have responded to this issue with several enforcement decisions related to data protection and privacy violations, and with rulings protecting consumers. Accordingly, this article analyses the appropriateness of regulatory oversight of designers and platforms that deploy dark patterns inside digital technologies. By further analysing design techniques, we conclude this type of deceptive design is inappropriately attributed to the user interface when some patterns are embedded in the system architecture. With this in mind, the article also analyses the emerging digital design acquis of the European Union. The Digital Markets Act and Digital Services Act, the proposals for a new Data Act and AI Act are critiqued for suitability of regulating deceptive design over the entirety of, what we coin, the deceptive design visibility spectrum.</p>",
    "topics": [
      "jurisdiction_regulatory",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Sector Regulations",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::61c51653db0bb23f94f97a7b47a88484",
    "title": "Unmasking the Reality of PII Masking Models: Performance Gaps and the Call for Accountability",
    "authors": [
      "Singh, Devansh",
      "Narayanan, Sundaraparipurnan"
    ],
    "date": "2025-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.48550/arxiv.2504.12308",
    "pdfUrl": "",
    "doi": "10.48550/arxiv.2504.12308",
    "abstract": "Privacy Masking is a critical concept under data privacy involving anonymization and de-anonymization of personally identifiable information (PII). Privacy masking techniques rely on Named Entity Recognition (NER) approaches under NLP support in identifying and classifying named entities in each text. NER approaches, however, have several limitations including (a) content sensitivity including ambiguous, polysemic, context dependent or domain specific content, (b) phrasing variabilities including nicknames and alias, informal expressions, alternative representations, emerging expressions, evolving naming conventions and (c) formats or syntax variations, typos, misspellings. However, there are a couple of PII datasets that have been widely used by researchers and the open-source community to train models on PII detection or masking. These datasets have been used to train models including Piiranha and Starpii, which have been downloaded over 300k and 580k times on HuggingFace. We examine the quality of the PII masking by these models given the limitations of the datasets and of the NER approaches. We curate a dataset of 17K unique, semi-synthetic sentences containing 16 types of PII by compiling information from across multiple jurisdictions including India, U.K and U.S. We generate sentences (using language models) containing these PII at five different NER detection feature dimensions - (1) Basic Entity Recognition, (2) Contextual Entity Disambiguation, (3) NER in Noisy & Real-World Data, (4) Evolving & Novel Entities Detection and (5) Cross-Lingual or multi-lingual NER) and 1 in adversarial context. We present the results and exhibit the privacy exposure caused by such model use (considering the extent of lifetime downloads of these models). We conclude by highlighting the gaps in measuring performance of the models and the need for contextual disclosure in model cards for such models.",
    "topics": [
      "data_anonymization",
      "pii_entity_types"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.55,
    "venue": "arXiv.org",
    "language": "en"
  },
  {
    "id": "openaire:10.37936/ecti-cit.2023172.252270",
    "title": "Enabling Efficient Personally Identifiable Information Detection with Automatic Consent Discovery",
    "authors": [
      "Somchart Fugkeaw",
      "Pattavee Sanchol"
    ],
    "date": "2023-06-08",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.37936/ecti-cit.2023172.252270",
    "pdfUrl": "https://ph01.tci-thaijo.org/index.php/ecticit/article/download/252270/170736",
    "doi": "10.37936/ecti-cit.2023172.252270",
    "abstract": "<jats:p>Personal data leakage prevention has now become a critical issue for implementing data management and sharing in many industries. Several data privacy regulations such as General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPPA), California Consumer Privacy Act (CCPA), and Thailand's Personal Data Protection Act (PDPA) have been issued to enforce organizations to collect, process, and transfer personally identifiable information (PII) securely. In this paper, we propose a design and development of PII RapidDiscover, an efficient Thai and English PII discovery system featured with automatic consent discovery. At the core of our proposed system, we introduce the PII scanning algorithm based on the Presidio library and a natural language processing (NLP) technique to improve the scan result of PII written in Thai and English. Finally, we conducted the experiments to demonstrate the efficiency of our proposed system.</jats:p>",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "ECTI Transactions on Computer and Information Technology",
    "language": "en"
  },
  {
    "id": "openaire:10.22214/ijraset.2024.62868",
    "title": "Effective Deep Learning Technique for Enhanced Data Privacy and Security",
    "authors": [
      "Prof. D. M. Kanade",
      "Sharanya Datrange",
      "Rutuja Aher",
      "Nayan Deshmukh",
      "Divya Tambat"
    ],
    "date": "2024-05-31",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.22214/ijraset.2024.62868",
    "pdfUrl": "",
    "doi": "10.22214/ijraset.2024.62868",
    "abstract": "<jats:p>Abstract: In the past, data privacy and security during analysis were challenging. Sensitive information often remained vulnerable, risking privacy breaches. This research introduces a comprehensive solution to address these challenges. It consists of three main stages: PII detection, differential privacy with Gaussian noise, and homomorphic encryption. It starts with data collection from various sources. What sets is the system apart is its ability to safeguard personal data. This research employ PII detection techniques to identify and anonymize sensitive information, preserving privacy without compromising data utility. Next, preprocess the data, enhancing its quality for analysis. Differential privacy is applied, introducing controlled Gaussian noise and aggregating the data to protect individual privacy while enabling meaningful insights. Moreover, This research uses homomorphic encryption, which allows confidential calculations to be performed without revealing sensitive information. This is especially beneficial for securing indian household data. As move on to data analysis, the research system leverages machine learning and analytical methods to extract insights from the protected data. Finally, the results are visualized and presented in reports, ensuring that the protected data is effectively utilized while respecting privacy and security concerns. In summary, the system provides a comprehensive solution for handling sensitive data, ensuring privacy, and enabling valuable insights to be drawn from the data without compromising individuals privacy and data security. It significantly enhances data privacy and security compared to the past, where these concerns were inadequately addressed.</jats:p>",
    "topics": [
      "data_anonymization",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "International Journal for Research in Applied Science and Engineering Technology",
    "language": "en"
  },
  {
    "id": "openaire:10.55752/amwa.2024.346",
    "title": "European Union Regulation on Personal Data Protection in Medical Writing",
    "authors": [
      "Tatiana Revenco"
    ],
    "date": "2024-09-10",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.55752/amwa.2024.346",
    "pdfUrl": "",
    "doi": "10.55752/amwa.2024.346",
    "abstract": "<jats:p>The European General Data Protection Regulation 2016/679 (GDPR) aims to harmonize data protection laws across European Union (EU) Member States. The goal of GDPR is to ensure respect of the fundamental right to protection of the personal data and privacy, to enhance security measures, including information technology (IT) for data protection, and to render natural persons control over their personal data. Importantly, companies, institutions, freelancers (including medical writers) located outside the EU and handling personal data of natural persons living on the territory of the EU must comply with GDPR. Medical writers edit documents related to the activities in health sector that comprise personal data, specifically health data considered as sensitive data. Therefore, medical writing should put in place robust security measures and comply with the GDPR. This article is a clarification of the GDPR notions, principles, technical and organizational measures applied to the medical writing to guarantee protection of the personal data and respect of individual’s rights and freedoms.</jats:p>",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::7080ca82f4244cd69332565198eb3f41",
    "title": "Assessing differentially private deep learning with Membership Inference",
    "authors": [
      "Bernau, Daniel",
      "Grassal, Philip-William",
      "Robl, Jonas",
      "Kerschbaum, Florian"
    ],
    "date": "2019-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.48550/arxiv.1912.11328",
    "pdfUrl": "",
    "doi": "10.48550/arxiv.1912.11328",
    "abstract": "Attacks that aim to identify the training data of public neural networks represent a severe threat to the privacy of individuals participating in the training data set. A possible protection is offered by anonymization of the training data or training function with differential privacy. However, data scientists can choose between local and central differential privacy and need to select meaningful privacy parameters $ε$ which is challenging for non-privacy experts. We empirically compare local and central differential privacy mechanisms under white- and black-box membership inference to evaluate their relative privacy-accuracy trade-offs. We experiment with several datasets and show that this trade-off is similar for both types of mechanisms. This suggests that local differential privacy is a sound alternative to central differential privacy for differentially private deep learning, since small $ε$ in central differential privacy and large $ε$ in local differential privacy result in similar membership inference attack risk.",
    "topics": [
      "data_anonymization",
      "llm_privacy_attacks"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "AI Training PII"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::695b6d03a72537522cb9e67eb9404887",
    "title": "The Y.I.N. Mazari Ordering: A Necessary Primitive for verifiable differential Privacy in Federated Learning",
    "authors": [
      "Mazari, Ilyes Tarik",
      "Mazari, Yanis",
      "Mazari, Ilyan"
    ],
    "date": "2025-12-04",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.5281/zenodo.17816122",
    "pdfUrl": "",
    "doi": "10.5281/zenodo.17816122",
    "abstract": "We introduce the Y.I.N. Mazari Ordering, a fundamental primitive for achieving verifiable differential privacy in federated learning systems. The ordering (noise → proof → encrypt → aggregate) is proven to be necessary—no efficient alternative exists—and universal across all encryption schemes, proof systems, and aggregation topologies.  Patent pending: US 63/923,348, US 19/399,646, US 19/403,244  Keywords: Verifiable Differential Privacy, Federated Learning, Zero-Knowledge Proofs, Homomorphic Encryption, Privacy-Preserving Machine Learning",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.54254/2755-2721/2025.20957",
    "title": "An Overview of Privacy-preserving Technologies in Blockchain",
    "authors": [
      "Yuxin Ding"
    ],
    "date": "2025-02-21",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.54254/2755-2721/2025.20957",
    "pdfUrl": "",
    "doi": "10.54254/2755-2721/2025.20957",
    "abstract": "<jats:p> Blockchain technology, with its decentralization as well as tamper-proof characteristics, has achieved wide application in major fields in recent years. However, because of the potential of privacy leakage that comes with its transparency, privacy protection technology has emerged as a key area of current blockchain research. The first step involves reviewing the blockchain's architecture and selecting a summary of the privacy threats posed by the four layers of the blockchain: data, network, transaction, and application. Next, it concentrates on describing the two more significant types of blockchain privacy protection technology: zero-knowledge proof and homomorphic encryption. The former is developed from its fundamental ideas, application scenarios in the blockchain, and performance and security analysis. Conversely, zero-knowledge proof is derived from three from three aspects of its basic concept, application in blockchain, and technical challenges; finally, the privacy protection technology in blockchain is summarized and a prediction of its future research direction development is made.</jats:p>",
    "topics": [
      "privacy_engineering",
      "sector_finance"
    ],
    "painPointTracks": [
      "Financial & Payment PII",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.59613/global.v2i7.234",
    "title": "The Legal Implications of Data Protection Laws, AI Regulation, and Cybersecurity Measures on Privacy Rights in 2024",
    "authors": [
      "Dharma Setiawan Negara",
      "Nunu Burhanuddin",
      "Abu Sahman Nasim",
      "Juni Irianti Sitinjak",
      "Johannes Johny Koynja"
    ],
    "date": "2024-07-25",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.59613/global.v2i7.234",
    "pdfUrl": "",
    "doi": "10.59613/global.v2i7.234",
    "abstract": "<jats:p>This study explores the legal implications of data protection laws, artificial intelligence (AI) regulation, and cybersecurity measures on privacy rights in 2024. The primary objective is to qualitatively analyze how recent advancements and legislative changes in these areas impact individual privacy rights and shape the legal landscape for data protection. The research employs a qualitative literature review methodology, synthesizing findings from academic articles, legal texts, policy papers, and case studies to provide a comprehensive understanding of the evolving legal challenges and implications for privacy rights.  The literature review methodology involves systematically collecting and analyzing a wide range of scholarly sources on data protection, AI regulation, and cybersecurity. The study categorizes the literature into key themes, such as the effectiveness of current data protection laws, the ethical and legal considerations of AI, and the impact of cybersecurity measures on personal data security. Through a thematic analysis, the research identifies the intersection of these legal areas and their collective influence on privacy rights.  The findings reveal that recent data protection laws, such as the General Data Protection Regulation (GDPR) and emerging national legislations, have significantly enhanced individual control over personal data and accountability for data breaches. However, the rapid advancement of AI technologies poses new challenges for privacy, including concerns about data bias, algorithmic transparency, and the ethical use of personal information. Cybersecurity measures are essential for protecting data integrity and preventing unauthorized access, yet they also raise issues related to surveillance and the potential infringement of privacy rights.</jats:p>",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.26881/gsp.2024.3.07",
    "title": "Protection of Personal Data Processed in Artificial Intelligence Systems",
    "authors": [
      "Maria Jędrzejczak"
    ],
    "date": "2024-09-15",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.26881/gsp.2024.3.07",
    "pdfUrl": "",
    "doi": "10.26881/gsp.2024.3.07",
    "abstract": "<jats:p>The text undertakes an analysis of European Union regulations on the prevention of data protection breaches in AI systems, taking into account the provisions of the General Data Protection Regulation (GDPR) and the draft AI Act. Legal guarantees for the protection of personal data processed in AI systems are sought in the general principles of the GDPR (in particular the principles of lawfulness, transparency, data minimisation and confidentiality) and the regulations on liability for data breaches. The conclusions of the analysis indicate that the implementation of the solutions contained in the current and proposed regulations may be hampered by the autonomy of some AI systems.</jats:p>",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.31916/sjmi2024-01-03",
    "title": "Personal Data Protection Issues in the Era of Artificial Intelligence",
    "authors": [
      "Giljae Lee"
    ],
    "date": "2024-12-30",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.31916/sjmi2024-01-03",
    "pdfUrl": "",
    "doi": "10.31916/sjmi2024-01-03",
    "abstract": "<jats:p>This paper discusses the challenges associated with personal data protection in the era of artificial intelligence (AI). While AI technologies enable personalized services by collecting and analyzing large amounts of data, concerns regarding privacy and data protection are growing. The methods AI systems use to process data are often opaque, which poses a potential risk to individual rights and freedoms. Therefore, exploring data protection measures suitable for the AI era is crucial. Personal data protection is essential to comply with legal requirements and maintain individual privacy and trust. In the digital era, personal data is used in various ways, leading to issues such as data breaches, misuse, and discriminatory algorithms. These problems can erode trust and negatively affect innovation and economic growth. Strengthening personal data protection has thus become a socially important task. As AI technologies advance, existing data protection laws are proving insufficient to address new challenges. Regulations such as the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have been enacted to strengthen personal data protection, but they face limitations in keeping up with the complexities of AI technology. The complexity of AI algorithms makes it difficult to ensure transparency in data collection and processing, hindering trust in the use of personal data. To address these issues, companies must establish clear data protection policies, policymakers to develop flexible regulations, and engineers to adopt principles that consider personal data protection in system design. These efforts will help reinforce personal data protection and enhance the reliability of AI systems. In conclusion, a trust-based data protection framework is necessary for AI technologies to respect privacy and have a positive societal impact. \nCompanies and governments must cooperate to strengthen data protection and build societal tru",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1093/combul/bwac099",
    "title": "Beware the Algorithm: Understanding AI Compliance",
    "authors": [
      "Kingsley Hayes"
    ],
    "date": "2022-08-19",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1093/combul/bwac099",
    "pdfUrl": "",
    "doi": "10.1093/combul/bwac099",
    "abstract": "<jats:title>Abstract</jats:title>                <jats:p>The relationship between artificial intelligence (AI) and the General Data Protection Regulation (GDPR) is complex, writes Kingsley Hayes, Partner and Head of Data Breach at Keller Lenkner UK.</jats:p>",
    "topics": [
      "gdpr_compliance",
      "ai_governance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:0928-2750(20240401)33:2;1-O",
    "title": "Editorial: <i>European Law Restrictions on Tax Authorities’ Use of Artificial Intelligence Systems: Reflections on Some Recent Developments</i>",
    "authors": [],
    "date": "2024-04-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.54648/ecta2024006",
    "pdfUrl": "",
    "doi": "10.54648/ecta2024006",
    "abstract": "<jats:p>The article discusses the increasing use of artificial intelligence (AI) by tax authorities in the European Union, the resulting benefits and risks, and the necessity for an appropriate legal framework. Tax administrations employ AI systems for various tasks, from risk detection to legal analysis. While automation offers efficiency, there are also risks, such as violations of fundamental rights and discrimination, illustrated by examples like the Dutch childcare benefits scandal. It deals with two relevant EU regulations, namely the General Data Protection Regulation (GDPR) and the proposed European AI regulation (AI Act), emphasizing the need for more clarity and protection for taxpayers. The GDPR imposes a principled ban on fully automated decisions but allows exceptions if appropriate measures are in place. The AI Act introduces a right to human intervention for high-risk AI systems, but the author argues that the regulations are not clear enough, especially in view of the upcoming ‘tax administration 3.0ʹ model of the OECD further reducing human intervention. In short, specific guidelines and regulations are needed to ensure the fundamental rights of taxpayers in an increasingly automated tax environment.</jats:p> <jats:p>Artificial Intelligence (AI), Tax authorities, General Data Protection Regulation (GDPR), European Union Artificial Intelligence Regulation (AI Act), Fundamental rights, Tax collection process, Human intervention, Risk detection, Taxpayer assistance, Tax administration 3.0 model (OECD)</jats:p>",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.2139/ssrn.4874341",
    "title": "Personal Data Protection in AI-Native 6G Systems",
    "authors": [
      "Navaie, Keivan"
    ],
    "date": "2024-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.2139/ssrn.4874341",
    "pdfUrl": "",
    "doi": "10.2139/ssrn.4874341",
    "abstract": "As 6G evolves into an AI-native technology, the integration of artificial intelligence (AI) and Generative AI into cellular communication systems presents unparalleled opportunities for enhancing connectivity, network optimization, and personalized services. However, these advancements also introduce significant data protection challenges, as AI models increasingly depend on vast amounts of personal data for training and decision-making. In this context, ensuring compliance with stringent data protection regulations, such as the General Data Protection Regulation (GDPR), becomes critical for the design and operational integrity of 6G networks. These regulations shape key system architecture aspects, including transparency, accountability, fairness, bias mitigation, and data security.  This paper identifies and examines the primary data protection risks associated with AI-driven 6G networks, focusing on the complex data flows and processing activities throughout the 6G lifecycle. By exploring these risks, we provide a comprehensive analysis of the potential privacy implications and propose effective mitigation strategies. Our findings stress the necessity of embedding privacy-by-design and privacy-by-default principles in the development of 6G standards to ensure both regulatory compliance and the protection of individual rights.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "CoRR",
    "language": "en"
  },
  {
    "id": "openaire:S2212827125006183",
    "title": "Legal Implications of Vision-Language Foundation Models (VLFM) in Industrial Applications in Europe: An Inquiry into Data Protection, Copyright, and AI Regulation",
    "authors": [
      "Moenck, Keno",
      "Wais, Niklas",
      "Gomse, Martin",
      "Schüppstuhl, Thorsten",
      "Paal, Boris"
    ],
    "date": "2025-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1016/j.procir.2025.02.223",
    "pdfUrl": "",
    "doi": "10.1016/j.procir.2025.02.223",
    "abstract": "The rise of Foundation Models (FM) starts to revolutionize different aspects of machine vision in industrial applications. Increased generalizability, robustness, reliability, and the capacity for few-shot learning make vision systems adaptable and flexible to an unprecedented degree. Yet, the development and deployment of fine-tuned models in the industrial domain face unique legal challenges in Europe that arise from stringent regulations, including Copyright Law, the General Data Protection Regulation (GDPR), and the recently enacted AI Act. In this work, we investigate the legal implications of pre-training (1), fine-tuning (2), and utilizing VFMs (3) in industrial contexts in Europe, with a specific focus on manufacturing. With this contribution, we aim to raise awareness on how various regulations will impact the use of VLFMs in industrial settings.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.70382/mejhlar.v10i6.078",
    "title": "ARTIFICIAL INTELLIGENCE GOVERNANCE: LEGAL AND PUBLIC POLICY IMPLICATIONS FOR DATA PRIVACY AND ALGORITHMIC ACCOUNTABILITY",
    "authors": [
      "MICHAEL OGHALE IGHOFIOMONI",
      "OLUWABUSAYO OLUFUNKE AWOYOMI",
      "RAPHAEL POPOOLA",
      "EMMANUEL CHIAGOZIE AHAIWE",
      "CONFIDENCE ADIMCHI CHINONYEREM",
      "NIMOTALLAHI ADESAYO AZEEZ"
    ],
    "date": "2025-11-03",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.70382/mejhlar.v10i6.078",
    "pdfUrl": "",
    "doi": "10.70382/mejhlar.v10i6.078",
    "abstract": "<jats:p>Artificial Intelligence (AI) is an explanatory force in modern government and presents fundamental legal and public policy issues concerning data protection and algorithmic accountability. As AI calculations become more deeply embedded in decision-making in healthcare, finance, policing, and public administration, they strain existing regulation to safeguard personal data and promote equity. This research takes into account the function and legal implications of policy in the oversight of AI-based data collection and machine decision-making, particularly the need for effective governance structures that promote transparency, fairness, and accountability. By learning from international models such as the EU's General Data Protection Regulation (GDPR) and the Draft Artificial Intelligence Act, the study seeks to prove that legislation and ethical codes are capable of encompassing promises of data abuse, discrimination, and bias in algorithmic decision-making within them. The study highlights that optimal AI regulation hinges on marrying innovation with core human rights principles and ensuring technology is leveraged for the greater good without breaching privacy or justice. Strengthening the governing structures, providing assurance mechanisms, and upholding ethical regulation are essential in attaining a balance between society protection and technological advancement.</jats:p>",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.2139/ssrn.3442612",
    "title": "Privacy Challenges and Approaches to the Consent Dilemma",
    "authors": [
      "Malin Olivia Soeder"
    ],
    "date": "2019-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.2139/ssrn.3442612",
    "pdfUrl": "",
    "doi": "10.2139/ssrn.3442612",
    "abstract": "Privacy decisions and their underlying tradeoffs are genuine fields of study in economics. This master thesis builds on the well recorded findings that people give away more private information than they would like to reveal according to their pre-decisional statements. This so called ‘privacy paradox’ is one political justification for renewing outdated privacy laws towards a more privacy protecting approach. Since May 2018 the ‘General Data Protection Regulation’ (GDPR) is legally enforceable in Europe and intends to give Europeans citizens’ the legislative frame to protect their data. By changing the decision design from opting out of sharing data, to opting in allowing the use of private information, the regulation aims at giving Europeans thought-out control over their data. However, only few reads the privacy regulations of service providers and are able to process the information towards well-balanced decisions. This results in inflationary consent-giving of users and works against the actual political intention of enabling an informed consent giving. This master thesis intends in unfolding this ‘consent dilemma’ and finding solutions towards better informed decision-making.",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1145/3636555.3636921",
    "title": "Scaling While Privacy Preserving: A Comprehensive Synthetic Tabular Data Generation and Evaluation in Learning Analytics",
    "authors": [
      "Qinyi Liu",
      "Mohammad Khalil",
      "Jelena Jovanovic",
      "Ronas Shakya"
    ],
    "date": "2024-03-18",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1145/3636555.3636921",
    "pdfUrl": "",
    "doi": "10.1145/3636555.3636921",
    "abstract": "Privacy poses a significant obstacle to the progress of learning analytics (LA), presenting challenges like inadequate anonymization and data misuse that current solutions struggle to address. Synthetic data emerges as a potential remedy, offering robust privacy protection. However, prior LA research on synthetic data lacks thorough evaluation, essential for assessing the delicate balance between privacy and data utility. Synthetic data must not only enhance privacy but also remain practical for data analytics. Moreover, diverse LA scenarios come with varying privacy and utility needs, making the selection of an appropriate synthetic data approach a pressing challenge. To address these gaps, we propose a comprehensive evaluation of synthetic data, which encompasses three dimensions of synthetic data quality, namely resemblance, utility, and privacy. We apply this evaluation to three distinct LA datasets, using three different synthetic data generation methods. Our results show that synthetic data can maintain similar utility (i.e., predictive performance) as real data, while preserving privacy. Furthermore, considering different privacy and data utility requirements in different LA scenarios, we make customized recommendations for synthetic data generation. This paper not only presents a comprehensive evaluation of synthetic data but also illustrates its potential in mitigating privacy concerns within the field of LA, thus contributing to a wider application of synthetic data in LA and promoting a better practice for open science.",
    "topics": [
      "data_anonymization",
      "sector_education"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Children & Education PII"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.55041/isjem05057",
    "title": "Privacy-preserving data mining and federated learning methods",
    "authors": [
      "Vaishnavi Deshkmukh",
      "Vidya Gadhave"
    ],
    "date": "2025-10-06",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.55041/isjem05057",
    "pdfUrl": "",
    "doi": "10.55041/isjem05057",
    "abstract": "<jats:p>Abstract  Privacy-preserving federated learning (PPFL) represents a paradigmatic shift in collaborative machine learning, addressing critical privacy concerns while enabling distributed model training across multiple organizations without compromising sensitive data. This research presents a comprehensive analysis of privacy-enhancing techniques integrated with federated learning frameworks, demonstrating how differential privacy, homomorphic encryption, and secure multi-party computation can provide robust privacy guarantees while maintaining model utility. Through systematic evaluation across healthcare, finance, and IoT applications, our findings reveal that PPFL can achieve up to 94% model accuracy while reducing privacy risks by over 60% compared to centralized approaches. The study evaluates trade-offs between privacy guarantees, communication overhead, and computational efficiency, showing that hybrid approaches combining multiple privacy techniques offer optimal performance with privacy budgets as low as ε=0.1 for differential privacy implementations. These results demonstrate the practical viability of deploying privacy-preserving federated learning systems in real-world scenarios where data sensitivity and regulatory compliance are paramount</jats:p>",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.4018/979-8-3693-2081-5.ch013",
    "title": "Safeguarding Privacy Through Federated Machine Learning Techniques",
    "authors": [
      "Sayani Chattopadhyay",
      "Shalbani Das"
    ],
    "date": "2024-02-14",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.4018/979-8-3693-2081-5.ch013",
    "pdfUrl": "",
    "doi": "10.4018/979-8-3693-2081-5.ch013",
    "abstract": "<jats:p>The chapter thoroughly addresses ML privacy threats like risks, attacks, and leaks. It explores the methods of differential privacy, homomorphic encryption, and SMPC. Federated learning is detailed, covering concepts, benefits, techniques (averaging, aggregation). Advancements include transfer learning, differential privacy, edge device use. Real cases show privacy's value in healthcare, finance, IoT. The conclusion touches on trends, regulations, privacy-utility balance. The chapter aims to overview privacy-preserving and federated ML, stressing their role in data security with insights for researchers, practitioners, policymakers for privacy-conscious ML. Valuable insights are provided for researchers, practitioners, and policymakers aiming for a privacy-conscious future in machine learning.</jats:p>",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.32628/cseit251112203",
    "title": "Federated Learning in Distributed Systems: A Privacy-First Approach",
    "authors": [
      "Ankush Singhal"
    ],
    "date": "2025-02-07",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.32628/cseit251112203",
    "pdfUrl": "",
    "doi": "10.32628/cseit251112203",
    "abstract": "<jats:p>Federated learning has emerged as a transformative approach in machine learning, addressing critical challenges in data privacy and distributed computation. This article examines the evolution and implementation of federated learning across various sectors, focusing on its impact in healthcare, smart cities, and enterprise applications. The article analyzes the core principles of decentralized model training, advanced privacy-preserving techniques, and real-world applications. Through detailed examination of secure aggregation protocols, differential privacy mechanisms, and homomorphic encryption integration, this article demonstrates the effectiveness of federated learning in maintaining data privacy while achieving competitive model performance. The article highlights significant advancements in healthcare analytics, particularly in medical imaging and personalized treatment optimization, as well as substantial improvements in smart city infrastructure management. This article contributes to the understanding of federated learning's practical implementation challenges and solutions, providing insights into future directions for privacy-preserving distributed machine learning.</jats:p>",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::2efbf51172b241ea19aa6057de87c8be",
    "title": "The Y.I.N. Mazari Architecture: From Classical to Quantum - Privacy-Preserving Federated Learning with Optimal Cryptographic Ordering Including QFED-MAZARI Quantum Extension (CIP)",
    "authors": [
      "MAZARI, Ilyes Tarik",
      "Mazari, Yanis",
      "Ilyan, Mazari"
    ],
    "date": "2025-12-14",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.5281/zenodo.17925841",
    "pdfUrl": "",
    "doi": "10.5281/zenodo.17925841",
    "abstract": "We present the Y.I.N. Mazari Architecture, an 8-pillar privacy-preserving federated learning system built around a novel cryptographic ordering: DP→ZK→HE (Differential Privacy → Zero-Knowledge Proof → Homomorphic Encryption) applied to federated learning gradients. The name Y.I.N. honors Yanis, Ilyan, and Neylia Mazari, while embodying the core principle that Your Information Never leaves your control. We identify a fundamental barrier in privacy-preserving federated learning: the inability to verify that participants correctly applied differential privacy noise while maintaining computational efficiency. The Y.I.N. Mazari Ordering resolves this barrier through a specific sequencing of cryptographic operations. This paper extends the classical architecture into the quantum domain through the QFED-MAZARI system, introducing the Mazari Quantum Ordering: QDP→MUA→DQEM (Quantum Differential Privacy → Manifold Unitary Aggregation → Distributed Quantum Error Mitigation). Experimental results demonstrate 99.37% model accuracy with 223× speed improvement in classical systems, while the quantum extension achieves 91.9% accuracy with 40–50% communication reduction. Together, the classical and quantum architectures establish a comprehensive 30-year intellectual property runway.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.22399/ijcesen.2505",
    "title": "Federated Learning for AI-Powered Privacy in Distributed Systems",
    "authors": [
      "Prudhivi Anuradha",
      "C. Arunbala",
      "U. Harita",
      "K. Valarmathi",
      "S. Thenappan",
      "V. Saravanan"
    ],
    "date": "2025-06-18",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.22399/ijcesen.2505",
    "pdfUrl": "",
    "doi": "10.22399/ijcesen.2505",
    "abstract": "<jats:p>Federated Learning (FL) has emerged as a cutting-edge technique for privacy-preserving machine learning in distributed systems. Unlike traditional machine learning, which relies on centralized data storage, FL enables model training directly on decentralized data sources, ensuring that sensitive information never leaves its local environment. This paper explores the integration of Federated Learning with AI-powered privacy frameworks, focusing on secure multi-party computation, differential privacy, and cryptographic techniques to further safeguard user data. Through a comprehensive review of existing FL models and privacy-enhancing methods, the paper discusses how federated learning can be leveraged to address the challenges of data security, user privacy, and computational efficiency in distributed systems, particularly in fields like healthcare, finance, and IoT. The proposed framework demonstrates how Federated Learning, combined with AI-driven privacy techniques, can foster more trustworthy and secure collaborative machine learning processes while minimizing data leakage risks.</jats:p>",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.15688/nbit.jvolsu.2023.3.5",
    "title": "Studying of Privacy-Enhancing Technologies",
    "authors": [
      "Yana Chumburidze",
      "Olesya Kakorina"
    ],
    "date": "2023-12-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.15688/nbit.jvolsu.2023.3.5",
    "pdfUrl": "https://doi.org/10.15688/nbit.jvolsu.2023.3.5",
    "doi": "10.15688/nbit.jvolsu.2023.3.5",
    "abstract": "<jats:p>Confidential information is a valuable asset for organizations, and its protection is critical to ensure business security and maintain the trust of customers and partners. The issue of data privacy is becoming increasingly relevant in light of the growing number of data leaks both around the world and in Russia. This paper discusses various privacy-enhancing technologies. In this regard, new technologies are emerging that allow you to protect data from unauthorized access and maintain their confidentiality. This paper discusses various technologies that increase data privacy, such as data anonymization, pseudonymization, multiple computing methods, blockchain, differential confidentiality, homomorphic encryption, their advantages and disadvantages. The classification of technologies that increase privacy is given.</jats:p>",
    "topics": [
      "data_anonymization",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "NBI Technologies",
    "language": "en"
  },
  {
    "id": "openaire:10.64357/neya-gjnps-vz-imp-dt-cm-str-04",
    "title": "Data Protection and Privacy in Non-Profit Research: Ethical Imperatives and Practical Strategies",
    "authors": [
      "Anna Neya Kazanskaia"
    ],
    "date": "2025-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.64357/neya-gjnps-vz-imp-dt-cm-str-04",
    "pdfUrl": "",
    "doi": "10.64357/neya-gjnps-vz-imp-dt-cm-str-04",
    "abstract": "<jats:p>This article examines the ethical, legal, and practical dimensions of data protection and privacy in non-profit research. It highlights the importance of safeguarding participant information through confidentiality, anonymization, and pseudonymization, while navigating regulatory frameworks such as GDPR, CCPA, and HIPAA. Emphasizing both ethical responsibility and practical implementation, the article presents cost-effective strategies suitable for resource-constrained organizations, including open-source encryption, secure cloud storage, and community-driven approaches. By integrating ethical principles with technical safeguards, non-profits can strengthen credibility, protect participant rights, and maintain stakeholder trust, demonstrating that robust data protection is achievable even in low-resource environments.</jats:p>",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "NEYA Global Journal of Non-Profit Studies",
    "language": "en"
  },
  {
    "id": "openaire:10.1093/idpl/ipr018",
    "title": "The problem of 'personal data' in cloud computing: what information is regulated?--the cloud of unknowing",
    "authors": [
      "W. K. Hon",
      "C. Millard",
      "I. Walden"
    ],
    "date": "2011-09-14",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1093/idpl/ipr018",
    "pdfUrl": "",
    "doi": "10.1093/idpl/ipr018",
    "abstract": "† Cloud computing service providers, even those based outside Europe, may become subject to the EU Data Protection Directive’s extensive and complex regime purely through their customers’ choices, of which they may have no knowledge or control. † This article considers the definition and application of the EU ‘personal data’ concept in the context of anonymization/pseudonymization, encryption, and data fragmentation in cloud computing. † It argues that the ‘personal data’ definition should be based on the realistic risk of identification, and that applicability of data protection rules should be based on risk of harm and its likely severity.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1007/978-3-030-56883-2_19",
    "title": "Privacy and Consent",
    "authors": [
      "Tim Benson",
      "Grahame Grieve"
    ],
    "date": "2020-10-20",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1007/978-3-030-56883-2_19",
    "pdfUrl": "",
    "doi": "10.1007/978-3-030-56883-2_19",
    "abstract": "Information governance is a large topic, which has at its heart the ethical issue when it is right to share information. Data protection is built around some core principles, which are incorporated in HIPAA and GDPR legislation. Healthcare staff are usually required to sign a confidentiality code of conduct. Computer systems use the concepts of consent, authentication (including OAuth) and authorization to implement access control policies. Cryptography is used to protect data from unauthorized reading. Individuals and organizations have rights and responsibilities, which may include anonymization or pseudonymization of data. These are usually set out in legal contracts.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.64357/neya-gjnps-rsc-eth-dt-04",
    "title": "Data Protection and Privacy in Non-Profit Research: Ethical and Practical Considerations",
    "authors": [
      "Anna Neya Kazanskaia"
    ],
    "date": "2025-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.64357/neya-gjnps-rsc-eth-dt-04",
    "pdfUrl": "",
    "doi": "10.64357/neya-gjnps-rsc-eth-dt-04",
    "abstract": "<jats:p>Data protection and privacy are fundamental to ethical research in the non-profit sector, ensuring confidentiality, safeguarding participants’ dignity, and reinforcing organizational trust. This article examines the ethical and practical dimensions of privacy in research involving vulnerable populations, with particular attention to international frameworks such as GDPR, CCPA, and HIPAA. It explores techniques including anonymization, pseudonymization, and encryption, while highlighting layered security safeguards—physical, technical, and administrative. Special emphasis is placed on cost-effective strategies for resource-constrained organizations, from open-source tools to community-centered practices. By integrating global ethical principles with practical applications, the article provides both academics and practitioners with actionable approaches to strengthening privacy and data protection in diverse non-profit research settings.</jats:p>",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "NEYA Global Journal of Non-Profit Studies",
    "language": "en"
  },
  {
    "id": "openaire:10.17762/ijcnis.v14i1.5187",
    "title": "Improved Technique for Preserving Privacy while Mining Real Time Big Data",
    "authors": [
      "Ila Chandrakar"
    ],
    "date": "2022-04-15",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.17762/ijcnis.v14i1.5187",
    "pdfUrl": "",
    "doi": "10.17762/ijcnis.v14i1.5187",
    "abstract": "<jats:p>With the evolution of Big data, data owners require the assistance of a third party (e.g.,cloud) to store, analyse the data and obtain information at a lower cost. However, maintaining privacy is a challenge in such scenarios. It may reveal sensitive information. The existing research discusses different techniques to implement privacy in original data using anonymization, randomization, and suppression techniques. But those techniques are not scalable, suffers from information loss, does not support real time data and hence not suitable for privacy preserving big data mining. In this research, a novel approach of two level privacy is proposed using pseudonymization and homomorphic encryption in spark framework. Several simulations are carried out on the collected dataset. Through the results obtained, we observed that execution time is reduced by 50%, privacy is enhanced by 10%. This scheme is suitable for both privacy preserving Big Data publishing and mining.</jats:p>",
    "topics": [
      "data_anonymization",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "Int. J. Commun. Networks Inf. Secur.",
    "language": "en"
  },
  {
    "id": "openaire:10.1007/978-3-031-22412-6_5",
    "title": "Data Practices and Management",
    "authors": [
      "Rea Roje"
    ],
    "date": "2023-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1007/978-3-031-22412-6_5",
    "pdfUrl": "",
    "doi": "10.1007/978-3-031-22412-6_5",
    "abstract": "<jats:title>Abstract</jats:title><jats:p>Employing good data management practices is important for enhancing the transparency and validity of research, as well as the reproducibility of research findings. This chapter aims to help early career researchers translate the European Code of Conduct for Research Integrity principles and guidance on data management practices into everyday research. In this chapter we will guide you on data practices and management throughout the lifecycle of research data – data management planning, organizing and storing data, preserving and sharing data, reusing and citing data. You will also learn about the data management procedures relevant to each of the data lifecycle phases – preparation of data management plans, procedures for storing data properly and securely, examples of repositories for preserving and sharing data, licenses for reusing data, etc. The chapter will also outline the FAIR data principles and data protection requirements and safeguards important when handling personal data in your research (GDPR requirements, pseudonymization, anonymization, and deleting data).</jats:p>",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1007/978-3-031-32064-4_4",
    "title": "Privacy Statements in China, Germany, and the United States",
    "authors": [
      "Lars Hornuf",
      "Sonja Mangold",
      "Yayun Yang"
    ],
    "date": "2023-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1007/978-3-031-32064-4_4",
    "pdfUrl": "",
    "doi": "10.1007/978-3-031-32064-4_4",
    "abstract": "<jats:title>Abstract</jats:title><jats:p>This chapter investigates how crowdsourcing platforms handle matters of data protection and analyzes information from 416 privacy statements. We find that German platforms mostly base their data processing solely on the GDPR, while U.S. platforms refer to numerous international, European, and state-level legal sources on data protection. The Chinese crowdsourcing platforms are usually not open to foreigners and do not refer to the GDPR. The privacy statements provide evidence that some U.S. platforms are specific in the sense that they explicitly state which data are <jats:italic>not</jats:italic> processed. When we compare the privacy practices of crowdsourcing platforms with the German fintech sector, it is noticeable that pseudonymization and anonymization are, at least in Germany, used much more frequently on crowdsourcing platforms. Most privacy statements did not exhaustively clarify what personal data are shared, even though they mentioned the sharing of data with third parties.</jats:p>",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1109/bigdata.congress.2013.15",
    "title": "Engineering Privacy for Big Data Apps with the Unified Modeling Language",
    "authors": [
      "Dawn N. Jutla",
      "Peter Bodorik",
      "Sohail Ali"
    ],
    "date": "2013-06-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1109/bigdata.congress.2013.15",
    "pdfUrl": "",
    "doi": "10.1109/bigdata.congress.2013.15",
    "abstract": "This paper describes proposed privacy extensions to UML to help software engineers to quickly visualize privacy requirements, and design privacy into big data applications. To adhere to legal requirements and/or best practices, big data applications will need to apply Privacy by Design principles and use privacy services, such as, and not limited to, anonymization, pseudonymization, security, notice on usage, and consent for usage. We extend UML with ribbon icons representing needed big data privacy services. We further illustrate how privacy services can be usefully embedded in use case diagrams using containers. These extensions to UML help software engineers to visually and quickly model privacy requirements in the analysis phase, this phase is the longest in any software development effort. As proof of concept, a prototype based on our privacy extensions to Microsoft Visio's UML is created and the utility of our UML privacy extensions to the Use Case Diagram artifact is illustrated employing an IBM Watson-like commercial use case on big data in a health sector application.",
    "topics": [
      "data_anonymization",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1093/ehjdh/ztae009",
    "title": "Risks and benefits of sharing patient information on social media: a digital dilemma",
    "authors": [
      "Robert M A van der Boon",
      "A John Camm",
      "C Aguiar",
      "E Biasin",
      "G Breithardt",
      "H Bueno",
      "I Drossart",
      "N Hoppe",
      "E Kamenjasevic",
      "R Ladeiras-Lopes",
      "Paul McGreavy",
      "P Lanzer",
      "R Vidal-Perez",
      "Nico Bruining"
    ],
    "date": "2024-02-12",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1093/ehjdh/ztae009",
    "pdfUrl": "",
    "doi": "10.1093/ehjdh/ztae009",
    "abstract": "<jats:title>Abstract</jats:title>                <jats:p>Social media (SoMe) has witnessed remarkable growth and emerged as a dominant method of communication worldwide. Platforms such as Facebook, X (formerly Twitter), LinkedIn, Instagram, TikTok, and YouTube have become important tools of the digital native generation. In the field of medicine, particularly, cardiology, attitudes towards SoMe have shifted, and professionals increasingly utilize it to share scientific findings, network with experts, and enhance teaching and learning. Notably, SoMe is being leveraged for teaching purposes, including the sharing of challenging and intriguing cases. However, sharing patient data, including photos or images, online carries significant implications and risks, potentially compromising individual privacy both online and offline. Privacy and data protection are fundamental rights within European Union treaties, and the General Data Protection Regulation (GDPR) serves as the cornerstone of data protection legislation. The GDPR outlines crucial requirements, such as obtaining ‘consent’ and implementing ‘anonymization’, that must be met before sharing sensitive and patient-identifiable information. Additionally, it is vital to consider the patient’s perspective and prioritize ethical and social considerations when addressing challenges associated with sharing patient information on SoMe platforms. Given the absence of a peer-review process and clear guidelines, we present an initial approach, a code of conduct, and recommendations for the ethical use of SoMe. In conclusion, this comprehensive review underscores the importance of a balanced approach that ensures patient privacy and upholds ethical standards while harnessing the immense potential of SoMe to advance cardiology practice and facilitate knowledge dissemination.</jats:p>",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "European heart journal. Digital health",
    "language": "en"
  },
  {
    "id": "s2:8369871fbba120596b40bdca3d1ed482a9e0525e",
    "title": "Balancing Innovation and Privacy: Data Security Strategies in Natural Language Processing Applications",
    "authors": [
      "Shaobo Liu",
      "Guiran Liu",
      "Binrong Zhu",
      "Yuanshuai Luo",
      "Linxiao Wu",
      "Rui Wang"
    ],
    "date": "2024-10-11",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/8369871fbba120596b40bdca3d1ed482a9e0525e",
    "pdfUrl": "http://arxiv.org/pdf/2410.08553",
    "doi": "10.1109/ICMLCA63499.2024.10754062",
    "abstract": "This research addresses privacy protection in Natural Language Processing (NLP) by introducing a novel algorithm based on differential privacy, aimed at safeguarding user data in common applications such as chatbots, sentiment analysis, and machine translation. With the widespread application of NLP technology, the security and privacy protection of user data have become important issues that need to be solved urgently. This paper proposes a new privacy protection algorithm designed to effectively prevent the leakage of user sensitive information. By introducing a differential privacy mechanism, our model ensures the accuracy and reliability of data analysis results while adding random noise. This method not only reduces the risk caused by data leakage but also achieves effective processing of data while protecting user privacy. Compared to traditional privacy methods like data anonymization and homomorphic encryption, our approach offers significant advantages in terms of computational efficiency and scalability while maintaining high accuracy in data analysis. The proposed algorithm's efficacy is demonstrated through performance metrics such as accuracy (0.89), precision (0.85), and recall (0.88), outperforming other methods in balancing privacy and utility. As privacy protection regulations become increasingly stringent, enterprises and developers must take effective measures to deal with privacy risks. Our research provides an important reference for the application of privacy protection technology in the field of NLP, emphasizing the need to achieve a balance between technological innovation and user privacy. In the future, with the continuous advancement of technology, privacy protection will become a core element of data-driven applications and promote the healthy development of the entire industry.",
    "topics": [
      "data_anonymization",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "2024 5th International Conference on Machine Learning and Computer Application (ICMLCA)",
    "language": "en"
  },
  {
    "id": "openaire:10.3233/shti220983",
    "title": "Development and Implementation of the Data Science Learning Platform for Research Physician",
    "authors": [
      "Lejla, Begic Fazlic",
      "Marvin, Schacht",
      "Marlies, Morgen",
      "Anke, Schmeink",
      "Robert, Lipp",
      "Lukas, Martin",
      "Thomas, Vollmer",
      "Stefan, Winter",
      "Guido, Dartmann"
    ],
    "date": "2022-11-03",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.3233/shti220983",
    "pdfUrl": "",
    "doi": "10.3233/shti220983",
    "abstract": "<jats:p>Data analysis and their application are the unavoidable factors in the activities analyses in health care. Unfortunately, the acquisition of data from large available medical databases is a complex process and requires deep knowledge of computer science and especially knowledge of tools for data management. According to the European General Data Protection Regulation, the problem becomes much more complex. Recognizing these problems and difficulties, we have developed a Data Science Learning Platform (DSLP) that primarily targets practitioners and researchers but also the computer science students. Using our proposed tool chain together with the developed graphical user interface, data scientists and research physicians will be able to use available medical databases, apply and analyze different anonymization methods, analyze data according to the patient’s risk and quickly formulate new studies to target a disease in a complex data model. This article presents a clinical research discovery toolbox that implements and demonstrates tools for data anonymization, patient data visualization, NLP-tools for guideline search and data science learning tools.</jats:p>",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::270794195681ea68c09be160155ad825",
    "title": "Guidelines for Researchers on Personal Data Protection in Scientific Research Activities at Iscte",
    "authors": [
      "Iscte – Instituto Universitário de Lisboa"
    ],
    "date": "2022-03-22",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.5281/zenodo.15064859",
    "pdfUrl": "",
    "doi": "10.5281/zenodo.15064859",
    "abstract": "Iscte-Instituto Universitário de Lisboa (hereinafter Iscte) is assigned with carrying out scientific research and study cycles, including masters and doctorates, in which scientific or historical research activities are pursued.The processing of personal data for scientific research purposes is understood in a broad sense, covering, for example, technological development and demonstration, fundamental or applied research, historical research, research for genealogical purposes or research funded by the private sector.1The researchers as well as the lecturers, employees, students, and collaborators involved in research activities of Iscte are duty-bound to comply with ethical standards concerning respect for the privacy of participants in research work and the legislation on data protection in force.This document summarises Iscte’s perspective on the legislation on data protection for scientific and historical research, in particular the framework arising from the General Data Protection Regulation (GDPR) and Law 59/2019 of 08/08 – Implementing Law, in the Portuguese legal system, of the GDPR.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::68d1e6af78d9ab54b0e6ecadfe3f37fc",
    "title": "Inspirations from EU financial law for privacy protection by information obligations in Active and Assisted Living technologies",
    "authors": [
      "Kuźmicz, Maksymilian"
    ],
    "date": "2023-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.5281/zenodo.8200135",
    "pdfUrl": "",
    "doi": "10.5281/zenodo.8200135",
    "abstract": "This paper shows how experiences from the area of EU financial law can be used to strengthen privacy protection in Active and Assisted Living (AAL), by fulfilling information obligations. Firstly, the importance of the information obligation in the fields of law, society, and economics is explained. A reluctance to accept new technology often comes from a lack of understanding thereof. In economics, it is assumed that people make informed choices, and that the main tool for consumer protection is the provision of information (the information paradigm). That is why the law requires us to provide information, sometimes making it a condition of a transaction’s validity. Two main EU legal acts vital for computer systems and assistive technology, ie, the General Data Protection Regulation (GDPR) and the Artificial Intelligence Act (AI Act) proposed by the Commission in 2021, are analysed to identify information obligations: They specify different information obligations, including rules on informed consent, without which several systems and their functions cannot be used. The purpose of the requirement of informed consent is to provide data subjects with tools to protect their privacy, allowing them to decide how their personal data may be processed. The information obligation is similarly applied in the field of consumer protection. In this paper, I suggest verifying the development of regulations concerning consumer protection by information obligation in EU banking and investment law. After the crisis of 2008, a long legal trajectory occurred–from the detailed prospectus, through the simplified prospectus and the Key Investor Information Document (KIIDs), to the current standardised and shorter Key Information Document (KID). Changes were introduced, as a result of behavioural research into people’s perceptions and understanding. 
That experience may be useful in assisting technologies to fulfil the legal information obligations most effectively and, therefore, strengt",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.38035/jgsp.v3i4.548",
    "title": "Toward Social Justice in Digital Transformation: Legal and Ethical Governance of Electronic Medical Records for Global Welfare",
    "authors": [
      "Ade Netra Kartika",
      "Ahmad Redi"
    ],
    "date": "2025-11-26",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.38035/jgsp.v3i4.548",
    "pdfUrl": "",
    "doi": "10.38035/jgsp.v3i4.548",
    "abstract": "<jats:p>The accelerating digital transformation of healthcare across countries—driven by the adoption of Electronic Medical Records (EMR)—has reshaped the relationship between technology, ethics, and law. While EMR systems promise efficiency and interoperability, they also raise pressing issues of privacy, accountability, and equitable access. In developing contexts such as Indonesia, the challenge lies not only in technological implementation but also in ensuring that digital governance upholds the principles of social justice and human dignity. This study investigates how legal and ethical frameworks governing EMR in Indonesia align with global standards of justice and digital welfare. It aims to identify the normative gaps between regulation, ethics, and practice in digital health governance, proposing a regional framework for “digital justice.” Employing a qualitative legal-ethical approach, the study conducts comparative document analysis and case study evaluation of EMR regulations, including Indonesia’s Law No. 27/2022 on Personal Data Protection (Republic of Indonesia, 2022). These are benchmarked against international references such as the General Data Protection Regulation (GDPR), the WHO Digital Health Ethics Framework, and the OECD Principles on Data Governance. The comparative analysis reveals four thematic insights: (1) legal compliance and ethical governance; (2) digital inclusion and justice are hindered by structural disparities; (3) accountability mechanisms are underdeveloped; and (4) social justice principles are not yet institutionalized in digital health policy. 
The paper argues that sustainable digital transformation must integrate ethical equity, legal accountability, and participatory governance as interdependent pillars of “social justice in digital transformation.” The proposed model contributes to policy harmonization in Indonesia and reinforces the legitimacy of digital health governance within global welfare discourse.</jats:p>",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1109/star53492.2022.9860029",
    "title": "AI for Sport in the EU Legal Framework",
    "authors": [
      "Orlando, Alberto"
    ],
    "date": "2022-07-06",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1109/star53492.2022.9860029",
    "pdfUrl": "",
    "doi": "10.1109/star53492.2022.9860029",
    "abstract": "Artificial intelligence systems are used for a variety of reasons in sport. However, little has been explored about the legal challenges that can be directly linked to the use of AI systems in sports. This phenomenon must be framed within a legal framework in great turmoil, which has led national and supranational institutions to review privacy legislation in recent years and to attempt the first regulatory approaches in the field of AI. In particular, the EU is intervening heavily in these areas: the approval of the GDPR, which came into force in 2018, completely reformed the regulations on the protection of personal data; much more recently, in 2021, the European Commission published a proposal for a Regulation on AI (hereinafter, AI Act). Legal reflection on these issues is still in progress, but it is in an even more embryonic phase if we think about the impact of AI on the sporting phenomenon. In this context, we need to ask ourselves whether the current regulatory framework will hold up against the increasingly widespread and disparate uses of AI systems in the field of sport. In particular, compliance with the principles established by the GDPR must be assessed during all phases of the AI system's lifecycle. In this regard, there are problems relating to the accuracy of the data, the prevention and rectification of potential bias, the consent of the interested party, the principle of data minimization with respect to the purpose of the data processing, profiling and automated decision-making (Article 22). On the other hand, the uses of AI in the field of sport must be correctly framed in the regulatory framework proposed by the AI Act, with which the Commission has opted for a risk-based classification of AI systems (high, low and minimum), providing for different regimes of obligations and rights for the AI actors. 
The research aims to improve the advancement of knowledge for institutions, companies, associations, athletes and operators in the world of sport",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.2139/ssrn.5341233",
    "title": "Model Inversion Attacks on Llama 3: Extracting PII from Large Language Models",
    "authors": [
      "Sivashanmugam, Sathesh P."
    ],
    "date": "2025-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.2139/ssrn.5341233",
    "pdfUrl": "",
    "doi": "10.2139/ssrn.5341233",
    "abstract": "Large language models (LLMs) have transformed natural language processing, but their ability to memorize training data poses significant privacy risks. This paper investigates model inversion attacks on the Llama 3.2 model, a multilingual LLM developed by Meta. By querying the model with carefully crafted prompts, we demonstrate the extraction of personally identifiable information (PII) such as passwords, email addresses, and account numbers. Our findings highlight the vulnerability of even smaller LLMs to privacy attacks and underscore the need for robust defenses. We discuss potential mitigation strategies, including differential privacy and data sanitization, and call for further research into privacy-preserving machine learning techniques.",
    "topics": [
      "data_anonymization",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.36448/plr.v4i02.85",
    "title": "PROTECTION OF INDONESIA’S PERSONAL DATA AFTER RATIFICATION OF PERSONAL DATA PROTECTION ACT",
    "authors": [
      "null Siti Yuniarti"
    ],
    "date": "2022-11-23",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.36448/plr.v4i02.85",
    "pdfUrl": "",
    "doi": "10.36448/plr.v4i02.85",
    "abstract": "<jats:p>The protection of Indonesia's personal data entered a new chapter with the signing of the Personal Data Protection Bill by the President on October 17, 2022. The presence of the Personal Data Protection Law (UU PDP) is a lex specialist of Indonesian personal data protection regulations. This study analyzes how the form of protection of Indonesian personal data after the enactment of the PDP Law by using components in the personal data protection ecosystem as parameters, namely data subjects, data controllers and data processors, data protection officers and personal data protection supervisory agencies. Using normative legal research methods, this study found that the regulation of the 4 components has been accommodated in principle in the PDP Law. The balance between the protection of individuals on the one hand and the public interest on the other is tried to be accommodated in the principles behind the PDP Law and the reduction of the implementation of some norms. The composition of the norms shows that the processing of personal data, especially the obligations of the data controller, is the focus of regulation. The role of a data protection officer to ensure regulatory compliance is complemented by a risk mitigation function. The existence of data protection as service is also accommodated in the PDP Law. The supervisory agency is given a series of authorities with detailed details of investigative authority. The PDP Law as a compact regulation requires various implementing regulations, including provisions issued by institutions and sectoral regulations. The support of understanding and strengthening of all parties in the personal data protection ecosystem absolutely needs to be carried out immediately as an effort to realize compliance by minimizing protection failures and unauthorized processing as a preventive measure. Preventive measures should be used as a key option in the data protection regime. 
Therefore, discussions regarding the protection of",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.37253/jlpt.v8i2.8827",
    "title": "Personal Data Protection in Telemedicine: Comparison of Indonesian and European Union Law",
    "authors": [
      "Rina Shahrullah",
      "F. Yudhi Priyo Amboro",
      "Miftahul Jannah"
    ],
    "date": "2024-01-11",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.37253/jlpt.v8i2.8827",
    "pdfUrl": "",
    "doi": "10.37253/jlpt.v8i2.8827",
    "abstract": "<jats:p>Telemedicine allows patients to receive remote medical consultation, diagnosis, and treatment through a digital platform. However, with the development of telemedicine, personal data protection has become one of the main concerns. This research aims to compare the regulation of personal data protection in telemedicine services in Indonesia and the European Union. The type of research in this scientific article is Normative Juridical Research with a comparative legal approach. The data sources obtained in this paper are primary data and secondary data.   The data collection method is a literature study. The data analysis method in this paper uses a qualitative approach. The results show that personal data protection in Indonesia is regulated by Law Number 27 of 2022 concerning Personal Data Protection (PDP Law). While in the European Union, Personal Data Protection is regulated in the General Data Protection Regulation (GDPR) which regulates the collection and use of personal data by organizations. Some similarities in personal data protection in both telemedicine in Indonesia and in the European Union are that the same consent requires telemedicine providers to obtain clear and explicit consent from patients. Both telemedicine providers must not disclose the patient's personal data to third parties without the patient's consent. Telemedicine providers to implement security measures to protect patient personal data. Both Indonesia and the European Union give patients the right to access, correct, delete, and limit the use of their personal data</jats:p>",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1093/ojls/gqae033",
    "title": "The Three-Tier Structural Legal Deficit Undermining the Protection of Employees’ Personal Data in the Workplace",
    "authors": [
      "Einat Albin"
    ],
    "date": "2024-11-02",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1093/ojls/gqae033",
    "pdfUrl": "",
    "doi": "10.1093/ojls/gqae033",
    "abstract": "<jats:title>Abstract</jats:title>                <jats:p>—Even though personal data protection is a fundamental right, and legislation and the courts aim to pursue it, in practice, employees have no meaningful protection of their personal data within the workplace and have few opportunities to act, individually or collectively, to ensure the security of their data. In this article, I argue that a central reason for this state of affairs is the intersection of labour law and personal data protection regulation that creates a three-tier structural legal deficit. The three tiers are: the basic structure of labour law that ensures employer prerogative to use new technologies that are based on datafication almost unlimitedly; the consumer orientation of personal data protection regulation under the General Data Protection Regulation; and lack of specific labour law tools to protect personal data. By building on the structural understanding of the law, and by unravelling the three tiers, the article proposes robust labour law tools to enhance the protection of employees’ personal data.</jats:p>",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.3389/fninf.2014.00082",
    "title": "Comment on â€œA simple tool for neuroimaging data sharingâ€",
    "authors": [
      "Haselgrove, Christian",
      "Poline, Jean-Baptiste",
      "Kennedy, David N."
    ],
    "date": "2014-10-30",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.3389/fninf.2014.00082",
    "pdfUrl": "",
    "doi": "10.3389/fninf.2014.00082",
    "abstract": "In our recent paper “A simple tool for neuroimaging data sharing,” we introduced a system for sharing DICOM data. Addressing anonymization, we mentioned DICOM Supplement 551, the National Cancer Institute deidentification profile, and the default deidentification profile in XNAT's DICOM Browser and noted the disagreement in these various anonymization profiles. While a careful analysis of anonymization (especially as applied to DICOM) was not in the scope of this work, we could also have mentioned further work from the DICOM Standards Committee, specifically Supplement 1422 (Clinical Trial De-identification Profiles) and Annex E (Attribute Confidentiality Profiles) of PS3.153 (Security and System Management Profiles), which provide well thought-out and detailed analyses and recommendations for anonymization of DICOM data by dedicated working groups.    Also, in our observation of the current state of DICOM anonymization within the neuroimaging research community, we stated that no consensus could be found. Certainly most solutions in the neuroimaging research community do not follow the DICOM standard, preferring instead to design their own schemes that satisfy different levels of anonymization needed given each specific Institutional Review Board's (IRB) requirements and the nature of the specific data; the result is a lack of consensus in this particular community. This is an unfortunate reality and should not be construed to reflect negatively on the effort and the outcomes of the DICOM working groups, which are consensus solutions from the broader imaging community.    Indeed, there are several tools that support the DICOM standards out of the box, among these dicom-anon4 (supporting PS3.15, Annex E), DICOM Anonymizer5 (PS3.15, Annex E), the CTP DICOM Anonymizer6 (Supplement 142), and gdcmanon7 (PS3.15, Annex E and Supplement 142). 
However, these tools have been developed for radiological or more general biomedical research applications and the authors have not ",
    "topics": [
      "data_anonymization",
      "sector_healthcare"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Health & Genomic PII"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "europepmc:41618956",
    "title": "Emerging ethical duties in AI-mediated research: A case of data sovereignty in applying cross-national regulation.",
    "authors": [
      "Ayala R",
      "Hervé-Fernández P."
    ],
    "date": "2026-01-31",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1080/08989621.2026.2623487",
    "pdfUrl": "",
    "doi": "10.1080/08989621.2026.2623487",
    "abstract": "<h4>Background</h4>Artificial intelligence (AI) is reshaping research practices, yet its ethical implications remain under‑examined, particularly in cross‑national contexts.<h4>Objective</h4>To explore how AI integration into environmental science complicates informed consent, privacy and data sovereignty, and to identify the ethical duties that follow for researchers.<h4>Case context</h4>Drawing on a Chilean case study that adopts the European Union's General Data Protection Regulation (GDPR) as a normative framework, we focus on everyday AI‑mediated tools embedded in research infrastructures (e.g., transcription, cloud services, meeting assistants) and the tensions they introduce.<h4>Findings</h4>AI intensifies -rather than replaces- ethical accountability, especially where legal protections are weak or infrastructures unequal. Algorithmic opacity constrains researcher autonomy and undermines data sovereignty.<h4>Conclusions</h4>A governance approach grounded in data sovereignty and researcher autonomy is required to safeguard consent, privacy, and accountability in AI‑mediated research.<h4>Implications for policy and practice</h4>We propose a revised model of ethical governance to support researchers working across fragmented regulations and opaque AI systems.",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.55,
    "venue": "Accountability in research",
    "language": "en"
  },
  {
    "id": "europepmc:41728730",
    "title": "A Legal Perspective About \"Data Altruism Organization\" and Intermediaries Service Providers in European Health Data Space: Is a New Hero for Data Subject?",
    "authors": [
      "Yilmaz SS."
    ],
    "date": "2025-10-01",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.3233/shti251472",
    "pdfUrl": "",
    "doi": "10.3233/shti251472",
    "abstract": "This book chapter focuses on the regulation of data altruism by organizations within the scope of \"European Health Data Space\" (EHDS) and \"Data Governance Act\" (\"DGA\") and turns to the organization of sharing rules when the personal data that finds the regulation of data subjects in the General Data Protection Regulation (\"GDPR\") becomes non-personal data. \"Data Altruism Organization\" (DAOs) are the organization of facilitating and strengthening the data sharing ecosystem and consent mechanism and systematize health improvement in the field of health data. In other words, explores the pivotal role of data subjects in the data economy, emphasizing the need for a framework that actively includes them to facilitate easier data utilization. As our understanding evolves, it becomes clear that strengthening the structure of \"Data Altruism Organization\" and data intermediary services is essential, particularly in light of \"General Data Protection Regulation\". GDPR\"s regulation of relationships between data controllers and data subjects. It is crucial to address the economic and informational asymmetries that exist between these parties, recognizing that while data subjects elevate their data's status as a protected right, existing systems often limit responses to harm through restitution. Focusing on the secondary use of health data, this chapter, discusses advancements and objectives concerning the \"Data Altruism Organization\" outlined in the \"Data Governance Act\" (\"DGA\"). It also examines the interactions between data subjects and data controllers within the \"European Health Data Space\" (EHDS), noting that the \"Data Governance Act\" (\"DGA\") significantly enhances data protection through these altruism organizations. 
This governance framework aims to ensure the responsible use of data collected by public bodies for the public good while addressing challenges related to commercial confidentiality, intellectual property rights, and personal data. The \"DGA\" guarantees secure ",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "Studies in health technology and informatics",
    "language": "en"
  },
  {
    "id": "europepmc:41427491",
    "title": "Waste Not, Want Not: How to Make Your Data Futureproof Through Good Data Sharing Practices.",
    "authors": [
      "Vitlov N",
      "Vuković M",
      "Bralić N",
      "Marušić A."
    ],
    "date": "2025-12-01",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1002/cpz1.70283",
    "pdfUrl": "",
    "doi": "10.1002/cpz1.70283",
    "abstract": "Scientific progress relies on the generation, validation, and reuse of research data, yet standard practices and cultural, legal, and technological challenges have long limited data sharing. In the 21<sup>st</sup> century, growing volumes of data, higher transparency requirements, and concerns about reproducibility have pushed research data management to the forefront. This manuscript brings together three perspectives to provide an extensive overview of data sharing: theoretical foundations, ethical and normative frameworks, and practical implementation. First, it discusses the way research data differs across fields and formats, the distinction between primary and secondary data, and how metadata helps ensure data can be reused. It emphasizes how open data fosters transparency, reproducibility, accountability, and innovation, while also acknowledging that research data has historically been viewed as private intellectual property. Second, it explores the emergence of principles and ethical standards designed to enhance data quality and promote responsible use. Documentation standards, data management plans, and sharing of code and workflows have helped the FAIR (Findability, Accessibility, Interoperability, and Reusability) principles become a cornerstone for data sharing. Regulatory frameworks, such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), as well as mechanisms such as de-identification and Data Trusts, address legal and ethical issues, including privacy protection, licensing, and data governance. Finally, the third major topic discusses how these principles are implemented through infrastructure, incentives, and new technologies. It addresses the significance of cultural change and recognition systems, the impact of policies by journals and funders, and the role of repositories in preservation and interoperability. 
It also emphasizes the emergence of novel trends, such as artificial intelligence-driven metadata",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Current protocols",
    "language": "en"
  },
  {
    "id": "europepmc:40380638",
    "title": "Synthetic Data and PETs for Privacy-Compliant mHealth Within the EHDS: A Viewpoint Analysis.",
    "authors": [
      "Capparelli F",
      "de Ligio MR",
      "Finocchiaro G."
    ],
    "date": "2025-05-01",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.3233/shti250531",
    "pdfUrl": "",
    "doi": "10.3233/shti250531",
    "abstract": "The European Health Data Space (EHDS) is an initiative designed to harmonise health data sharing across Member States, with the overarching objective being to ensure compliance with the General Data Protection Regulation (GDPR). This paper examines synthetic data, generated via Variational Autoencoders (VAEs), and Privacy-Enhancing Technologies (PETs), such as Federated Learning, as solutions for privacy-preserving and interoperable mHealth systems. The utilisation of these tools is in alignment with the privacy-by-design principles outlined by the GDPR, thereby addressing the prevailing challenges associated with data sharing and regulatory compliance in the context of mHealth systems.",
    "topics": [
      "gdpr_compliance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "Studies in health technology and informatics",
    "language": "en"
  },
  {
    "id": "europepmc:PPR1009325",
    "title": "Assessor View: Introducing Tool Support for Android Privacy Assessments",
    "authors": [
      "Khedkar M",
      "Schlichtig M",
      "Atakishiyev N",
      "Bodden E."
    ],
    "date": "2025-04-23",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.21203/rs.3.rs-6323701/v1",
    "pdfUrl": "https://www.researchsquare.com/article/rs-6323701/latest.pdf",
    "doi": "10.21203/rs.3.rs-6323701/v1",
    "abstract": "<title>Abstract</title>  <p>Android apps collecting data from users must comply with legal frameworks to ensure data protection. This requirement has become even more important since the implementation of the General Data Protection Regulation (GDPR) by the European Union in 2018. Moreover, with the proposed Cyber Resilience Act on the horizon, stakeholders will soon need to assess software against even more stringent security and privacy standards. Effective privacy assessments require collaboration among groups with diverse expertise to function effectively as a cohesive unit.  This paper addresses the need for an automated approach to improve the understanding of data protection in Android apps and enhance communication between the various parties involved in privacy assessments. We present Assessor View, a tool designed to bridge knowledge gaps and support more effective privacy assessments of Android applications. We conducted a user study with five legal and privacy experts. In the interview part of this study, we identified key challenges in conducting privacy assessments, including knowledge gaps, poor communication between legal and technical experts, the absence of automated privacy tools, and the delayed involvement of privacy professionals. The user study results indicate that the GDPR warnings and guidance provided by Assessor View are valuable to DPOs and privacy experts, and its design is particularly well suited for these stakeholders.  Our findings indicate that Assessor View represents a significant step toward improving communication between legal and technical experts and automating privacy assessments.</p>",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "europepmc:39766917",
    "title": "Federated Learning: Breaking Down Barriers in Global Genomic Research.",
    "authors": [
      "Calvino G",
      "Peconi C",
      "Strafella C",
      "Trastulli G",
      "Megalizzi D",
      "Andreucci S",
      "Cascella R",
      "Caltagirone C",
      "Zampatti S",
      "Giardina E."
    ],
    "date": "2024-12-22",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.3390/genes15121650",
    "pdfUrl": "https://www.mdpi.com/2073-4425/15/12/1650/pdf?version=1734860130",
    "doi": "10.3390/genes15121650",
    "abstract": "Recent advancements in Next-Generation Sequencing (NGS) technologies have revolutionized genomic research, presenting unprecedented opportunities for personalized medicine and population genetics. However, issues such as data silos, privacy concerns, and regulatory challenges hinder large-scale data integration and collaboration. Federated Learning (FL) has emerged as a transformative solution, enabling decentralized data analysis while preserving privacy and complying with regulations such as the General Data Protection Regulation (GDPR). This review explores the potential use of FL in genomics, detailing its methodology, including local model training, secure aggregation, and iterative improvement. Key challenges, such as heterogeneous data integration and cybersecurity risks, are examined alongside regulations like GDPR. In conclusion, successful implementations of FL in global and national initiatives demonstrate its scalability and role in supporting collaborative research. Finally, we discuss future directions, including AI integration and the necessity of education and training, to fully harness the potential of FL in advancing precision medicine and global health initiatives.",
    "topics": [
      "gdpr_compliance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "Genes",
    "language": "en"
  },
  {
    "id": "europepmc:40380619",
    "title": "Attitudes of Developers Towards Privacy in Personal Health Applications.",
    "authors": [
      "Flanagan L",
      "Poikela M."
    ],
    "date": "2025-05-01",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.3233/shti250512",
    "pdfUrl": "",
    "doi": "10.3233/shti250512",
    "abstract": "In a world of rapidly expanding digital health technologies (eHealth), the development of technology often outpaces the protection of individuals' rights to privacy about their health data. In this paper, we discuss attitudes towards privacy from the perspective of developers, Information Security Officers and management, which we contextualize to eHealth, as well as discuss ways to improve privacy protection through education, regulatory improvements, documentation changes, and privacy-enhancing technology (PETs). The General Data Protection Regulation mandates technologies be developed with private-by-design philosophy. However, the studies we review show that the implementation of this mandate is still lacking, despite the importance of its implementation for eHealth. We conclude by summarising the main barriers to the protection of privacy in technology, as well as suggest actions to be taken, including by whom, towards addressing these issues.",
    "topics": [
      "privacy_engineering",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "Studies in health technology and informatics",
    "language": "en"
  },
  {
    "id": "europepmc:PPR1018350",
    "title": "Impact of EU Laws on the Adoption of AI and IoT in Advanced Building Energy Management Systems: A Review of Regulatory Barriers, Technological Challenges and Economic Opportunities",
    "authors": [
      "Jørgensen BN",
      "Ma ZG."
    ],
    "date": "2025-05-09",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.20944/preprints202505.0702.v1",
    "pdfUrl": "https://www.preprints.org/frontend/manuscript/cb7ed49dced5c184081f70061495baef/download_pub",
    "doi": "10.20944/preprints202505.0702.v1",
    "abstract": "The integration of Artificial Intelligence (AI) and the Internet of Things (IoT) in Building Energy Management Systems (BEMS) offers transformative potential for improving energy efficiency, enhancing occupant comfort, and supporting grid stability. However, the adoption of these technologies in the European Union (EU) is significantly influenced by a complex regulatory landscape, including the EU AI Act, the General Data Protection Regulation (GDPR), the EU Cybersecurity Act, and the Energy Performance of Buildings Directive (EPBD). This review systematically examines the legal, technological, and economic implications of these regulations on AI- and IoT-driven BEMS. First, we identify legal and regulatory barriers that may hinder innovation, such as data protection constraints, cybersecurity compliance, liability concerns, and interoperability requirements. Second, we explore technological challenges in designing regulatory-compliant AI and IoT solutions, focusing on data privacy-preserving architectures (e.g., edge computing vs. cloud processing), explainability requirements for AI decision-making, and cybersecurity resilience. Finally, we highlight the economic opportunities that arise from regulatory alignment, demonstrating how compliant AI and IoT-based BEMS can unlock energy savings, operational efficiencies, and new business models in smart buildings. By synthesizing current research and policy developments, this review provides a comprehensive framework for understanding the intersection of regulatory requirements and technological innovation in AI-driven building management. We discuss strategies to navigate regulatory constraints while leveraging AI and IoT for energy-efficient, intelligent building operations. The insights presented aim to guide researchers, policymakers, and industry stakeholders in advancing regulatory-compliant BEMS that balance innovation, security, and sustainability.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "europepmc:40588977",
    "title": "Privacy-Preserving Opt-Out from Homomorphically Encrypted Clinical Trials.",
    "authors": [
      "Puskaric M",
      "Gusinow R",
      "Górska A",
      "Hasenauer J."
    ],
    "date": "2025-06-01",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.3233/shti250771",
    "pdfUrl": "",
    "doi": "10.3233/shti250771",
    "abstract": "Data protection regulations, such as the GDPR, ensure individuals' rights regarding processing of their personal data, including the 'right to be forgotten,' which mandates the opt-out and deletion of personal data from datasets at any stage. Homomorphic encryption enables arithmetic operations on encrypted numerical vectors while keeping the data and intermediate results hidden throughout the analysis process. This paper presents an implementation of the right to be forgotten using homomorphic encryption, designed for a real-world use case involving the collection and storage of clinical data in an international collaboration. We introduce methods for structuring data as collections of encrypted vectors and propose algorithms for privacy-preserving opt-out and verifiable data deletion. These algorithms are implemented and tested in a software prototype, with a performance analysis of their computational efficiency. Our approach provides a framework for patient withdrawal at any stage of a clinical trial, balancing the need for data privacy with the computational constraints of homomorphic encryption by structuring clinical datasets into encrypted vector collections.",
    "topics": [
      "gdpr_compliance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "Studies in health technology and informatics",
    "language": "en"
  },
  {
    "id": "europepmc:39896036",
    "title": "Blockchain enabled policy-based access control mechanism to restrict unauthorized access to electronic health records.",
    "authors": [
      "Yaqub N",
      "Zhang J",
      "Khalid MI",
      "Wang W",
      "Helfert M",
      "Ahmed M",
      "Kim J."
    ],
    "date": "2025-01-23",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.7717/peerj-cs.2647",
    "pdfUrl": "https://europepmc.org/articles/PMC11784709?pdf=render",
    "doi": "10.7717/peerj-cs.2647",
    "abstract": "Electronic health record transmission and storage involve sensitive information, requiring robust security measures to ensure access is limited to authorized personnel. In the existing state of the art, there is a growing need for efficient access control approaches for the secure accessibility of patient health data by sustainable electronic health records. Locking medical data in a healthcare center forms information isolation; thus, setting up healthcare data exchange platforms is a driving force behind electronic healthcare centers. The healthcare entities access rights like subject, controller, and requester are defined and regulated by access control policies as defined by the General Data Protection Regulation (GDPR). In this work, we have introduced a blend of policy-based access control (PBAC) system backed by blockchain technology, where smart contracts govern the intrinsic part of security and privacy. As a result, any Subject can know at any time who currently has the right to access his data. The PBAC grants access to electronic health records based on predefined policies. Our proposed PBAC approach employs policies in which the subject, controller, and requester can grant access, revoke access, and check logs and actions made in a particular healthcare system. Smart contracts dynamically enforce access control policies and manage access permissions, ensuring that sensitive data is available only to authorized users. Delineating the proposed access control system and comparing it to other systems demonstrates that our approach is more adaptable to various healthcare data protection scenarios where there is a need to share sensitive data simultaneously and a robust need to safeguard the rights of the involved entities.",
    "topics": [
      "gdpr_compliance",
      "sector_healthcare"
    ],
    "painPointTracks": [
      "Enforcement",
      "Health & Genomic PII"
    ],
    "relevanceScore": 0.55,
    "venue": "PeerJ. Computer science",
    "language": "en"
  },
  {
    "id": "europepmc:40200447",
    "title": "Data Governance in Healthcare AI: Navigating the EU AI Act's Requirements.",
    "authors": [
      "Kalodanis K",
      "Feretzakis G",
      "Rizomiliotis P",
      "Verykios VS",
      "Papapavlou C",
      "Koutsikos I",
      "Anagnostopoulos D."
    ],
    "date": "2025-04-01",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.3233/shti250050",
    "pdfUrl": "",
    "doi": "10.3233/shti250050",
    "abstract": "The integration of Artificial Intelligence (AI) into healthcare has the potential to revolutionize patient care, diagnostics, and treatment planning. However, this integration also introduces significant challenges related to data governance, privacy, and compliance with emerging regulations. The European Union's (EU) AI Act proposes a comprehensive regulatory framework aimed at ensuring that AI systems are trustworthy and respect fundamental rights. This paper provides an in-depth analysis of the data governance requirements stipulated by the EU AI Act specifically within the context of healthcare AI. Furthermore, it explores strategies for compliance, examines the interplay with existing regulations such as the General Data Protection Regulation (GDPR), and addresses the ethical considerations inherent in deploying AI in healthcare settings.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "Studies in health technology and informatics",
    "language": "en"
  },
  {
    "id": "europepmc:PPR985457",
    "title": "De-identification when making datasets FAIR: Two worked examples from the behavioral and social sciences",
    "authors": [
      "van Ravenzwaaij D",
      "de Jong M",
      "Hoekstra R",
      "Scheibe S",
      "Span MM",
      "Wessel I",
      "Heininga VE."
    ],
    "date": "2025-03-04",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.31234/osf.io/acpm3_v2",
    "pdfUrl": "https://doi.org/10.31234/osf.io/acpm3_v2",
    "doi": "10.31234/osf.io/acpm3_v2",
    "abstract": "<p>In recent years, the advancement of open science has led to data sharing becoming more common practice. Data availability has clear merits for science as it opens up possibilities for re-use of datasets by others, leading to less redundancy, more efficiency, and more transparency. The ideal is for scientific data to be as open as possible and FAIR: Findable, Accessible, Interoperable, and Reusable. Parallel to this development, recent times have seen more stringent guidelines with respect to data privacy, culminating in the General Data Protection Regulation law, or GDPR. Navigating the balance between protecting participants’ privacy and making one's dataset as open as possible can be challenging for researchers. In this paper, we provide two worked examples with real datasets from the behavioral and social sciences on how to be as open as possible and as closed as necessary, with the goal of maximally facilitating science while minimizing the risk of participant identification.</p>",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "europepmc:41586438",
    "title": "Decentralizing the future: Value creation in Web 3.0 and the Metaverse.",
    "authors": [
      "Perboli G",
      "Merlo F",
      "Vandoni C."
    ],
    "date": "2025-01-01",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.12688/openreseurope.20906.2",
    "pdfUrl": "https://europepmc.org/articles/PMC12828255?pdf=render",
    "doi": "10.12688/openreseurope.20906.2",
    "abstract": "The emergence of Web 3.0 and the Metaverse marks a transformative shift in the evolution of the internet and digital ecosystems. This paper explores the foundational principles of decentralization, user autonomy, and data transparency that underpin Web 3.0 technologies, including blockchain, smart contracts, and digital wallets. We analyze how these innovations are reshaping business models, enabling new forms of value creation, and redefining digital ownership and governance. In parallel, we examine the Metaverse as a virtual, immersive environment integrating Web 3.0 infrastructure, and its potential to revolutionize sectors such as logistics, education, finance, and data management. The study also highlights the critical role of a holistic framework encompassing technological, economic, and legal pillars. A special focus is given to data provenance, privacy-preserving computation, and the need for coherent regulatory strategies in light of GDPR, the AI Act, and the Data Act (European Parliament, 2016; European Parliament, 2023; European Parliament, 2024). Finally, we identify emerging challenges related to NFT authenticity, system sustainability, and user experience, proposing a multidisciplinary and lean governance approach to guide future developments.",
    "topics": [
      "jurisdiction_regulatory",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "pubmed:37229678",
    "title": "[Privacy and epidemiology: let's find a shared solution.].",
    "authors": [
      "Bisceglia, Lucia",
      "Caranci, Nicola",
      "Giorgi Rossi, Paolo",
      "Zengarini, Nicolás"
    ],
    "date": "2023-06",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1701/4042.40224",
    "pdfUrl": "",
    "doi": "10.1701/4042.40224",
    "abstract": "During the pandemic period, Italian epidemiologists managed to monitor the situation despite fragmented and often low-quality data flows, comparing themselves to other countries (such as England and Israel) that were able to provide valuable indications in very short times thanks to the availability of a large amount of interconnected data at the national level. In the same months, the Italian Data Protection Authority launched several investigations that triggered an immediate stiffening of the mechanisms for accessing data by epidemiological structures at both regional and company levels, leading to a significant limitation in the conduct of epidemiological investigations, and in some cases the complete suspension of important projects. The interpretation of the General data protection regulation (Gdpr) was found to be subjective and heterogeneous among different institutions. The path to legitimizing data processing appears obscure and subject to the sensitivity of the different actors involved in the process within companies and regions. Apparently, only economic reporting is unanimously considered the primary and legitimate use of data. The work of Italian epidemiologists has been called into question to the point of making it practically impossible to carry out their institutional duties, even though they are an integral part of the National health service's (Nhs) function to promote and ensure health and well-being for the population. Today, it is necessary to immediately initiate a path to identify shared solutions among the various actors at both the central and local levels, which allow epidemiological structures and professionals to carry out their tasks with serenity, while ensuring data protection. The obstacles to conducting epidemiological studies are not a problem of individual operators or individual epidemiology structures, but a block to the production of knowledge and, ultimately, to the processes of improving the Nhs.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "Recenti progressi in medicina",
    "language": "en"
  },
  {
    "id": "pubmed:37064041",
    "title": "The application of data altruism in clinical research through empirical and legal analysis lenses.",
    "authors": [
      "Lalova-Spinks, Teodora",
      "Meszaros, Janos",
      "Huys, Isabelle"
    ],
    "date": "2023-03-30",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1016/j.clsr.2020.105412",
    "pdfUrl": "",
    "doi": "10.1016/j.clsr.2020.105412",
    "abstract": "BACKGROUND: The legal framework for clinical research in the EU is complex and the lack of harmonization of the relevant legal and ethical rules remains one of the main challenges for stakeholders in the field. The recently adopted Data Governance Act (DGA) and the proposal for a European Health Data Space (EHDS) promise to solve the existing challenges with respect to access to and (re)use of personal data for research, but also risk to further complexify the field. The DGA introduced a novel mechanism - data altruism. Data altruism is understood as the voluntary sharing of personal and non-personal data, based on the consent of data subjects or the permission of natural and legal persons, without seeking a reward and for objectives of general interest. This study aimed to gain insights into the opinion of clinical research stakeholders on data altruism, and to critically discuss key issues pertaining to the application of data altruism from a legal point of view. METHODS: Semi-structured interviews with (1) data protection officers (DPOs) and legal experts working with commercial and academic sponsors of clinical trials, (2) investigators, and (3) members of research ethics committees. Data underwent framework analysis. The legal discussion was comprised of legal doctrinal research with focus on the DGA, EHDS proposal, and the interplay with the EU General Data Protection Regulation (GDPR). RESULTS: Fourteen experts took part in the interviews, more than half of which were DPOs/legal experts. Interviewees were based in seven EU Member states and the United Kingdom. The majority of participants were critical towards the data altruism mechanism and pointed out challenges and risks associated with its application. CONCLUSION: Although data altruism holds the potential to facilitate data sharing, its application in clinical research at the moment is still riddled with uncertainties. 
The interplay of the DGA rules with the provisions of the GDPR and the EHDS proposal a",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "Frontiers in medicine",
    "language": "en"
  },
  {
    "id": "pubmed:36995757",
    "title": "mHealth Systems Need a Privacy-by-Design Approach: Commentary on \"Federated Machine Learning, Privacy-Enhancing Technologies, and Data Protection Laws in Medical Research: Scoping Review\".",
    "authors": [
      "Tewari, Ambuj"
    ],
    "date": "2023-03-30",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.48550/arXiv.2302.05552",
    "pdfUrl": "",
    "doi": "10.48550/arXiv.2302.05552",
    "abstract": "Brauneck and colleagues have combined technical and legal perspectives in their timely and valuable paper \"Federated Machine Learning, Privacy-Enhancing Technologies, and Data Protection Laws in Medical Research: Scoping Review.\" Researchers who design mobile health (mHealth) systems must adopt the same privacy-by-design approach that privacy regulations (eg, General Data Protection Regulation) do. In order to do this successfully, we will have to overcome implementation challenges in privacy-enhancing technologies such as differential privacy. We will also have to pay close attention to emerging technologies such as private synthetic data generation.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Journal of medical Internet research",
    "language": "en"
  },
  {
    "id": "pubmed:35696847",
    "title": "Position paper on management of personal data in environment and health research in Europe.",
    "authors": [
      "Eva, Govarts",
      "Liese, Gilles",
      "Stephanie, Bopp",
      "Petr, Holub",
      "Leslie, Matalonga",
      "Roel, Vermeulen",
      "Martine, Vrijheid",
      "Sergi, Beltran",
      "Mette, Hartlev",
      "Sarah, Jones",
      "Laura, Rodriguez Martin",
      "Arnout, Standaert",
      "Morris A, Swertz",
      "Jan, Theunis",
      "Xenia, Trier",
      "Nina, Vogel",
      "Koert, Van Espen",
      "Sylvie, Remy",
      "Greet, Schoeters"
    ],
    "date": "2022-06-06",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1016/j.envint.2022.107334",
    "pdfUrl": "",
    "doi": "10.1016/j.envint.2022.107334",
    "abstract": "Management of datasets that include health information and other sensitive personal information of European study participants has to be compliant with the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679). Within scientific research, the widely subscribed 'FAIR' data principles should apply, meaning that research data should be findable, accessible, interoperable and re-usable. Balancing the aim of open science driven FAIR data management with GDPR compliant personal data protection safeguards is now a common challenge for many research projects dealing with (sensitive) personal data. In December 2020 a workshop was held with representatives of several large EU research consortia and of the European Commission to reflect on how to apply the FAIR data principles for environment and health research (E&H). Several recent data intensive EU funded E&H research projects face this challenge and work intensively towards developing solutions to access, exchange, store, handle, share, process and use such sensitive personal data, with the aim to support European and transnational collaborations. As a result, several recommendations, opportunities and current limitations were formulated. New technical developments such as federated data management and analysis systems, machine learning together with advanced search software, harmonized ontologies and data quality standards should in principle facilitate the FAIRification of data. To address ethical, legal, political and financial obstacles to the wider re-use of data for research purposes, both specific expertise and underpinning infrastructure are needed. There is a need for the E&H research data to find their place in the European Open Science Cloud. Communities using health and population data, environmental data and other publicly available data have to interconnect and synergize. 
To maximize the use and re-use of environment and health data, a dedicated supporting European infrastructure effort, such as ",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Environment international",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4285744096",
    "title": "The Issue of Proxies and Choice Architectures. Why EU Law Matters for Recommender Systems",
    "authors": [
      "Mireille Hildebrandt"
    ],
    "date": "2022",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.3389/frai.2022.789076",
    "pdfUrl": "https://www.frontiersin.org/articles/10.3389/frai.2022.789076/pdf",
    "doi": "https://doi.org/10.3389/frai.2022.789076",
    "abstract": "Recommendations are meant to increase sales or ad revenue, as these are the first priority of those who pay for them. As recommender systems match their recommendations with inferred preferences, we should not be surprised if the algorithm optimizes for lucrative preferences and thus co-produces the preferences they mine. This relates to the well-known problems of feedback loops, filter bubbles, and echo chambers. In this article, I discuss the implications of the fact that computing systems necessarily work with proxies when inferring recommendations and raise a number of questions about whether recommender systems actually do what they are claimed to do, while also analysing the often-perverse economic incentive structures that have a major impact on relevant design decisions. Finally, I will explain how the choice architectures for data controllers and providers of AI systems as foreseen in the EU's General Data Protection Regulation (GDPR), the proposed EU Digital Services Act (DSA) and the proposed EU AI Act will help to break through various vicious circles, by constraining how people may be targeted (GDPR, DSA) and by requiring documented evidence of the robustness, resilience, reliability, and the responsible design and deployment of high-risk recommender systems (AI Act).",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "Frontiers in Artificial Intelligence",
    "language": "en"
  },
  {
    "id": "pubmed:34992854",
    "title": "Effective communication between hospital staff and patients in compliance with personal data protection regulations.",
    "authors": [
      "Mocydlarz-Adamcewicz, Mirosława"
    ],
    "date": "2021-12-30",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1016/j.maturitas.2018.04.008",
    "pdfUrl": "",
    "doi": "10.1016/j.maturitas.2018.04.008",
    "abstract": "Secure communication between patients and health care facilities is especially important In 2016, the European Union (EU) introduced a new regulation - the General Data Protection Regulation (GDPR), applicable in all EU member states - aimed at improving protection of personal data. The GDPR provides broad guidelines on data protection, but generally lacks specific details. Consequently, although member states must comply with the GDPR, there is some flexibility to develop new regulations to suit national characteristics and practices, especially in key economic sectors, such as health care. The aim of the present article is to discuss the benefits and limitations of legal provisions governing the patient identification (both in-person and remotely). This analysis is based on Polish laws that were recently passed to comply with the GDPR. In some cases, these data protection regulations may be unnecessarily strict, making routine care more difficult than intended by the GDPR. National legislation in Poland imposes strict data protection measures, such as prohibiting the public display of patient names or calling out the patient's name in public. However, after health care personnel around the country criticised many of these measures, the law will be modified to address those concerns. For example, the patient's name can be displayed on a wrist band and on containers with the patient's medicines. Nonetheless, numerous questions still need to be resolved to adapt the general data protection rules to ensure the effective operation of the hospital to avoid problems related to accurate patient identification.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Reports of practical oncology and radiotherapy : journal of Greatpoland Cancer Center in Poznan and Polish Society of Radiation Oncology",
    "language": "en"
  },
  {
    "id": "pubmed:34903021",
    "title": "Federated personalized random forest for human activity recognition.",
    "authors": [
      "Liu, Songfeng",
      "Wang, Jinyan",
      "Zhang, Wenliang"
    ],
    "date": "2021-11-22",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.3934/mbe.2022044",
    "pdfUrl": "",
    "doi": "10.3934/mbe.2022044",
    "abstract": "User data usually exists in the organization or own local equipment in the form of data island. It is difficult to collect these data to train better machine learning models because of the General Data Protection Regulation (GDPR) and other laws. The emergence of federated learning enables users to jointly train machine learning models without exposing the original data. Due to the fast training speed and high accuracy of random forest, it has been applied to federated learning among several data institutions. However, for human activity recognition task scenarios, the unified model cannot provide users with personalized services. In this paper, we propose a privacy-protected federated personalized random forest framework, which considers to solve the personalized application of federated random forest in the activity recognition task. According to the characteristics of the activity recognition data, the locality sensitive hashing is used to calculate the similarity of users. Users only train with similar users instead of all users and the model is incrementally selected using the characteristics of ensemble learning, so as to train the model in a personalized way. At the same time, user privacy is protected through differential privacy during the training stage. We conduct experiments on commonly used human activity recognition datasets to analyze the effectiveness of our model.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Mathematical biosciences and engineering : MBE",
    "language": "en"
  },
  {
    "id": "pubmed:37645179",
    "title": "Record linkage of population-based cohort data from minors with national register data: a scoping review and comparative legal analysis of four European countries.",
    "authors": [
      "Doetsch, Julia Nadine",
      "Dias, Vasco",
      "Indredavik, Marit S",
      "Reittu, Jarkko",
      "Devold, Randi Kallar",
      "Teixeira, Raquel",
      "Kajantie, Eero",
      "Barros, Henrique"
    ],
    "date": "2021-09-27",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1093/bmb/ldy038",
    "pdfUrl": "",
    "doi": "10.1093/bmb/ldy038",
    "abstract": "Background : The GDPR was implemented to build an overarching framework for personal data protection across the EU/EEA. Linkage of data directly collected from cohort participants, potentially serving as a prominent tool for health research, must respect data protection rules and privacy rights. Our objective was to investigate law possibilities of linking cohort data of minors with routinely collected education and health data comparing EU/EEA member states.  Methods : A legal comparative analysis and scoping review was conducted of openly accessible published laws and regulations in EUR-Lex and national law databases on GDPR's implementation in Portugal, Finland, Norway, and the Netherlands and its connected national regulations purposing record linkage for health research that have been implemented up until April 30, 2021.  Results:  The GDPR does not ensure total uniformity in data protection legislation across member states offering flexibility for national legislation. Exceptions to process personal data, e.g., public interest and scientific research, must be laid down in EU/EEA or national law. Differences in national interpretation caused obstacles in cross-national research and record linkage: Portugal requires written consent and ethical approval; Finland allows linkage mostly without consent through the national Social and Health Data Permit Authority; Norway when based on regional ethics committee's approval and adequate information technology safeguarding confidentiality; the Netherlands mainly bases linkage on the opt-out system and Data Protection Impact Assessment.  Conclusions:  Though the GDPR is the most important legal framework, national legislation execution matters most when linking cohort data with routinely collected health and education data. As national interpretation varies, legal intervention balancing individual right to informational self-determination and public good is gravely needed for health research. \nMore harmonization across EU/",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Open research Europe",
    "language": "en"
  },
  {
    "id": "pubmed:34217435",
    "title": "Telehealth in Multidisciplinary Target Delineation for Radiotherapy During the COVID-19 Pandemic. A Review and a Case.",
    "authors": [
      "Jensen, Kenneth",
      "Dalby, Rikke Beese",
      "Bouchelouche, Kirsten",
      "Pedersen, Erik Morre",
      "Kalmar, Stefan"
    ],
    "date": "2021-06-16",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1053/j.semnuclmed.2021.06.002",
    "pdfUrl": "",
    "doi": "10.1053/j.semnuclmed.2021.06.002",
    "abstract": "Like all other medical specialties, radiotherapy has been deeply influenced by the COVID-19 pandemic. The pandemic has had severe influence on the entire patient trajectory in oncology, from diagnosis to treatment and follow-up. Many examples of how to deal with patient and staff safety, shortness of staff and other resources and the quest to continue high-quality, evidence-based treatment have been presented. The use of telemedicine and telehealth is frequently presented as a part of the solution to overcome these challenges. Some of the available presented solutions will only apply in an acute, local setting, whereas others might inspire the community to improve quality and cost-effectiveness of radiotherapy as well as knowledge sharing in the future. Some of the unresolved issues in many of the available technical solutions are related to data security and public regulation, for example, GDPR (General Data Protection Regulation) in the EU and HIPAA compliance (Health Insurance Portability and Accountability Act) in the USA. Using a solution that involves a supplier's server in a non-EU country is problematic within the EU. In this paper we shortly review the influence of COVID-19 on radiotherapy. We describe some of the possible solutions for telehealth in target delineation - a crucial part of high-quality radiotherapy, which often requires multidisciplinary effort, hands-on corporation, and high-quality multimodal imaging. Hereafter, our own technical solution will be presented as a case.",
    "topics": [
      "gdpr_compliance",
      "sector_healthcare"
    ],
    "painPointTracks": [
      "Enforcement",
      "Health & Genomic PII"
    ],
    "relevanceScore": 0.55,
    "venue": "Seminars in nuclear medicine",
    "language": "en"
  },
  {
    "id": "pubmed:33802673",
    "title": "Identification of IoT Actors.",
    "authors": [
      "Hadzovic, Suada",
      "Mrdovic, Sasa",
      "Radonjic, Milutin"
    ],
    "date": "2021-03-17",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1109/JIOT.2020.2973662",
    "pdfUrl": "",
    "doi": "10.1109/JIOT.2020.2973662",
    "abstract": "The Internet of Things (IoT) is a leading trend with numerous opportunities accompanied by advantages as well as disadvantages. Parallel with IoT development, significant privacy and personal data protection challenges are also growing. In this regard, the General Data Protection Regulation (GDPR) is often considered the world's strongest set of data protection rules and has proven to be a catalyst for many countries around the world. The concepts and interaction of the data controller, the joint controllers, and the data processor play a key role in the implementation of the GDPR. Therefore, clarifying the blurred IoT actors' relationships to determine corresponding responsibilities is necessary. Given the IoT transformation reflected in shifting computing power from cloud to the edge, in this research we have considered how these computing paradigms are affecting IoT actors. In this regard, we have introduced identification of IoT actors according to a new five-computing layer IoT model based on the cloud, fog, edge, mist, and dew computing. Our conclusion is that identifying IoT actors in the light of the corresponding IoT data manager roles could be useful in determining the responsibilities of IoT actors for their compliance with data protection and privacy rules.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "power_knowledge_asymmetry",
      "linkability_tracking",
      "data_broker_surveillance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Data Brokers",
      "Enforcement",
      "Re-identification",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.55,
    "venue": "Sensors (Basel, Switzerland)",
    "language": "en"
  },
  {
    "id": "pubmed:33755313",
    "title": "The Data Governance Act and the EU's move towards facilitating data sharing.",
    "authors": [
      "Shabani, Mahsa"
    ],
    "date": "2021-03",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1007/978-3-030-04363-6_9",
    "pdfUrl": "",
    "doi": "10.1007/978-3-030-04363-6_9",
    "abstract": "The implementation of the EU General Data Protection Regulation (GDPR) has had significant impacts on biomedical research, often complicating data sharing among researchers. The recently announced proposal for a new EU Data Governance Act is a promising step towards facilitating data sharing, if it can interplay well with the GDPR.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "Molecular systems biology",
    "language": "en"
  },
  {
    "id": "pubmed:33136543",
    "title": "A Visualization Interface to Improve the Transparency of Collected Personal Data on the Internet.",
    "authors": [
      "Schufrin, Marija",
      "Reynolds, Steven Lamarr",
      "Kuijper, Arjan",
      "Kohlhammer, Jorn"
    ],
    "date": "2021-01-28",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1109/TVCG.2020.3028946",
    "pdfUrl": "",
    "doi": "10.1109/TVCG.2020.3028946",
    "abstract": "Online services are used for all kinds of activities, like news, entertainment, publishing content or connecting with others. But information technology enables new threats to privacy by means of global mass surveillance, vast databases and fast distribution networks. Current news are full of misuses and data leakages. In most cases, users are powerless in such situations and develop an attitude of neglect for their online behaviour. On the other hand, the GDPR (General Data Protection Regulation) gives users the right to request a copy of all their personal data stored by a particular service, but the received data is hard to understand or analyze by the common internet user. This paper presents TransparencyVis - a web-based interface to support the visual and interactive exploration of data exports from different online services. With this approach, we aim at increasing the awareness of personal data stored by such online services and the effects of online behaviour. This design study provides an online accessible prototype and a best practice to unify data exports from different sources.",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.55,
    "venue": "IEEE transactions on visualization and computer graphics",
    "language": "en"
  },
  {
    "id": "pubmed:31337762",
    "title": "Estimating the success of re-identifications in incomplete datasets using generative models.",
    "authors": [
      "Rocher, Luc",
      "Hendrickx, Julien M",
      "de Montjoye, Yves-Alexandre"
    ],
    "date": "2019-07-23",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1198/016214507000001328",
    "pdfUrl": "",
    "doi": "10.1198/016214507000001328",
    "abstract": "While rich medical, behavioral, and socio-demographic data are key to modern data-driven research, their collection and use raise legitimate privacy concerns. Anonymizing datasets through de-identification and sampling before sharing them has been the main tool used to address those concerns. We here propose a generative copula-based method that can accurately estimate the likelihood of a specific person to be correctly re-identified, even in a heavily incomplete dataset. On 210 populations, our method obtains AUC scores for predicting individual uniqueness ranging from 0.84 to 0.97, with low false-discovery rate. Using our model, we find that 99.98% of Americans would be correctly re-identified in any dataset using 15 demographic attributes. Our results suggest that even heavily sampled anonymized datasets are unlikely to satisfy the modern standards for anonymization set forth by GDPR and seriously challenge the technical and legal adequacy of the de-identification release-and-forget model.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Nature communications",
    "language": "en"
  },
  {
    "id": "pubmed:30922290",
    "title": "Responsible data sharing in international health research: a systematic review of principles and norms.",
    "authors": [
      "Kalkman, Shona",
      "Mostert, Menno",
      "Gerlinger, Christoph",
      "van Delden, Johannes J M",
      "van Thiel, Ghislaine J M W"
    ],
    "date": "2019-03-28",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1377/hlthaff.2017.1558",
    "pdfUrl": "",
    "doi": "10.1377/hlthaff.2017.1558",
    "abstract": "BACKGROUND: Large-scale linkage of international clinical datasets could lead to unique insights into disease aetiology and facilitate treatment evaluation and drug development. Hereto, multi-stakeholder consortia are currently designing several disease-specific translational research platforms to enable international health data sharing. Despite the recent adoption of the EU General Data Protection Regulation (GDPR), the procedures for how to govern responsible data sharing in such projects are not at all spelled out yet. In search of a first, basic outline of an ethical governance framework, we set out to explore relevant ethical principles and norms. METHODS: We performed a systematic review of literature and ethical guidelines for principles and norms pertaining to data sharing for international health research. RESULTS: We observed an abundance of principles and norms with considerable convergence at the aggregate level of four overarching themes: societal benefits and value; distribution of risks, benefits and burdens; respect for individuals and groups; and public trust and engagement. However, at the level of principles and norms we identified substantial variation in the phrasing and level of detail, the number and content of norms considered necessary to protect a principle, and the contextual approaches in which principles and norms are used. CONCLUSIONS: While providing some helpful leads for further work on a coherent governance framework for data sharing, the current collection of principles and norms prompts important questions about how to streamline terminology regarding de-identification and how to harmonise the identified principles and norms into a coherent governance framework that promotes data sharing while securing public trust.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "BMC medical ethics",
    "language": "en"
  },
  {
    "id": "pubmed:30273938",
    "title": "[Obstacles in Secondary Analysis of Routine Data From Primary Care].",
    "authors": [
      "Hauswaldt, Johannes",
      "Kempter, Valérie",
      "Himmel, Wolfgang",
      "Hummers, Eva"
    ],
    "date": "2018-10-01",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1055/a-0668-5817",
    "pdfUrl": "",
    "doi": "10.1055/a-0668-5817",
    "abstract": "BACKGROUND: Routinely recorded data from everyday ambulatory medical care are urgently needed for health services and systems research, but this faces major limitations in Germany. In 2018, European General Data Protection Regulation (GDPR) and new German Federal Data Protection Act (FDPA) become effective. Via simulated real-life scenarios it may be possible to find out if access to and utilization of routine data for research becomes easier or faces additional obstacles. METHODS: General practitioners, information scientists, data trustees and privacy protection experts create concepts, processes and standards for lawful handling of routinely recorded data for secondary research and study their feasibility in 2 scenarios (anonymous and pseudonymous data utilization). From the point of view of technical assessment and privacy protection, technical and organizational obstacles are presented as well as the legal framework. RESULTS: Outdated software interface, insufficient maintenance by software vendors, burdens associated with organization and cost as well as poor IT standards place obstacles to systematic and longitudinal use of healthcare routine data. Future pan-European law for privacy protection will allow research utilization of ambulatory data in principle. However, there are persisting conflicts between individual (fundamental right of privacy protection) and public interests (research for quality and efficiency of public spending; European market's free exchange of goods and services). This becomes evident especially when using routine data via pseudonymization. DISCUSSION: Neither insurmountable hurdles by privacy protecting law nor a threat from Big Data are currently the major obstacles to secondary utilization of routine data but real-life problems at the technology and operational level. GDPR and FDPA that have become into effect in May 2018 have improved European legal unity and transparency of patients' interests. \nTension between privacy protection ",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Gesundheitswesen (Bundesverband der Arzte des Offentlichen Gesundheitsdienstes (Germany))",
    "language": "en"
  },
  {
    "id": "pubmed:41181569",
    "title": "FAME: A privacy-preserving dual-stage deep learning framework for breast ultrasound imaging using federated transfer and synthetic learning.",
    "authors": [
      "Raheem, Abdul",
      "Yang, Zhen",
      "Alluhaidan, Ala Saleh",
      "Manan, Malik Abdul",
      "Ahmed, Shahzad",
      "Sabah, Fahad",
      "Ahmad, Sadique"
    ],
    "date": "2025-10-30",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1007/978-3-319-67434-6",
    "pdfUrl": "",
    "doi": "10.1007/978-3-319-67434-6",
    "abstract": "BACKGROUND: Automated breast ultrasound analysis is hindered by limited annotated data, institutional heterogeneity, and strict privacy regulations. This study proposes FAME (Federated Attention-guided Multi-task Ensemble Network), a privacy-preserving and data-efficient framework for joint segmentation and classification of breast ultrasound images in decentralized clinical environments. METHODS: Federated Attention-guided Multi-task Ensemble Network integrates Federated Transfer Learning with class-specific synthetic data generation via Auxiliary Classifier Generative Adversarial Networks to enhance training under data scarcity. Segmentation is performed using a Multi Attention U-Net (MAU-Net), while classification employs a dual-stage ensemble of ResNet50V2, NASNetLarge, and MAU-Net, followed by a meta-classifier. Privacy is preserved through Differential Privacy with Gaussian noise injection and Secure Aggregation for interclient model update protection. The model was trained and validated on the Breast Ultrasound Image (BUSI) dataset (780 images: 80% training, 10% validation, 10% testing) and further evaluated on independent test sets from the Breast Ultrasound Classification (BUSC) (407 images) and UDIAT (163 images) datasets. Statistical significance was assessed using paired  t -tests against baseline models, and 95% confidence intervals were reported for all metrics. RESULTS: On the BUSI test set, FAME achieved 98.70 ± 0.27% accuracy, 96.82 ± 0.53% F1-score, and 0.978 area under the curve (AUC). On UDIAT, it reached 98.14 ± 0.31% accuracy, 94.04 ± 0.75% F1-score, and 0.960 AUC, while on BUSC, it achieved 96.92 ± 0.27% accuracy, 90.32 ± 0.80% F1-score, and 0.950 AUC. For segmentation, Dice Scores were 89.72 ± 0.53% (BUSI), 93.09 ± 0.49% (BUSC), and 87.98 ± 0.57% (UDIAT), consistently surpassing state-of-the-art baselines. \nSynthetic augmentation improved performance on underrepresented malignant cases and enhanced generalization under non-IID client data dist",
    "topics": [
      "data_anonymization",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "Digital health",
    "language": "en"
  },
  {
    "id": "pubmed:38905988",
    "title": "Responsible AI for cardiovascular disease detection: Towards a privacy-preserving and interpretable model.",
    "authors": [
      "Ferdowsi, Mahbuba",
      "Hasan, Md Mahmudul",
      "Habib, Wafa"
    ],
    "date": "2024-06-17",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1016/j.cmpb.2024.108289",
    "pdfUrl": "",
    "doi": "10.1016/j.cmpb.2024.108289",
    "abstract": "BACKGROUND AND OBJECTIVE: Cardiovascular disease (CD) is a major global health concern, affecting millions with symptoms like fatigue and chest discomfort. Timely identification is crucial due to its significant contribution to global mortality. In healthcare, artificial intelligence (AI) holds promise for advancing disease risk assessment and treatment outcome prediction. However, machine learning (ML) evolution raises concerns about data privacy and biases, especially in sensitive healthcare applications. The objective is to develop and implement a responsible AI model for CD prediction that prioritize patient privacy, security, ensuring transparency, explainability, fairness, and ethical adherence in healthcare applications. METHODS: To predict CD while prioritizing patient privacy, our study employed data anonymization involved adding Laplace noise to sensitive features like age and gender. The anonymized dataset underwent analysis using a differential privacy (DP) framework to preserve data privacy. DP ensured confidentiality while extracting insights. Compared with Logistic Regression (LR), Gaussian Naïve Bayes (GNB), and Random Forest (RF), the methodology integrated feature selection, statistical analysis, and SHapley Additive exPlanations (SHAP) and Local Interpretable Model-agnostic Explanations (LIME) for interpretability. This approach facilitates transparent and interpretable AI decision-making, aligning with responsible AI development principles. Overall, it combines privacy preservation, interpretability, and ethical considerations for accurate CD predictions. RESULTS: Our investigations from the DP framework with LR were promising, with an area under curve (AUC) of 0.848 ± 0.03, an accuracy of 0.797 ± 0.02, precision at 0.789 ± 0.02, recall at 0.797 ± 0.02, and an F1 score of 0.787 ± 0.02, with a comparable performance with the non-privacy framework. \nThe SHAP and LIME based results support clinical findings, show a commitment to transparent and inter",
    "topics": [
      "data_anonymization",
      "ai_governance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Computer methods and programs in biomedicine",
    "language": "en"
  },
  {
    "id": "pubmed:37836907",
    "title": "Secure and Privacy-Preserving Intrusion Detection and Prevention in the Internet of Unmanned Aerial Vehicles.",
    "authors": [
      "Ntizikira, Ernest",
      "Lei, Wang",
      "Alblehai, Fahad",
      "Saleem, Kiran",
      "Lodhi, Muhammad Ali"
    ],
    "date": "2023-09-25",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1007/978-3-030-25109-3_9",
    "pdfUrl": "",
    "doi": "10.1007/978-3-030-25109-3_9",
    "abstract": "In smart cities, unmanned aerial vehicles (UAVS) play a vital role in surveillance, monitoring, and data collection. However, the widespread integration of UAVs brings forth a pressing concern: security and privacy vulnerabilities. This study introduces the SP-IoUAV (Secure and Privacy Preserving Intrusion Detection and Prevention for UAVS) model, tailored specifically for the Internet of UAVs ecosystem. The challenge lies in safeguarding UAV operations and ensuring data confidentiality. Our model employs cutting-edge techniques, including federated learning, differential privacy, and secure multi-party computation. These fortify data confidentiality and enhance intrusion detection accuracy. Central to our approach is the integration of deep neural networks (DNNs) like the convolutional neural network-long short-term memory (CNN-LSTM) network, enabling real-time anomaly detection and precise threat identification. This empowers UAVs to make immediate decisions in dynamic environments. To proactively counteract security breaches, we have implemented a real-time decision mechanism triggering alerts and initiating automatic blacklisting. Furthermore, multi-factor authentication (MFA) strengthens access security for the intrusion detection system (IDS) database. The SP-IoUAV model not only establishes a comprehensive machine framework for safeguarding UAV operations but also advocates for secure and privacy-preserving machine learning in UAVS. Our model's effectiveness is validated using the CIC-IDS2017 dataset, and the comparative analysis showcases its superiority over previous approaches like FCL-SBL, RF-RSCV, and RBFNNs, boasting exceptional levels of accuracy (99.98%), precision (99.93%), recall (99.92%), and  F -Score (99.92%).",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "Sensors (Basel, Switzerland)",
    "language": "en"
  },
  {
    "id": "pubmed:35259124",
    "title": "Privacy-Preserving Federated Learning for Internet of Medical Things Under Edge Computing.",
    "authors": [
      "Wang, Ruijin",
      "Lai, Jinshan",
      "Zhang, Zhiyang",
      "Li, Xiong",
      "Vijayakumar, Pandi",
      "Karuppiah, Marimuthu"
    ],
    "date": "2023-02-03",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1109/JBHI.2022.3157725",
    "pdfUrl": "",
    "doi": "10.1109/JBHI.2022.3157725",
    "abstract": "Edge intelligent computing is widely used in the fields, such as the Internet of Medical Things (IoMT), which has advantages, including high data processing efficiency, strong real-time performance and low network delay. However, there are many problems including privacy disclosure, limited calculation force, as well as scheduling and coordination issues. Federated learning can greatly improves training efficiency. However, due to the sensitive nature of the healthcare data, the aforementioned approach of transferring the patient's data to the servers may create serious security and privacy issues. Therefore, this article proposes a Privacy Protection Scheme for Federated Learning under Edge Computing (PPFLEC). First of all, we propose a lightweight privacy protection protocol based on a shared secret and weight mask, which is based on a random mask scheme of secret sharing. It is more accurate and efficient than,homomorphic encryption. It can not only protect gradient privacy without losing model accuracy, but also resist equipment dropping and collusion attacks between devices. Second, we design an algorithm based on a digital signature and hash function, which achieves the integrity and consistency of the message, as well as resisting replay attacks. Finally, we propose a periodic average training strategy, compared with differential privacy to prove that our scheme is 40 % faster in efficiency than in deferential privacy. Meanwhile, compared with federated learning, we can achieve the same efficiency under the condition of ensuring safety. Therefore, our scheme can work well in unstable edge computing environments such as smart healthcare.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "IEEE journal of biomedical and health informatics",
    "language": "en"
  },
  {
    "id": "doaj:6da6c5cef1214ec5b3c6b0b7c5c7395d",
    "title": "De-Identification of Electronic Health Records Using Deep Learning and Transformers",
    "authors": [
      "Fatih Dilmaç",
      "Adil Alpkocak"
    ],
    "date": "2026",
    "platform": "doaj",
    "sourceUrl": "https://www.mdpi.com/2076-3417/16/4/1692",
    "pdfUrl": "",
    "doi": "10.3390/app16041692",
    "abstract": "Adoption of electronic health records (EHRs) has significantly advanced healthcare by enabling extensive data storage and analysis for clinical decisions and research. However, sensitive personally identifiable information (PII) within EHRs presents major challenges concerning patient privacy, data security, and regulatory compliance. Effective automated de-identification techniques for detecting and removing protected health information (PHI) are thus essential. This study presents one of the first focused studies on Turkish EHR de-identification, comparing traditional sequence-based neural architectures with advanced transformer-based large language models (LLMs) for PHI detection. We introduce and publicly release a manually annotated benchmark dataset of TEHRs, covering diverse PHI types, supporting further research in Turkish clinical text. Two methodologies were evaluated: bidirectional long short-term memory (BiLSTM) models (with and without Conditional Random Fields (CRFs)) and six fine-tuned pre-trained LLMs. Experiments demonstrated the superior performance of transformer-based LLMs, achieving a macro F1 score of 92.20%, significantly outperforming traditional methods. Among sequence-based models, BiLSTM + CRF attained an 83.00% F1 score, exceeding the baseline BiLSTM 78.40%. Results highlight the potential of transformer-based models for privacy-preserving Turkish clinical text and underscore the importance of annotated benchmark datasets.",
    "topics": [
      "sector_healthcare",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Health & Genomic PII"
    ],
    "relevanceScore": 0.55,
    "venue": "Applied Sciences",
    "language": "en"
  },
  {
    "id": "doaj:183940859d8d44289b80a08dcc6ca954",
    "title": "Toward a European tort law of data protection: The case law of the Court of Justice of the European Union and its impact on national tort laws",
    "authors": [
      "Novović Miloš",
      "Bubalo Lana"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://scindeks-clanci.ceon.rs/data/pdf/2217-2815/2025/2217-28152501028N.pdf",
    "pdfUrl": "https://scindeks-clanci.ceon.rs/data/pdf/2217-2815/2025/2217-28152501028N.pdf",
    "doi": "10.5937/pravzap16-58123",
    "abstract": "The paper examines the provisions governing non-material damage resulting from violations of the right to personal data protection under the General Data Protection Regulation (GDPR), as well as their interpretation in the case law of the Court of Justice of the European Union (CJEU). Particular attention is devoted to judgments in which the Court develops autonomous, yet insufficiently precise, legal concepts, thereby creating legal uncertainty and complicating the application of relevant provisions at the national level. Although the CJEU has entrusted national courts with the assessment of damages, the paper emphasizes that in practice it is impossible to fully separate the conditions for awarding damages from the process of determining the amount of compensation.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Pravni Zapisi",
    "language": "en"
  },
  {
    "id": "doaj:1a3b57accb864dd6984687ed0238411e",
    "title": "The Strategic Role of the Commercial Court in Resolving Digital Company Bankruptcy Disputes",
    "authors": [
      "Nanda Dwi Rizkia",
      "Hardi Fardiansyah",
      "Danil Danil",
      "Lilis Suryani",
      "Tora Yuliana",
      "Kevin M Riverra"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://fhukum.unpatti.ac.id/jurnal/ballrev/article/view/3056",
    "pdfUrl": "",
    "doi": "10.47268/ballrev.v6i2.3056",
    "abstract": "Introduction: The digital economy has transformed legal structures, especially in insolvency law, where digital companies often treat personal data as a core asset. However, Law Number 37 of 2004 on Bankruptcy and Suspension of Debt Payment Obligations lacks specific provisions regarding personal data, while Law Number 27 of 2022 on Personal Data Protection does not address how data should be treated in bankruptcy. This regulatory gap risks the exploitation of personal data by creditors or curators, potentially violating constitutional rights.\n\nPurposes of the Research: This study aims to examine the legal consequences of the absence of clear regulations on personal data in bankruptcy cases and propose legal solutions to protect data subjects’ rights within digital insolvency proceedings.\n\nMethods of the Research: The research employs a normative juridical approach, combining statutory and conceptual analyses. It examines relevant Indonesian laws and draws comparisons with the European Union’s General Data Protection Regulation (GDPR) to understand international best practices. Legal materials are analyzed qualitatively.\nResults Main Findings of the Research: The study proposes recognizing personal data as a sui generis legal object in bankruptcy proceedings, requiring distinct legal treatment and safeguards. It highlights the role of the Commercial Court in protecting data subjects’ rights and suggests amending the UUK-PKPU, issuing Supreme Court guidelines, and promoting interagency coordination. This research contributes a normative model to integrate personal data protection within Indonesia’s digital insolvency framework, ensuring constitutional rights remain upheld in the digital era.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Batulis Civil Law Review",
    "language": "en"
  },
  {
    "id": "doaj:1ce30d77e734406f8b749bab062c0b7a",
    "title": "Differentially private de-identifying textual medical document is compliant with challenging NLP analyses: Example of privacy-preserving ICD-10 code association",
    "authors": [
      "Yakini Tchouka",
      "Jean-François Couchot",
      "David Laiymani",
      "Philippe Selles",
      "Azzedine Rahmani"
    ],
    "date": "2024",
    "platform": "doaj",
    "sourceUrl": "http://www.sciencedirect.com/science/article/pii/S2667305324000905",
    "pdfUrl": "",
    "doi": "10.1016/j.iswa.2024.200416",
    "abstract": "Medical research plays a crucial role within scientific research. Technological advancements, especially those related to the rise of machine learning, pave the way for the exploration of medical issues that were once beyond reach. Unstructured textual data, such as correspondence between doctors, operative reports, etc., often serve as a starting point for many medical applications. However, for obvious privacy reasons, researchers do not legally have the right to access these documents as long as they contain sensitive data, as defined by regulations like GDPR (General Data Protection Regulation) or HIPAA (Health Insurance Portability and Accountability Act). De-identification, meaning the detection, removal or substitution of all sensitive information, is therefore a necessary step to facilitate the sharing of these data between the medical field and research. Over the past decade, various approaches have been proposed to de-identify medical textual data. However, while entity detection is a well-known task in the natural language processing field, it presents some specific challenges in the medical context. Moreover, existing substitution methods proposed in the literature often pay little attention to the medical relevance of de-identified data or are not very resilient to attacks. This paper addresses these challenges. Firstly, an efficient system for detecting sensitive entities in French medical data and then accurately substitute them was implemented. Secondly, robust strategies for generating substitutes that incorporate the medical utility of the data were provided, thereby minimizing the difference in utility between the original and de-identified data, and that mathematically ensure privacy protection. Thirdly, the utility of the de-identification system in a context of ICD-10 code association was evaluated. Finally, various systems developed to tackle ICD-10 code association were presented while providing a state-of-the-art model in French.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Intelligent Systems with Applications",
    "language": "en"
  },
  {
    "id": "doaj:1e1acdd1266e4f41bd5481664d4b00ce",
    "title": "Synthetic data protection: Towards a paradigm change in data regulation?",
    "authors": [
      "Ana Beduschi"
    ],
    "date": "2024",
    "platform": "doaj",
    "sourceUrl": "https://doi.org/10.1177/20539517241231277",
    "pdfUrl": "",
    "doi": "10.1177/20539517241231277",
    "abstract": "Synthetic data generated through machine learning algorithms from original real-world data is gaining prominence across sectors due to their potential to provide privacy-preserving alternatives to traditional data sources. However, recent studies have raised concerns about the re-identification risks of synthetic data. This article examines the legal challenges surrounding synthetic data protection, with a focus on the European Union's General Data Protection Regulation (GDPR). After briefly explaining the methods of synthetic data generation and discussing their potential for privacy preservation, the article analyses the shortcomings of the personal/non-personal dualist approach under the GDPR. It then assesses the possibility of a paradigm change in data protection legislation, moving beyond this binary categorisation. The article argues in favour of establishing clear guidelines for the generation and processing of synthetic data, prioritising the principles of transparency, accountability and fairness.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Big Data & Society",
    "language": "en"
  },
  {
    "id": "doaj:79102205260248cb8efb7a702e7ae4a7",
    "title": "Toward owner governance in genomic data privacy with Governome",
    "authors": [
      "Jingcheng Zhang",
      "Yekai Zhou",
      "Yingxuan Ren",
      "Man Ho Au",
      "Ka-Ho Chow",
      "Lei Chen",
      "Yanmin Zhao",
      "Junhao Su",
      "Ruibang Luo"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "http://www.sciencedirect.com/science/article/pii/S2667237525002073",
    "pdfUrl": "",
    "doi": "10.1016/j.crmeth.2025.101171",
    "abstract": "Summary: Advancements in sequencing technologies grant individuals unprecedented access to their genomic data. However, existing data management systems or protocols are inadequate in privacy protection, limiting individuals’ control over their genomic information, hindering data sharing, and posing challenges for biomedical research. Therefore, demand exists for an owner-governed system fulfilling owner authority, life cycle data encryption, and verifiability simultaneously. Here, we realized Governome, an owner-governed data management system empowering individuals with real-time control over their genomic data. Governome leverages a blockchain to manage transactions and permissions, granting data owners dynamic permission management with full transparency on data usage. It uses homomorphic encryption and zero-knowledge proofs to enable genomic data storage and computation in an encrypted and verifiable form throughout its life cycle. Governome can support versatile genomic applications. We implemented and tested individual variant query, cohort study, genome-wide association study (GWAS) analysis, and forensics on 2,504 1000 Genomes Project (1kGP) genomes, demonstrating its robustness and scalability. Governome is open-source at https://github.com/HKU-BAL/Governome. Motivation: In recent years, the proliferation of advanced sequencing technologies has made personal genomic data more accessible than ever before. This accessibility, while beneficial, raises significant concerns regarding data privacy, security, and ownership. Traditional data management systems often fall short of protecting individuals’ genomic information, leading to potential misuse and privacy breaches. Out of such concerns, our research introduces Governome, a system that empowers individuals with comprehensive control over their genomic data. 
Governome ensures that data remain secure, private, and verifiable by leveraging blockchain technology, homomorphic encryption, and zero-knowledge proof. This system protects data integrity and allows for dynamic permission management, providing owners with full transparency over data usage.",
    "topics": [
      "privacy_engineering",
      "sector_healthcare"
    ],
    "painPointTracks": [
      "Health & Genomic PII",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "Cell Reports: Methods",
    "language": "en"
  },
  {
    "id": "doaj:a73034265551465fa025b9d28b46ecf7",
    "title": "A Survey of Differential Privacy Techniques for Federated Learning",
    "authors": [
      "Wang Xin",
      "Li Jiaqian",
      "Ding Xueshuang",
      "Zhang Haoji",
      "Sun Lianshan"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://ieeexplore.ieee.org/document/10818489/",
    "pdfUrl": "",
    "doi": "10.1109/access.2024.3523909",
    "abstract": "The problem of data privacy protection in the information age deserves people’s attention. As a distributed machine learning technology, federated learning can effectively solve the problem of privacy security and data silos. Differential privacy(DP) technology is applied in federated learning(FL). By adding noise to raw data and model parameters, it can further enhance the degree of data privacy protection. Over the years, differential privacy technology based on federated learning framework has been developed, which is divided into central differential privacy federated learning(CDPFL) and local differential privacy federated learning(LDPFL). Although differential privacy may reduce the accuracy and convergence of federated learning models while protecting data privacy, researchers have proposed a variety of optimization methods to balance privacy protection and model performance. This paper comprehensively expounds the research status of differential privacy techniques based on the federated learning framework, first providing detailed introductions to federated learning and differential privacy technologies, and then summarizing the development status of two types of federated learning differential privacy(DPFL) techniques respectively; for CDPFL, the paper divides the discussion into first proposal of CDP and typical application examples, the impact of Gaussian mechanisms on model accuracy, optimization based on asynchronous differential privacy, and insights from other scholars; for LDPFL, the paper divides the discussion into first proposal of LDP and typical application examples, processing multidimensional data and improving model accuracy, existing methods and optimization for reducing communication costs, balancing privacy protection and data usability, LDPFL based on the Shuffle model, and insights from other scholars; following this, the paper addresses and summarizes the unique challenges introduced by incorporating differential privacy into federated learning and proposes solutions; finally, based on a summary of existing optimization techniques, the paper outlines future directions and specifically discusses three research ideas for enhancing the optimization effects of federated differential privacy: advanced optimization strategies combining Bayesian methods and the Alternating Direction Method of Multipliers (ADMM), integrating lattice homomorphic encryption techniques from cryptography to achieve more efficient differential privacy protection in federated learning, and exploring the application of zero-knowledge proof techniques in federated learning for privacy protection.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "IEEE Access",
    "language": "en"
  },
  {
    "id": "doaj:26bb01b8d16e42a1961fe8cfd0714a56",
    "title": "ABOUT DATA PROTECTION STANDARDS AND INTELLECTUAL PROPERTY REGULATION IN THE DIGITAL ECONOMY: KEY ISSUES FOR UKRAINE",
    "authors": [
      "Tetiana Voloshanivska",
      "Liudmyla Yankova",
      "Oleksandr Tarasenko"
    ],
    "date": "2022",
    "platform": "doaj",
    "sourceUrl": "http://baltijapublishing.lv/index.php/issue/article/view/1919",
    "pdfUrl": "",
    "doi": "10.30525/2256-0742/2022-8-4-40-49",
    "abstract": "Changes that are constantly taking place in the digital economy cause increasing instability of legislation in the field of data protection and security. For example, in Ukraine, under martial law, there is an urgent need to adapt the legal regulation to European data protection standards (in terms of personal data processing). First of all, the correlation between EU law, national law of the EU Member States and national legislation of the EU candidate countries results in the principle of direct effect of EU law. In addition, EU data protection law has become an essential source for EU Member States in regulating artificial intelligence (AI), e-commerce and the Internet of Things (IoT). The article considers the specific topic of the conditions of approximation of international norms and legislation of Ukraine to EU law, trying to answer the questions of personal data protection in the conditions of martial law that have arisen. This work is based on a comparative analysis of the General Data Protection Regulation 2016/679 and internal data protection rules in Ukraine. At present, the research purpose of the article is to reveal the fact that data protection is a specific category of procedural law based on the principles of intellectual property law regarding data access rights and data ownership rights in the digital economy.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Baltic Journal of Economic Studies",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4293152454",
    "title": "Argumentation approaches for explainable AI in medical informatics",
    "authors": [
      "Luciano Caroprese",
      "Eugenio Vocaturo",
      "Ester Zumpano"
    ],
    "date": "2022",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1016/j.iswa.2022.200109",
    "pdfUrl": "https://doi.org/10.1016/j.iswa.2022.200109",
    "doi": "https://doi.org/10.1016/j.iswa.2022.200109",
    "abstract": "Artificial Intelligence algorithms are powerful in performing accurate predictions, but they are often considered black boxes as they do not provide any explanation about how outputs are derived from inputs or why a decision is taken. Therefore, urgent is the need of a completely transparent and eXplainable Artificial Intelligence (XAI) as also recognized by the explicit inclusion of the right to explanation in the General Data Protection Regulation (GDPR). There has been much study on diagnosis, decision support, and interpretability, and there is significant interest in the development of Explainable AI in the realm of medicine. Interpretability in the medical field is not just an intellectual curiosity, but a key factor. Medical choices impact the life of patients, and include risk and responsibility for the clinicians. This proposal investigates the benefit of using logic approaches for eXplainable AI by evidencing how their natural characteristics of explainability and expressiveness help in the design of ethical, explainable and justified intelligent systems. More specifically, the paper focuses on a detailed topic related to the use of argumentation theory in Medical Informatics by overviewing existing approaches in the literature. The overview categorizes approaches on the basis of the specific purpose the argumentation is used for, into the following categories: Argumentation for Medical Decision Making, Argumentation for Medical Explanations and Argumentation for Medical Dialogues.",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.55,
    "venue": "Intelligent Systems with Applications",
    "language": "en"
  },
  {
    "id": "doaj:479d87f4f4c24ec695cd9652980e6fa1",
    "title": "The EU AI Act’s Impacts on Digital Health",
    "authors": [
      "Djeffal Christian",
      "Mehl Philipp",
      "Müller Verena"
    ],
    "date": "2024",
    "platform": "doaj",
    "sourceUrl": "https://doi.org/10.1515/cdbme-2024-2046",
    "pdfUrl": "",
    "doi": "10.1515/cdbme-2024-2046",
    "abstract": "The European Artificial Intelligence Act (AI Act) has profound implications for technological innovation in the medical and health care sector, transcending the boundaries of existing legal frameworks such as the Medical Device Regulation (MDR) and the General Data Protection Regulation (GDPR). This paper examines basic regulatory choices of the AI Act relevant for the field of digital health innovations by contextualizing its main goals, key obligations, and addressed actors. In light of these considerations, we present a scoping literature review that identifies potential regulatory challenges for stakeholders engaged in research, innovation and healthcare. Building on this, we point to concepts and methodologies to overcome such challenges in a way fostering innovation while realizing key constitutional and societal interests at the same time.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "Current Directions in Biomedical Engineering",
    "language": "en"
  },
  {
    "id": "doaj:651141b6ba364d11b4196dc58d343ba3",
    "title": "When Is a Decision Automated? A Taxonomy for a Fundamental Rights Analysis",
    "authors": [
      "Francesca Palmiotto"
    ],
    "date": "2024",
    "platform": "doaj",
    "sourceUrl": "https://www.cambridge.org/core/product/identifier/S2071832223001128/type/journal_article",
    "pdfUrl": "",
    "doi": "10.1017/glj.2023.112",
    "abstract": "This Article addresses the pressing issues surrounding the use of automated systems in public decision-making, specifically focusing on migration, asylum, and mobility. Drawing on empirical data, this Article examines the potential and limitations of the General Data Protection Regulation and the Artificial Intelligence Act in effectively addressing the challenges posed by automated decision-making (ADM). The Article argues that the current legal definitions and categorizations of ADM fail to capture the complexity and diversity of real-life applications where automated systems assist human decision-makers rather than replace them entirely. To bridge the gap between ADM in law and practice, this Article proposes to move beyond the concept of “automated decisions” and complement the legal protection in the GDPR and AI Act with a taxonomy that can inform a fundamental rights analysis. This taxonomy enhances our understanding of ADM and allows to identify the fundamental rights at stake and the sector-specific legislation applicable to ADM. The Article calls for empirical observations and input from experts in other areas of public law to enrich and refine the proposed taxonomy, thus ensuring clearer conceptual frameworks to safeguard individuals in our increasingly algorithmic society.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "German Law Journal",
    "language": "en"
  },
  {
    "id": "doaj:67f6aa12cf224486951ff2484a9e7864",
    "title": "The challenge of wearable neurodevices for workplace monitoring: an EU legal perspective",
    "authors": [
      "Ekaterina Muhl"
    ],
    "date": "2024",
    "platform": "doaj",
    "sourceUrl": "https://www.frontiersin.org/articles/10.3389/fhumd.2024.1473893/full",
    "pdfUrl": "",
    "doi": "10.3389/fhumd.2024.1473893",
    "abstract": "This paper explores the emerging practice of workplace surveillance by using neurotechnologies, particularly wearable neurodevices, to monitor employees’ cognitive abilities, concentration levels, and emotional responses. It aims to assess the legality of such practices within the framework of EU law, focusing on the General Data Protection Regulation (GDPR) and the EU Artificial Intelligence Act (AI Act) by providing a detailed analysis of recent EU legislation in the context of the implementation of neurosurveillance at the workplace. Furthermore, the paper discusses whether current regulations adequately address the use of neurotechnologies in the workplace or are overly restrictive. It raises the question of ensuring sufficient flexibility in the regulations to allow for legitimate implementations of neurotechnologies in the labour field for workers’ safety while protecting workers’ rights. Overall, the paper offers insights into the intersection of neurotechnology advancements and labour relations and stimulates critical discussion about the fair balance between innovation and workers’ rights.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "Frontiers in Human Dynamics",
    "language": "en"
  },
  {
    "id": "doaj:6bcce27d62e74c86bd3f209c1cb6b201",
    "title": "THE RIGHT TO EXPLANATION IN THE PROCESSING OF PERSONAL DATA WITH THE USE OF AI SYSTEMS",
    "authors": [
      "Eleftheria Papadimitriou"
    ],
    "date": "2023",
    "platform": "doaj",
    "sourceUrl": "https://ijlcw.emnuvens.com.br/revista/article/view/53",
    "pdfUrl": "",
    "doi": "10.54934/ijlcw.v2i2.53",
    "abstract": "Transparency is one of the basic principles enshrined in the General Data Protection Regulation (GDPR). Achieving transparency in automated decision-making processing especially when artificial intelligence (AI) is involved is a challenging task on many aspects. The opaqueness of AI systems that is usually referred to as the “black-box” phenomenon is the main problem in having explainable and accountable AI. Computer scientists are working on explainable AI (XAI) techniques in order to make AI more trustworthy. On the same vein, thus from a different perspective, the European legislator provides in the GDPR with a right to information when automated decision-making processing takes place. The data subject has the right to be informed on the logic involved and to challenge the automated decision-making. GDPR introduces, therefore, a sui generis right to explanation in automated decision-making process. Under this light, the paper analyzes the legal basis of this right and the technical barriers involved.",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.55,
    "venue": "International Journal of Law in Changing World",
    "language": "en"
  },
  {
    "id": "doaj:765e999803f347e3be89fae9c0a1256e",
    "title": "Black box algorithms and the rights of individuals: no easy solution to the “explainability” problem",
    "authors": [
      "Jarek Gryz",
      "Marcin Rojszczak"
    ],
    "date": "2021",
    "platform": "doaj",
    "sourceUrl": "https://policyreview.info/node/1564",
    "pdfUrl": "",
    "doi": "10.14763/2021.2.1564",
    "abstract": "Over the last few years, the interpretability of classification models has been a very active area of research. Recently, the concept of interpretability was given a more specific legal context. In 2016, the EU adopted the General Data Protection Regulation (GDPR), containing the right to explanation for people subjected to automated decision-making (ADM). The regulation itself is very reticent about what such a right might imply. As a result, since the introduction of the GDPR there has been an ongoing discussion about not only the need to introduce such a right, but also about its scope and practical consequences in the digital world. While there is no doubt that the right to explanation may be very difficult to implement due to technical challenges, any difficulty in explaining how algorithms work cannot be considered a sufficient reason to completely abandon this legal safeguard.\r\nThe aim of this article is twofold. First, to demonstrate that the interpretability of “black box” machine learning algorithms is a challenging technical problem for which no solutions have been found. Second, to demonstrate how the explanation task should instead be completed using well-known and well-trialled IT solutions, such as event logging or statistical analysis of the algorithm. Based on the evidence exposed in this paper, the authors find that the most effective solution would be to benchmark the automated decision-making algorithms using certification frameworks, thus balancing the need to ensure adequate protection of individuals’ rights with the understandable expectations of AI technology providers to have their intellectual property rights protected.",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.55,
    "venue": "Internet Policy Review",
    "language": "en"
  },
  {
    "id": "doaj:80fc1fdef59440f4892f4789628b2893",
    "title": "Reflections on the data protection compliance of AI systems under the EU AI Act",
    "authors": [
      "Balázs Hohmann",
      "Gergő Kollár"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://www.tandfonline.com/doi/10.1080/23311886.2025.2560654",
    "pdfUrl": "",
    "doi": "10.1080/23311886.2025.2560654",
    "abstract": "The European Union’s Artificial Intelligence Act (AI Act) establishes a novel regulatory framework for AI systems, with far-reaching implications for data protection compliance. This study critically analyses the regulatory environment created by the Act and its interaction with the General Data Protection Regulation (GDPR), addressing whether it provides clearer compliance pathways or introduces additional burdens for developers. Using comparative legal analysis, the research finds that the AI Act supplements the GDPR through a risk-based approach that subjects high-risk AI systems to specific obligations. Key concerns include algorithmic opacity, bias, and legal uncertainty in profiling and automated decision-making. The analysis shows that the AI Act attempts to mitigate these risks by strengthening requirements on risk assessment, human oversight, and data governance. While the Act broadly aligns with GDPR principles such as transparency, fairness, and accountability, it also introduces new procedural and documentation duties that may increase compliance complexity. Overall, the study concludes that the AI Act constitutes a complementary yet stricter regulatory layer for AI-driven data processing, balancing innovation with fundamental rights protection and requiring joint interpretation with the GDPR to ensure coherent application.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "Cogent Social Sciences",
    "language": "en"
  },
  {
    "id": "doaj:56054bd0621a4bfbb09cda33390d602e",
    "title": "DATA BREACHES EXIT STRATEGY: A COMPARATIVE ANALYSIS OF DATA PRIVACY LAWS",
    "authors": [
      "Nur Adlin Hanisah Shahul Ikram"
    ],
    "date": "2024",
    "platform": "doaj",
    "sourceUrl": "https://mjsl.usim.edu.my/index.php/jurnalmjsl/article/view/458",
    "pdfUrl": "",
    "doi": "10.33102/mjsl.vol12no1.458",
    "abstract": "Data has become highly valuable in the era of digitalisation and is the main target of cybercriminals. Cybercriminals steal data by exploiting system vulnerabilities. The rise of catastrophic data breach incidents affects business operations, reputation and legal standing, leading to business disruptions, financial loss and reputation damage. These incidents have raised data security concerns. The frequent incident is partly due to insufficient security measures in place. This article employs doctrinal research focusing on legal principles based on legislation to analyse Malaysia’s legal framework for protecting personal data in Malaysia and a comparison with other jurisdictions, i.e. the European Union General Data Protection Regulation (GDPR), the Singapore Personal Data Protection Act 2012 and the China Personal Information Protection Law (PIPL). The findings show that Malaysia’s data protection laws fall short of the international norm in some areas. This article suggests that Malaysian policymakers may amend the Personal Data Protection Act 2010 to align with international data protection standards to strengthen data security measures in preventive, detective and responsive data breaches. Consequently, this article provides an analysis of data protection laws in Malaysia and compares them with other advanced jurisdictions. It offers valuable insights into the challenges and opportunities involved in safeguarding personal data, the legal framework, and organisational strategies related to data privacy and security.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Malaysian Journal of Syariah and Law",
    "language": "en"
  },
  {
    "id": "doaj:20c57fa7820f46d69fbcb582d40bfcbe",
    "title": "Scalable Secure Privacy-Preserving Record Linkage (PPRL) Methods Using Cloud-based Infrastructure",
    "authors": [
      "Toan Ong",
      "Ibrahim Lazrig",
      "Indrajit Ray",
      "Indrakshi Ray",
      "Michael Kahn"
    ],
    "date": "2018",
    "platform": "doaj",
    "sourceUrl": "https://ijpds.org/article/view/638",
    "pdfUrl": "",
    "doi": "10.23889/ijpds.v3i4.638",
    "abstract": "Introduction\nBloom Filters (BFs) are a scalable solution for probabilistic privacy-preserving record linkage but BFs can be compromised. Yao’s garbled circuits (GCs) can perform secure multi-party computation to compute the similarity of two BFs without a trusted third party. The major drawback of using BFs and GCs together is poor efficiency.\n\r\n\nObjectives and Approach\nWe evaluated the feasibility of BFs+GCs using high capacity compute engines and implementing a novel parallel processing framework in Google Cloud Compute Engines (GCCE). In the Yao’s two-party secure computation protocol, one party serves as the generator and the other party serves as the evaluator. To link data in parallel, records from both parties are divided into chunks. Linkage between every two chunks in the same block is processed by a thread. The number of threads for linkage depends on available computing resources. We tested the parallelized process in various scenarios with variations in hardware and software configurations.\n\r\n\nResults\nTwo synthetic datasets with 10K records were linked using BFs+GCs on 12 different software and hardware configurations which varied by: number of CPU cores (4 to 32), memory size (15GB – 28.8GB), number of threads (6-41), and chunk size (50-200 records). The minimum configuration (4 cores; 15GB memory) took 8,062.4s to complete whereas the maximum configuration (32 cores; 28.8GB memory) took 1,454.1s. Increasing the number of threads or changing the chunk size without providing more CPU cores and memory did not improve the efficiency. Efficiency is improved on average by 39.81% when the number of cores and memory on the both sides are doubled. The CPU utilization is maximized (near 100% on both sides) when the computing power of the generator is double the evaluator.\n\r\n\nConclusion/Implications\nThe PPRL runtime of BFs+GCs was greatly improved using parallel processing in a cloud-based infrastructure. 
A cluster of GCCEs could be leveraged to reduce the runtime of data linkage operations even further. Scalable cloud-based infrastructures can overcome the trade-off between security and efficiency, allowing computationally complex methods to be implemented.",
    "topics": [
      "data_anonymization",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "International Journal of Population Data Science",
    "language": "en"
  },
  {
    "id": "doaj:130f2ae197604eafb258742cfc8b936a",
    "title": "An Improved Federated Learning-Assisted Data Aggregation Scheme for Smart Grids",
    "authors": [
      "Bo Pang",
      "Hui-Hui Liang",
      "Ling-Hao Zhang",
      "Yu-Fei Teng",
      "Zheng-Wei Chang",
      "Ze-Wei Liu",
      "Chun-Qiang Hu",
      "Wen-Hao Mou"
    ],
    "date": "2023",
    "platform": "doaj",
    "sourceUrl": "https://www.mdpi.com/2076-3417/13/17/9813",
    "pdfUrl": "",
    "doi": "10.3390/app13179813",
    "abstract": "In the context of rapid advancements in artificial intelligence (AI) technology, new technologies, such as federated learning and edge computing, have been widely applied in the power Internet of Things (PIoT). When compared to the traditional centralized training approach, conventional federated learning (FL) significantly enhances privacy protection. Nonetheless, the approach poses privacy concerns, such as inferring other users’ training data through the global model or user-transferred parameters. In light of these challenges, this research paper introduces a novel privacy-preserving data aggregation scheme for the smart grid, bolstered by an improved FL technique. The secure multi-party computation (SMC) and differential privacy (DP) are skillfully combined with FL to combat inference attacks during both the learning process and output inference stages, thus furnishing robust privacy assurances. Through this approach, a trusted third party can securely acquire model parameters from power data holders and securely update the global model in an aggregated way. Moreover, the proposed secure aggregation scheme, as demonstrated through security analysis, achieves secure and reliable data aggregation in the electric PIoT environment. Finally, the experimental analysis shows that the proposed scheme effectively performs federated learning tasks, achieving good model accuracy and shorter execution times.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "Applied Sciences",
    "language": "en"
  },
  {
    "id": "doaj:562c1e1c946f41f09d3c87ceb880280a",
    "title": "Comprehensive Study of Personal Data Protection in Iran's Legal System and European General Data Protection Regulations",
    "authors": [
      "Fatemeh Ghanad",
      "Elham Sharif"
    ],
    "date": "2021",
    "platform": "doaj",
    "sourceUrl": "http://mtlj.usc.ac.ir/article_143866_7d604423ef4801e8fab9ca45e5a26ea6.pdf?lang=en",
    "pdfUrl": "",
    "doi": "10.22133/clj.2021.244608.1020",
    "abstract": "Protecting the privacy of individuals has always been considered a global principle by international institutions and has been stipulated in many international documents. Nowadays, lawmakers have considered personal data more than ever due to the fast pace of the technology and consequently the availability of personal data in cyberspace, their ease of transfer, and the convenience of their processing.\r\nThe EU has been a frontrunner and, as a comprehensive alternative to the EU Data Protection Act, set out the International Document of General Data Protection Regulations (GDPR) in April 2016, which was approved and implemented by the European Parliament on May 25, 2018. This article aims to demonstrate the scope of personal data and its protection in the General Data Protection Regulations as an international document and Iran's legal system. It further recommends some improvements in cyberspace infrastructures and regulations and the necessity of better designating regulatory bodies to protect individual privacy better",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "حقوق فناوریهای نوین",
    "language": "en"
  },
  {
    "id": "hal:5315957",
    "title": "Influence of Privacy Knowledge on Privacy Attitudes in the Domain of Location-Based Services",
    "authors": [
      "Vera Schmitt"
    ],
    "date": "2022-08-30",
    "platform": "hal",
    "sourceUrl": "https://inria.hal.science/hal-05315957v1",
    "pdfUrl": "https://inria.hal.science/hal-05315957/document",
    "doi": "10.1007/978-3-031-31971-6_10",
    "abstract": "In our daily life, we make extensive use of location-based services when searching for a restaurant nearby, searching for an address we want to visit, or searching for the best route to drive. Location information is highly sensitive personal information that users share without the awareness of being continuously tracked by various apps on their smartphones or smart devices. Privacy knowledge and overall privacy literacy facilitate gaining control over sharing personal information and adjusting privacy settings online. This research examines the influence of privacy literacy on privacy attitudes in the domain of location-based services. Hereby, privacy literacy is measured through four dimensions by asking the participants about various aspects of knowledge about institutional practices, technical aspects of data protection, data protection law, privacy policies, and also about possible data protection strategies. The overall privacy literacy score is examined in relation to various privacy attitudes such as tolerance of sharing personal information, perceived intrusion when using location-based services, and their perceived benefits. Overall, 155 participants took part in the questionnaire. A significant difference can be found between the overall privacy literacy score between German participants and those from other countries with German participants having a higher privacy literacy score. Furthermore, privacy literacy positively correlates with trust in the GDPR, and also with privacy concern about the secondary use of location information. Indicating, that the higher the privacy literacy level is, the more concerned participants seem to be.",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:4440365",
    "title": "Addressing challenges of digital transformation with modified blockchain",
    "authors": [
      "Gajendra Liyanaarachchi",
      "Giampaolo Viglia",
      "Fidan Kurtaliqi"
    ],
    "date": "2024-04",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-04440365v1",
    "pdfUrl": "https://hal.science/hal-04440365/document",
    "doi": "10.1016/j.techfore.2024.123254",
    "abstract": "This conceptual paper challenges the notion that the enhanced data security of blockchain results in superior privacy. Blockchain's fundamental characteristics-immutability, decentralization, and transparency-promote an excessive reliance on historical data. This reliance, in turn, leads to inaccurate predictions and misguides consumer privacy preferences. The paper contends that this stern protection conflicts with the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). We argue that the lack of choice in managing data denies freedom, causing psychological reactance. Additionally, the dependence on past data contributes to an intensified privacy paradox as consumers need to assert accurate privacy preferences. These combined effects result in increased consumer digital vulnerability, which arises from an imbalanced power dynamic in data management. We propose a novel approach, which we call \"modified blockchain\". The approach is based on three pillars: i) selective immutability, ii) federal decentralization, and iii) supervised transparency. These pillars aim to effectively integrate regulations, organizations, and endusers within advocating for a socio-technical decision-making approach. This work also broadens the scope of the psychological reactance theory and the privacy paradox literature by affirming that a lack of autonomy in data management leads to digital vulnerability.",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.55,
    "venue": "Technological Forecasting and Social Change",
    "language": "en"
  },
  {
    "id": "hal:4610199",
    "title": "Honest Fraction Differential Privacy",
    "authors": [
      "Imane Taibi",
      "Jan Ramon"
    ],
    "date": "2024-06-24",
    "platform": "hal",
    "sourceUrl": "https://inria.hal.science/hal-04610199v1",
    "pdfUrl": "https://inria.hal.science/hal-04610199/document",
    "doi": "10.1145/3658664.3659655",
    "abstract": "Over the last decades, differential privacy (DP) has become a standard notion of privacy. It allows to measure how much sensitive information an adversary could infer from a result (statistical model, prediction, etc.) he obtains. In privacy-preserving federated machine learning, one aims to learn a statistical model from data owned by multiple data owners without revealing their sensitive data. A common strategy is to use secure multi-party computation (SMPC) to avoid revealing intermediate results. However, DP assumes a very strong adversary who is able to know all information in the dataset except the targeted secret, while most SMPC methods assume a clearly less strong adversary, e.g., it is common to assume that the adversary has bounded computational power and can corrupt only a minority of the data owners (honest majority). As a chain is not stronger than its weakest part, in such combinations the DP provides an overly strong protection at an unnecessarily high cost in terms of utility. We propose honest fraction differential privacy, which is similar to differential privacy but assumes that the adversary can only collude with data owners covering part of the data. This assumption is very similar to the assumptions made by many SMPC strategies. We illustrate this idea by considering the application to the specific task of unregularized linear regression without bias on sufficiently large datasets.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:4125939",
    "title": "Questioning the ability of feature-based explanations to empower non-experts in robo-advised financial decision-making",
    "authors": [
      "Astrid Bertrand",
      "James Eagan",
      "Winston Maxwell"
    ],
    "date": "2023-06-12",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-04125939v1",
    "pdfUrl": "https://hal.science/hal-04125939/document",
    "doi": "10.1145/3593013.3594053",
    "abstract": "Robo-advisors are democratizing access to life-insurance by enabling fully online underwriting. In Europe, financial legislation requires that the reasons for recommending a life insurance plan be explained according to the characteristics of the client, in order to empower the client to make a \"fully informed decision\". In this study conducted in France, we seek to understand whether legal requirements for feature-based explanations actually help users in their decision-making. We conduct a qualitative study to characterize the explainability needs formulated by non-expert users and by regulators expert in customer protection. We then run a large-scale quantitative study using Robex, a simplified robo-advisor built using ecological interface design that delivers recommendations with explanations in different hybrid textual and visual formats: either \"dialogic\"-more textual-or \"graphical\"-more visual. We find that providing feature-based explanations does not improve appropriate reliance or understanding compared to not providing any explanation. In addition, dialogic explanations increase users' trust in the recommendations of the robo-advisor, sometimes to the users' detriment. This real-world scenario illustrates how XAI can address information asymmetry in complex areas such as finance. This work has implications for other critical, AI-based recommender systems, where the General Data Protection Regulation (GDPR) may require similar provisions for feature-based explanations. CCS CONCEPTS • Human-centered computing → Empirical studies in HCI.",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:2520052",
    "title": "Ranked MSD: A New Feature Ranking and Feature Selection Approach for Biomarker Identification",
    "authors": [
      "Ghanshyam Verma",
      "Alokkumar Jha",
      "Dietrich Rebholz-Schuhmann",
      "Michael G. Madden"
    ],
    "date": "2019-08-26",
    "platform": "hal",
    "sourceUrl": "https://inria.hal.science/hal-02520052v1",
    "pdfUrl": "https://inria.hal.science/hal-02520052/document",
    "doi": "10.1007/978-3-030-29726-8_10",
    "abstract": "In the era of big data when a huge amount of data is continuously being generated, it is common for situations to arise where the number of samples is much smaller than the number of features (variables) per sample. This phenomenon is often found in biomedical domains, where we may have relatively few patients, compared to the amount of data per patient. For example, gene expression data typically has between 10,000 and 60,000 features per sample. A separate issue arises from the “right to explanation” found in the European General Data Protection Regulation (GDPR), which may prevent the use of black-box models in applications where explainability is required. In such situations, there is a need for robust algorithms which can identify the relevant features from experimental data by discarding irrelevant ones, yielding a simpler subset that facilitates explanation. To address these needs, we have developed a new algorithm for feature ranking and feature selection, named Ranked MSD. We have tested our proposed approach on two real-world gene expression data sets, both of which relate to respiratory viral infections. This Ranked MSD feature selection algorithm is able to reduce the feature set size from 12,023 genes (features) to 65 genes on the first data set and from 20,737 genes to 31 genes on the second data set, in both cases without any significant loss in disease prediction accuracy. In an alternative configuration, our proposed algorithm is able to identify a small subset of features that gives better accuracy than that of the full feature set. Our proposed algorithm can also identify important biomarkers (genes) with their importance score for a particular disease and the identified top-ranked biomarkers can play a vital role in drug discovery and precision medicine.",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:4609988",
    "title": "Privacy-preserving Collaborative Computation: Methods, Challenges and Directions",
    "authors": [
      "Ikhlas Mastour",
      "Layth Sliman",
      "Benoît Charroux",
      "Raoudha Ben Djemaa",
      "Kamel Barkaoui"
    ],
    "date": "2023-12-17",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-04609988v1",
    "pdfUrl": "https://hal.science/hal-04609988/document",
    "doi": "10.1109/icca59364.2023.10401829",
    "abstract": "Although data mining is very relevant to the medical sector, it has also raised privacy concerns since it is applied to sensitive data, which undoubtedly affects citizens’ rights and freedoms, which are strictly regulated by the EU through the General Data Protection Regulation (GDPR). This concern creates a big gap between the data owner and the data analyst, and it is not easy to connect them. Thus, it is evidently important to ensure privacy. This need for privacy becomes a necessity when data from multiple entities aim to collaborate. To tackle this gap, several techniques worth mentioning can be employed during data analysis to ensure privacy, including secure multiparty computation, homomorphic encryption, and federated learning. In this paper, we present the state-of-the-art of existing approaches and discuss their drawbacks to finally identify outstanding challenges in this field.",
    "topics": [
      "gdpr_compliance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:4461731",
    "title": "A probabilistic design for practical homomorphic majority voting with intrinsic differential privacy",
    "authors": [
      "Arnaud Grivet Sebert",
      "Martin Zuber",
      "Oana Stan",
      "Renaud Sirdey",
      "Cedric Gouy-Pailler"
    ],
    "date": "2023-11-26",
    "platform": "hal",
    "sourceUrl": "https://cea.hal.science/cea-04461731v1",
    "pdfUrl": "https://cea.hal.science/cea-04461731/document",
    "doi": "10.1145/3605759.3625258",
    "abstract": "As machine learning (ML) has become pervasive throughout various fields (industry, healthcare, social networks), privacy concerns regarding the data used for its training have gained a critical importance. In settings where several parties wish to collaboratively train a common model without jeopardizing their sensitive data, the need for a private training protocol is particularly stringent and implies to protect the data against both the model’s end-users and the other actors of the training phase. In this context of secure collaborative learning, Differential Privacy (DP) and Fully Homomorphic Encryption (FHE) are two complementary countermeasures of growing interest to thwart privacy attacks in ML systems. Central to many collaborative training protocols, in the line of PATE, is majority voting aggregation. Thus, in this paper, we design SHIELD, a probabilistic approximate majority voting operator which is faster when homomorphically executed than existing approaches based on exact argmax computation over an histogram of votes. As an additional benefit, the inaccuracy of SHIELD is used as a feature to provably enable DP guarantees. Although SHIELD may have other applications, we focus here on one setting and seamlessly integrate it in the SPEED collaborative training framework from [20] to improve its computational efficiency. After thoroughly describing the FHE implementation of our algorithm and its DP analysis, we present experimental results. To the best of our knowledge, it is the first work in which relaxing the accuracy of an algorithm is constructively usable as a degree of freedom to achieve better FHE performances.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:4050603",
    "title": "A Two-Levels Data Anonymization Approach",
    "authors": [
      "Sarah Zouinina",
      "Younès Bennani",
      "Nicoleta Rogovschi",
      "Abdelouahid Lyhyaoui"
    ],
    "date": "2020-06-05",
    "platform": "hal",
    "sourceUrl": "https://inria.hal.science/hal-04050603v1",
    "pdfUrl": "https://inria.hal.science/hal-04050603/document",
    "doi": "10.1007/978-3-030-49161-1_8",
    "abstract": "The amount of devices gathering and using personal data without the person’s approval is exponentially growing. The European General Data Protection Regulation (GDPR) came following the requests of individuals who felt at risk of personal privacy breaches. Consequently, privacy preservation through machine learning algorithms were designed based on cryptography, statistics, databases modeling and data mining. In this paper, we present two-levels data anonymization methods. The first level consists of anonymizing data using an unsupervised learning protocol, and the second level is anonymization by incorporating the discriminative information to test the effect of labels on the quality of the anonymized data. The results show that the proposed approaches give good results in terms of utility what preserves the trade-off between data privacy and its usefulness.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:4575326",
    "title": "Anonymizing Speech : Evaluating and Designing Speaker Anonymization Techniques",
    "authors": [
      "Pierre Champion"
    ],
    "date": "2023-04-20",
    "platform": "hal",
    "sourceUrl": "https://hal.univ-lorraine.fr/tel-04218098v2",
    "pdfUrl": "https://hal.univ-lorraine.fr/tel-04218098/document",
    "doi": "10.48550/arXiv.2308.04455",
    "abstract": "The growing use of voice user interfaces, from telephones to remote controls, automobiles, and digital assistants, has led to a surge in the collection and storage of speech data. While data collection allows for the development of efficient tools powering most speech services, it also poses serious privacy issues for users as centralized storage makes private personal speech data vulnerable to cyber threats. Advanced speech technologies, such as voice-cloning and personal attribute recognition, can be used to access and exploit sensitive information. Voice-cloning technology allows an attacker to take a recording of a person's voice and use it to generate new speech that sounds like it is coming from that person. For example, an attacker could use voice-cloning to impersonate a person's voice to gain unauthorized access to his/her financial information over the phone. With the increasing use of voice-based digital assistants like Amazon's Alexa, Google's Assistant, and Apple's Siri, and with the increasing ease with which personal speech data can be collected and stored, the risk of malicious use of voice-cloning and speaker/gender/pathological/etc. recognition technologies have increased. Companies and organizations need to consider these risks and implement appropriate measures to protect user data in order to prevent misuse of speech technologies and comply with legal regulations (e.g., General Data Protection Regulation (GDPR)). To address these concerns, this thesis proposes solutions for anonymizing speech and evaluating the degree of the anonymization. In this work, anonymization refers to the process of making personal speech data unlinkable to an identity, while maintaining the usefulness (utility) of the speech signal (e.g., access to the linguistic content). The goal is to protect the privacy of individuals by removing or obscuring any Personally Identifiable Information (PPI) from the acoustic of speech. 
PPI includes things like a person's voice, accent, and speaking style; other personal information in the speech content like, phone number, person name, etc., is out of the scope of this thesis. Our research is built on top of existing anonymization methods based on voice conversion and existing evaluation protocols. We start by identifying and explaining several challenges that evaluation protocols need to consider to evaluate the degree of privacy protection properly. We clarify how anonymization systems need to be configured for evaluation purposes and highlight the fact that many practical deployment configurations do not permit privacy evaluation. Furthermore, we study and examine the most common voice conversion-based anonymization system and identify its weak points, before suggesting new methods to overcome some limitations. We isolate all components of the anonymization system to evaluate the degree of speaker PPI associated with each of them. Then, we propose several transformation methods for each component to reduce as much as possible speaker PPI while maintaining utility. We promote anonymization algorithms based on quantization-based transformation as an alternative to the most-used and well-known noise-based approach. Finally, we endeavor a new attack method to invert the anonymization, creating a new threat. In this thesis, we openly work on sharing anonymization systems and evaluation protocols to aid organizations in facilitating the preservation of privacy rights for individuals.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "arXiv.org",
    "language": "en"
  },
  {
    "id": "hal:2156391",
    "title": "Personal Information Controller Service (PICS)",
    "authors": [
      "Marco Winckler",
      "Laurent Goncalves",
      "Olivier Nicolas",
      "Frédérique Biennier",
      "Hind Benfenatki",
      "Thierry Despeyroux",
      "Nourhène Alaya",
      "Alex Deslée",
      "Mbaye Fall Diallo",
      "Isabelle Collin-Lachaud",
      "Gautier Ubersfeld",
      "Christophe Cianchi"
    ],
    "date": "2019-06-11",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-02156391v1",
    "pdfUrl": "",
    "doi": "10.1007/978-3-030-19274-7_40",
    "abstract": "This paper presents a view at glance of the project PICS (which stands for Personal Information Controller Service) that is concerned by personal data protection. More specifically we present a software platform that allows users to control the exchanges between Web-based Personal Information Management Systems (the so-called PIMS that store users’ personal data) and SaaS services (such as e-commerce applications) using a reinforced authentication. The ultimate goal of this platform is to empower users by allowing them to have full control on personal data exchange. Moreover, the platform includes specific components to help users to solve cognitive demanding tasks related to the data protection such as how to properly interpret Terms of Service (ToS) imposed by the SaaS, recall previous users interactions with the SaaS (ex. personal data exchanged with the SaaS and the corresponding term of services), and detect unauthorized use of personal data. The technical solution proposed by PICS is a suitable implementation of the General Data Protection Regulation (GDPR). We present the motivations, challenges and research questions that lead to the technical solution proposed by PICS.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:4470141",
    "title": "Summary: Difficulties faced by the legal system in coming to terms with blockchains",
    "authors": [
      "O. Lasmoles"
    ],
    "date": "2018",
    "platform": "hal",
    "sourceUrl": "https://normandie-univ.hal.science/hal-04470141v1",
    "pdfUrl": "",
    "doi": "10.3917/ride.324.0453",
    "abstract": "The recent proliferation of blockchain projects is a sign of the maturity of this technology and the awareness of its considerable stakes by economic actors. The issues raised over the past ten years by bitcoins were primarily economic and monetary policy issues, including who can mint coins. Today, questions are multiplying and going beyond the economic and state sphere. The advantages are numerous: the automation of procedures, security, and the timestamping of data. The first function of a blockchain is to preserve the data (record keeping) and to secure them. This data retention allows us to trace data and assets. Thus, in terms of transportation and logistics, it helps us to find out where the goods were produced, packaged, loaded, and unloaded. In the domain of health, this helps us to uncover the origin of the drugs shipped. This would result, de facto, in certifying the origin of the goods. The sectors that can benefit from these benefits are unlimited. Another function of blockchains, automation, allows for fluidity in management processes, saving significant amounts of time and considerable sums of money. The example of maritime transport provides indisputable proof. The timestamp of the data entered on a blockchain is often put forward to boast the advantages it offers. Indeed, particularly in the field of intellectual and industrial protection, this function makes it possible to provide proof of the primacy of a work. It is necessary, however, to distinguish industrial property and intellectual property whose legal regimes are not identical. It is therefore also necessary to determine the contribution of the timestamp to each of these properties. In addition, is timestamping a permissible form of evidence before the courts? The question arises and clarification needs to be made. The advantages of blockchains, both economic and legal, are therefore numerous. Nonetheless, several questions remain unresolved. 
Originally, blockchains were not intended to store and exchange personal data. However, their evolution and the evolution of the law make the situation more complex. These data, protected by the pseudonym, are being updated by legislation that, in the context of the fight against cybercrime (Titanium Project), is calling this pseudonym into question. Thus, today, blockchains can exchange personal data that are no longer protected by pseudonymity. What about their protection? There is therefore a conflict between blockchains and personal data protection laws, such as the General Data Protection Regulation (GDPR) from the EU. How can this conflict be resolved? Another question that is very often asked: will the automation of blockchains cause the disappearance of trusted third parties? This trusted third party—who is an intermediary—would disappear, or at least see his/her role drastically reduced; if a blockchain makes it possible to register a sale between two private individuals, why not use it in the case of a real estate sale? The transaction will be secure, covered by the pseudonym, and dated. Are services provided by a notary still necessary? Blockchains have also given rise to the notion of smart contracts, but what about their legal qualification and their effects? The proximity of the reasoning methods of lawyers and computer scientists may have suggested that these smart contracts were contracts in the legal sense of the term. However, if they codify contractual clauses, they cannot be qualified as contracts. In addition, a smart contract does not take into account the notion of good faith that exists in the law of obligations and is therefore a matter of public order. From this point on, these “digitized contracts” will have to evolve so that they can be integrated into the particularities of the law of contracts. There are so many questions that deserve, if not to have an answer, at least to be nuanced. © De Boeck Supérieur. 
Tous droits réservés pour tous pays.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Revue internationale de droit économique",
    "language": "en"
  },
  {
    "id": "hal:1470500",
    "title": "Data Protection by Default in Identity-Related Applications",
    "authors": [
      "Marit Hansen"
    ],
    "date": "2013-04-08",
    "platform": "hal",
    "sourceUrl": "https://inria.hal.science/hal-01470500v1",
    "pdfUrl": "https://inria.hal.science/hal-01470500/document",
    "doi": "10.1007/978-3-642-37282-7_2",
    "abstract": "“Privacy by default” is being discussed as one important principle for ICT system design. This principle has been taken up as “data protection by default” in the proposal for a European Data Protection Regulation published in 2012. However, it is debated what this principle should mean in practice. In this text, we analyze the relation to “security by default” and “privacy by design” and discuss different possible interpretations of the “data protection by default” principle. After presenting general considerations on how to choose and implement appropriate default settings, we exemplarily describe recommendations for typical identity-related application scenarios such as social network sites, user tracking on the web and user-controlled management of one’s identities. Both the general and the scenario-based elaborations provide guidance for developers as well as evaluators.",
    "topics": [
      "gdpr_compliance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:5308349",
    "title": "Automated Flash Audit for Web Cybersecurity: Design of a Proactive Vulnerability Scanner",
    "authors": [
      "Amandine Martin",
      "Maxime Billy",
      "Karima Boudaoud",
      "Christian Delettre"
    ],
    "date": "2025-06-21",
    "platform": "hal",
    "sourceUrl": "https://univ-evry.hal.science/hal-05308339v1",
    "pdfUrl": "https://univ-evry.hal.science/hal-05308339/document",
    "doi": "10.48545/advance2025-fullpapers-1_1",
    "abstract": "Web application security is now a major strategic challenge for companies, whether large corporations or very small/small and medium-sized enterprises (VSEs/SMEs). Threats and attacks are diversifying and multiplying, including data breaches, ransomware, defacements, and intellectual property theft. These cyberattacks have severe repercussions for VSEs and SMEs, which are often not sufficiently protected. Even if reliable solutions such as penetration testing and vulnerability scanning tools exist they are generally expensive, not easy to use and not suitable for non-specialist users. Moreover, European legislation (such as GDPR, NIS2 Directive, Cyber Resilience Act and the Digital Operational Resilience Act) imposes increasing cybersecurity obligations and requirements to companies that must adopt security solutions that are compliant with the legislation. To offer a response to VSEs and SMEs companies (i.e. a solution that is affordable and can be used easily), we propose a platform, called WeakSpotter. This latter was developed to enable these companies to understand cybersecurity challenges and thus correct the vulnerabilities they encounter on their websites.",
    "topics": [
      "jurisdiction_regulatory",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:5032252",
    "title": "Le rôle de l'IA dans la recherche en santé : un examen des politiques des fondations de l'enseignement supérieur",
    "authors": [
      "Yuris Tri",
      "Efendi Efendi Lod Simanjuntak Lod",
      "Anatoliy Kostruba"
    ],
    "date": "2024-09-03",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-05032252v1",
    "pdfUrl": "https://hal.science/hal-05032252/document",
    "doi": "10.59247/jahir.v2i2.295",
    "abstract": "The integration of Artificial Intelligence in health research has transformed data analysis, predictive modeling, and personalized treatment strategies. However, its rapid adoption presents regulatory, ethical, and institutional challenges, particularly in higher education foundations that oversee health research. This paper examines policies governing AI-driven health research, focusing on regulatory frameworks, ethical guidelines, and institutional policies that shape AI applications in academia. At the global and national levels, regulations such as the EU AI Act and World Health Organization guidelines set standards for AI safety, transparency, and data protection in health research. Despite these frameworks, challenges persist, including data privacy concerns, algorithmic bias, and inconsistent ethical oversight. Ethical frameworks like the Ethical Regulatory Framework for AI emphasize accountability, fairness, and continuous monitoring to ensure responsible AI deployment. Higher education institutions play a crucial role in developing AI governance frameworks that balance innovation with compliance. However, inconsistencies in institutional policies create gaps in regulatory enforcement and ethical standards. Addressing these issues requires harmonized policies, interdisciplinary collaboration, and proactive stakeholder engagement. This paper highlights the role of AI in optimizing research methodologies, funding allocation, and regulatory compliance while discussing emerging challenges and future directions for AI-driven health research governance.",
    "topics": [
      "ai_governance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "Journal of Advanced Health Informatics Research",
    "language": "en"
  },
  {
    "id": "openaire:10.46793/83138.005.017n",
    "title": "APPLICATION OF ARTIFICIAL INTELLIGENCE IN THE ECONOMIC OPERATIONS OF COMPANIES – LEGAL REGULATIONS OF THE EUROPEAN UNION AND THE REPUBLIC OF SERBIA",
    "authors": [
      "Slobodan Nešković"
    ],
    "date": "2025-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.46793/83138.005.017n",
    "pdfUrl": "",
    "doi": "10.46793/83138.005.017n",
    "abstract": "The postmodern environment channels the position and functioning of the social subjects of each countries. As an essential area of the existence of every creation, the economic operation of the company is especially modified. At the same time, the innovative paradigm artifical intelligence occupies a significant position with an evident controversial implosion through implementation in the economic, legal and other spheres of human existence. The legal context of artificial intelligence in the European Union and the Republic of Serbia is under development and includes various aspects such as data protection, ethics, responsibility and regulation. The European Union has proposed a regulation on artificial intelligence that aims to set rules for the development and use of artificial intelligence (hereinafter VI or AI). This regulation focuses on the risks associated with artificial intelligence, dividing applications into low-risk, medium- risk and high risk. High-risk applications, such as facial recognition systems or the use of AI in the justice system, are subject to stricter rules. The General Data Protection Regulation (GDPR) also applies to artifical intelligence, especially when it comes to the processing of personal data. Businesses using AI must ensure that they respect the rights of individuals and have transparent policies regarding data processing. The European Union emphasizes the importance of ethical principles in the development of AI, including fairness, transparency, accountability and the protection of human rights. Republic of Serbia is in the process of harmonizing with EU legislation, which includes areas related to AI. There are initiatives to develop strategies that will regulate the use of AI in different sectors. Serbia has a Law on the Protection of Personal Data that is harmonized with the GDPR, which means that companies using AI must ensure the protection of personal data. 
Various projects and initiatives are being developed in S",
    "topics": [
      "gdpr_compliance",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1177/20552076251343959",
    "title": "Data privacy in healthcare: Global challenges and solutions",
    "authors": [
      "Andrew Kweku Conduah",
      "Sebastian Ofoe",
      "Dorothy Siaw-Marfo"
    ],
    "date": "2025-05-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1177/20552076251343959",
    "pdfUrl": "https://europepmc.org/articles/PMC12138216?pdf=render",
    "doi": "10.1177/20552076251343959",
    "abstract": "<jats:sec>             <jats:title>Purpose</jats:title>             <jats:p>This study explores global frameworks for healthcare data privacy, focusing on the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Protection of Personal Information Act (POPIA). It examines the challenges of regional regulatory disparities, systemic vulnerabilities identified through major health data breach case studies, and the potential of advanced technologies to enhance privacy protections.</jats:p>           </jats:sec>           <jats:sec>             <jats:title>Methods</jats:title>             <jats:p>A qualitative research approach was adopted, incorporating corpus construction and comparative analysis of legal and technical frameworks. The study also utilized case studies of significant health data breaches to identify vulnerabilities and evaluate the role of emerging technologies, such as artificial intelligence (AI) and machine learning (ML), in mitigating risks and enhancing regulatory compliance.</jats:p>           </jats:sec>           <jats:sec>             <jats:title>Results</jats:title>             <jats:p>Findings indicate that GDPR, CCPA, and POPIA set high standards for data protection but reveal significant variability in enforcement and technological adoption across regions. Challenges include inconsistent definitions of sensitive data, semantic discrepancies, a lack of standardized protocols, and limited information technology infrastructure in certain jurisdictions. Advanced technologies like AI and ML promise to address these gaps by improving data harmonization and security.</jats:p>           </jats:sec>           <jats:sec>             <jats:title>Conclusions</jats:title>             <jats:p>Addressing healthcare data privacy challenges requires harmonized global regulations, advanced technological tools, and international collaboration. 
Strengthening frameworks, enhancing information technology infrastructure, an",
    "topics": [
      "gdpr_compliance",
      "sector_healthcare"
    ],
    "painPointTracks": [
      "Enforcement",
      "Health & Genomic PII"
    ],
    "relevanceScore": 0.55,
    "venue": "Digital health",
    "language": "en"
  },
  {
    "id": "pubmed:40800528",
    "title": "Demystifying the likelihood of reidentification in neuroimaging data: A technical and regulatory analysis.",
    "authors": [
      "Jwa, Anita S",
      "Koyejo, Oluwasanmi",
      "Poldrack, Russell A"
    ],
    "date": "2024-03-22",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1038/s41596-023-00873-0",
    "pdfUrl": "",
    "doi": "10.1038/s41596-023-00873-0",
    "abstract": "Sharing research data has been widely promoted in the field of neuroimaging and has enhanced the rigor and reproducibility of neuroimaging studies. Yet the emergence of novel software tools and algorithms, such as face recognition, has raised concerns due to their potential to reidentify defaced neuroimaging data that are thought to have been deidentified. Despite the surge of privacy concerns, however, the risk of reidentification via these tools and algorithms has not yet been examined outside the limited settings for demonstration purposes. There is also a pressing need to carefully analyze regulatory implications of this new reidentification attack because concerns about the anonymity of data are the main reason that researchers think they are legally constrained from sharing their data. This study aims to tackle these gaps through rigorous technical and regulatory analyses. Using a simulation analysis, we first tested the generalizability of the matching accuracies in defaced neuroimaging data reported in a recent face recognition study (Schwarz et al., 2021). The results showed that the real-world likelihood of reidentification in defaced neuroimaging data via face recognition would be substantially lower than that reported in the previous studies. Next, by taking a US jurisdiction as a case study, we analyzed whether the novel reidentification threat posed by face recognition would place defaced neuroimaging data out of compliance under the current regulatory regime. Our analysis suggests that defaced neuroimaging data using existing tools would still meet the regulatory requirements for data deidentification. A brief comparison with the EU's General Data Protection Regulation (GDPR) was also provided. Then, we examined the implication of NIH's new Data Management and Sharing Policy on the current practice of neuroimaging data sharing based on the results of our simulation and regulatory analyses. 
Finally, we discussed future directions of open data sharing i",
    "topics": [
      "gdpr_compliance",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Imaging neuroscience (Cambridge, Mass.)",
    "language": "en"
  },
  {
    "id": "pubmed:36779023",
    "title": "FROM SHARING TO SELLING: CHALLENGES AND OPPORTUNITIES OF ESTABLISHING A DIGITAL HEALTH DATA MARKETPLACE USING BLOCKCHAIN TECHNOLOGIES.",
    "authors": [
      "Maher, Mohamed A",
      "Khan, Imtiaz A"
    ],
    "date": "2022-01-28",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1109/OBD.2016.21",
    "pdfUrl": "",
    "doi": "10.1109/OBD.2016.21",
    "abstract": "During the COVID-19 pandemic, we witnessed how sharing of biological and biomedical data facilitated researchers, medical practitioners, and policymakers to tackle the pandemic on a global scale. Despite the growing use of electronic health records (EHRs) by medical practitioners and wearable digital gadgets by individuals, 80% of health and medical data remain unused, adding little value to the work of researchers and medical practitioners. Legislative constraints related to health data sharing, centralized siloed design of traditional data management systems, and most importantly, lack of incentivization models are thought to be the underpinning bottlenecks for sharing health data. With the advent of the General Data Protection Regulation (GDPR) of the European Union (EU) and the development of technologies like blockchain and distributed ledger technologies (DLTs), it is now possible to create a new paradigm of data sharing by changing the incentivization model from current authoritative or altruistic form to a shared economic model where financial incentivization will be the main driver for data sharing. This can be achieved by setting up a digital health data marketplace (DHDM). Here, we review papers that proposed technical models or implemented frameworks that use blockchain-like technologies for health data. We seek to understand and compare different technical challenges associated with implementing and optimizing the DHDM operation outlined in these articles. We also examine legal limitations in the context of the EU and other countries such as the USA to accommodate any compliance requirement for such a marketplace. Last but not least, we review papers that investigated the short-, medium-, and long-term socioeconomic impact of such a marketplace on a wide range of stakeholders.",
    "topics": [
      "gdpr_compliance",
      "data_broker_surveillance"
    ],
    "painPointTracks": [
      "Data Brokers",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Blockchain in healthcare today",
    "language": "en"
  },
  {
    "id": "doaj:f28c0c1876e344afa48c9ed3dbaf6bc8",
    "title": "The secure judgment of graphic similarity against malicious adversaries and its applications",
    "authors": [
      "Xin Liu",
      "Yang Xu",
      "Dan Luo",
      "Gang Xu",
      "Neal Xiong",
      "Xiu-Bo Chen"
    ],
    "date": "2023",
    "platform": "doaj",
    "sourceUrl": "https://doi.org/10.1038/s41598-023-30741-6",
    "pdfUrl": "",
    "doi": "10.1038/s41598-023-30741-6",
    "abstract": "With the advent of the era of big data, privacy computing analyzes and calculates data on the premise of protecting data privacy, to achieve data ‘available and invisible’. As an important branch of secure multi-party computation, the geometric problem can solve practical problems in the military, national defense, finance, life, and other fields, and has important research significance. In this paper, we study the similarity problem of geometric graphics. First, this paper proposes the adjacency matrix vector coding method of isomorphic graphics, and use the Paillier variant encryption cryptography to solve the problem of isomorphic graphics confidentiality under the semi-honest model. Using cryptography tools such as elliptic curve cryptosystem, zero-knowledge proof, and cut-choose method, this paper designs a graphic similarity security decision protocol that can resist malicious adversary attacks. The analysis shows that the protocol has high computational efficiency and has wide application value in terrain matching, mechanical parts, biomolecules, face recognition, and other fields.",
    "topics": [
      "privacy_engineering",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "Scientific Reports",
    "language": "en"
  },
  {
    "id": "doaj:476d8557e1a242fba1775624e1f60d26",
    "title": "A Reference Design Model to Manage Consent in Data Subjects-Centered Internet of Things Devices",
    "authors": [
      "Pankaj Khatiwada",
      "Bian Yang",
      "Jia-Chun Lin",
      "Godfrey Mugurusi",
      "Stian Underbekken"
    ],
    "date": "2024",
    "platform": "doaj",
    "sourceUrl": "https://www.mdpi.com/2624-831X/5/1/6",
    "pdfUrl": "",
    "doi": "10.3390/iot5010006",
    "abstract": "Internet of Things (IoT) devices have changed how billions of people in the world connect and interact with each other. But, as more people use IoT devices, many questions arise about how these devices handle private data and whether they properly ask for permission when using it. Due to information privacy regulations such as the EU’s General Data Protection Regulation (GDPR), which requires companies to seek permission from data subjects (DS) before using their data, it is crucial for IoT companies to obtain this permission correctly. However, this can be really challenging in the IoT world because people often find it difficult to interact with and manage multiple IoT devices under their control. Also, the rules about privacy are not always clear. As such, this paper proposes a new model to improve how consent is managed in the world of IoT. The model seeks to minimize “consent fatigue” (when people get tired of always being asked for permission) and give DS more control over how their data are shared. This includes having default permission settings, being able to compare similar devices, and, in the future, using AI to give personalized advice. The model allows users to easily review and change their IoT device permissions if previous conditions are not met. It also emphasizes the need for easily understandable privacy rules, clear communication with users, and robust tracking of consent for data usage. By using this model, companies that provide IoT services can do a better job of protecting user privacy and managing DS consent. In addition, companies can more easily comply with data protection laws and build stronger relationships with their customers.",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.55,
    "venue": "IoT",
    "language": "en"
  },
  {
    "id": "s2:83b6f7e39265075e3900138ae513010df67f7cce",
    "title": "De-Anonymization of Health Data: A Survey of Practical Attacks, Vulnerabilities and Challenges",
    "authors": [
      "Hamza Aguelal",
      "Paolo Palmieri"
    ],
    "date": "2025",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/83b6f7e39265075e3900138ae513010df67f7cce",
    "pdfUrl": "",
    "doi": "10.5220/0013274200003899",
    "abstract": "Health data ranks among the most sensitive personal information disclosing serious details about individuals. Although anonymization is used, vulnerabilities persist, leading to de-anonymization and privacy risks highlighted by regulations like the General Data Protection Regulation (GDPR). This survey examines de-anonymization attacks on health datasets, focusing on methodologies employed, data targeted, and the effectiveness of current anonymization practices. Unlike previous surveys that lack consensus on essential empirical questions, we provide a comprehensive summary of practical attacks, offering a more logical perspective on real-world risk. Our investigation systematically categorizes these practical attacks, revealing insights into success rates, generality and reproducibility, new analytics used, and the specific vulnerabilities they exploit. The study covers health-related datasets, including medical records, genomic data, electrocardiograms (ECGs), and neuroimaging, highlighting the need for more robust anonymization. Significant challenges remain in the literature despite existing reviews. We advocate for stronger data safeness by improving anonymization methods and advancing research on de-anonymization and assessment within healthcare.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "International Conference on Information Systems Security and Privacy",
    "language": "en"
  },
  {
    "id": "s2:e7358b0956274abeffca64934d14da3ef5860914",
    "title": "A Vulnerability in Video Anonymization – Privacy Disclosure from Face-obfuscated video",
    "authors": [
      "Hiroaki Kikuchi",
      "Shun Miyoshi",
      "Takafumi Mori",
      "Andres Hernandez-Matamoros"
    ],
    "date": "2022-08-22",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/e7358b0956274abeffca64934d14da3ef5860914",
    "pdfUrl": "http://xplorestaging.ieee.org/ielx7/9851848/9851959/09851976.pdf?arnumber=9851976",
    "doi": "10.1109/PST55820.2022.9851976",
    "abstract": "This work studies a vulnerability in face obfuscation techniques intended to preserve the privacy of individuals. There have been several attempts to prevent unauthorized face recognition from being performed, aiming to guarantee anonymity in video data. Most of these attempts have focused on facial areas that are thought as sensitive to contribute most to facial recognition. However, obfuscation of such facial areas is insufficient to preserve privacy because gait information such as arm movements and step characteristics can be used to identify individuals and other personal information such as gender. In this paper, we claim that individual tracking and gender estimation are possible just from the gait information extracted from a video without using face-related data. We propose a set of biometric features and an algorithm to estimate gender from skeleton data. Our experiments with more than 100 subjects demonstrate that gender is estimated with a significant accuracy of 99.86%. The proposed identification algorithm, which is based on pattern-matching techniques, is robust against changes in the manner of walking and successfully identifies subjects with only small error of 0.036.",
    "topics": [
      "document_anonymization",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Biometric & Immutable PII"
    ],
    "relevanceScore": 0.55,
    "venue": "Conference on Privacy, Security and Trust",
    "language": "en"
  },
  {
    "id": "openaire:10.48047/cu/54/02/542-551",
    "title": "Facial Recognition Technology for Seamless Check-In and Personalized Guest Service",
    "authors": [
      "Nilesh Ratnoday",
      "Naiya Rana Ratnoday",
      "Chanchreek Sharma",
      "Muskan Saxena",
      "Dhiraj Kumar",
      "Aadity Banerjee"
    ],
    "date": "2025-01-10",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.48047/cu/54/02/542-551",
    "pdfUrl": "",
    "doi": "10.48047/cu/54/02/542-551",
    "abstract": "Facial recognition technology (FRT) is fundamentally reshaping the hospitality landscape, offering streamlined check-in processes, and enhanced personalized guest services. This paper explores the implementation of biometric solutions, highlighting how FRT effectively reduces queues by allowing guests to check in without traditional identification methods, thereby minimizing wait times and improving overall guest satisfaction. Moreover, integrating FRT promotes security by ensuring that only authorized individuals can access restricted areas within hotels. However, the adoption of this technology is not without challenges; important ethical and privacy concerns arise from its use. As FRT relies on sensitive biometric data, issues surrounding data collection, consent, and potential misuse must be addressed. This paper also examines the implications of regulatory frameworks, such as the General Data Protection Regulation (GDPR), which mandate strict adherence to data protection principles. By critically assessing both the benefits and challenges associated with facial recognition systems in hospitality, this research aims to provide a balanced view on creating innovative, secure, yet ethical guest experiences in the modern hotel industry. Ultimately, this study underscores the need for responsible practices in the deployment of biometric solutions.",
    "topics": [
      "gdpr_compliance",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Cuestiones de Fisioterapia",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::377686fa117b448b1c2e6390ac997efa",
    "title": "Protecting Persona Biometric Data: The Case of Facial Privacy",
    "authors": [
      "Hogenhout, Lambert",
      "Wangmo, Rinzin"
    ],
    "date": "2025-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.48550/arxiv.2510.03035",
    "pdfUrl": "",
    "doi": "10.48550/arxiv.2510.03035",
    "abstract": "The proliferation of digital technologies has led to unprecedented data collection, with facial data emerging as a particularly sensitive commodity. Companies are increasingly leveraging advanced facial recognition technologies, often without the explicit consent or awareness of individuals, to build sophisticated surveillance capabilities. This practice, fueled by weak and fragmented laws in many jurisdictions, has created a regulatory vacuum that allows for the commercialization of personal identity and poses significant threats to individual privacy and autonomy. This article introduces the concept of Facial Privacy. It analyzes the profound challenges posed by unregulated facial recognition by conducting a comprehensive review of existing legal frameworks. It examines and compares regulations such as the GDPR, Brazil's LGPD, Canada's PIPEDA, and privacy acts in China, Singapore, South Korea, and Japan, alongside sector-specific laws in the United States like the Illinois Biometric Information Privacy Act (BIPA). The analysis highlights the societal impacts of this technology, including the potential for discriminatory bias and the long-lasting harm that can result from the theft of immutable biometric data. Ultimately, the paper argues that existing legal loopholes and ambiguities leave individuals vulnerable. It proposes a new policy framework that shifts the paradigm from data as property to a model of inalienable rights, ensuring that fundamental human rights are upheld against unchecked technological expansion.",
    "topics": [
      "biometric_surveillance",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "arXiv.org",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::d7d9927ae9c3e28336b0ce61780b2c82",
    "title": "Contribution to facial authentication and synthetic datasets for Edge-AI applications",
    "authors": [
      "Yao, Wang"
    ],
    "date": "2024-09-27",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.13025/29127",
    "pdfUrl": "",
    "doi": "10.13025/29127",
    "abstract": "Secure authentication of low-power consumer devices such as doorbell cameras is a unique and significant challenge. This challenge arises from the complexity of the facial images captured by these devices, which encompass different lighting conditions, various postures, and individuals of different ages. These factors collectively present hurdles to the accurate recognition capabilities of these devices. The development of robust face recognition systems requires a broad and diverse dataset containing images depicting a variety of scenarios such as various lighting conditions, head pose variations, and age. However, current publicly available datasets are insufficient to meet this demanding standard. Moreover, the process of building such a comprehensive dataset is challenging because it requires laborious and time-consuming efforts. The introduction of stringent data protection regulations, such as GDPR in Europe, further makes this task more complex by introducing additional compliance and restrictions. To address these challenges, this work explores the use of synthetic data as a viable solution. The first endeavor of this study involves quantifying and compensating for the impact of lighting and pose on the performance of the facial recognition system by introducing synthetic images generated through GAN-based portrait relighting and head pose generation algorithms. Next, we quantified the performance of facial recognition algorithms across different age groups and age intervals. Further, synthetic age images were introduced, evaluated, and utilized to compensate for the performance of facial recognition across age intervals. Finally, motivated by the DAVID smart-toy project, we have investigated the use of different generative models and designed GAN-based and Diffusion-based models to generate photo-realistic child images. 
The work presented in this dissertation overcomes the unavailability of real data by employing synthetic data as a data augmentation techni",
    "topics": [
      "biometric_surveillance",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1049/PBPC061E_ch10",
    "title": "Privacy-preserving identification for monitoring images",
    "authors": [
      "ZHAO, Bowen",
      "LI, Xiaoguo"
    ],
    "date": "2023-12-18",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1049/pbpc061e_ch10",
    "pdfUrl": "",
    "doi": "10.1049/pbpc061e_ch10",
    "abstract": "Camera sensors embedded in monitor units or mobile phones make it easy to capture various personal images in daily life. Machine learning especially deep learning provides an elegant way to identify images (e.g., person re-identification, face recognition, facial expression recognition). However, a personal image usually involves an amount of sensitive data, such as identity, face, and facial expression. Accordingly, image identification poses severe challenges of privacy leakage for persons' identities, face data, facial expressions, etc. Either GDPR (General Data Protection Regulation) or EDPS (European Data Protection Supervisor) stipulates that monitoring images involve private data and are easy to intrude on the fundamental right to privacy. In this chapter, we first sort out the privacy concerns in monitoring image identification and then formalize privacy-preserving identification for monitoring images. Next, we give a general framework to achieve privacy-preserving monitoring image identification and discuss privacy-preserving person re-identification based on the proposed framework. Finally, we conclude the research challenges and attempt to foresee some new research directions in privacy-preserving monitoring image identification.",
    "topics": [
      "gdpr_compliance",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.55214/2576-8484.v9i9.9781",
    "title": "A systematic literature review on integrating contactless biometrics into online learning environments",
    "authors": [
      "Samukeliswe Londeka Xaba",
      "Halleluyah Oluwatobi Aworinde",
      "Brett van Niekerk"
    ],
    "date": "2025-09-02",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.55214/2576-8484.v9i9.9781",
    "pdfUrl": "",
    "doi": "10.55214/2576-8484.v9i9.9781",
    "abstract": "<jats:p>The rapid expansion of online learning platforms has created significant challenges in ensuring secure and seamless user authentication. Traditional methods, such as passwords and PINs, are vulnerable to security breaches and inefficiencies, prompting the exploration of contactless biometric technologies as viable alternatives. This systematic literature review examines the integration of contactless biometrics—such as facial recognition, voice patterns, and behavioral traits—into online learning environments, emphasizing their effectiveness, advantages, and challenges. This review analyzed 44 peer-reviewed studies from 2010 to 2024. Findings from the review show that contactless biometrics enhance security and user experience but face adoption barriers, such as privacy concerns, algorithmic biases, and technical limitations. Multimodal systems (e.g., combining facial recognition and keystroke dynamics) demonstrate promise in balancing accuracy and scalability, especially in high-stakes assessments. Ethical and regulatory frameworks, including GDPR compliance and bias mitigation, are crucial for responsible deployment. The study identifies gaps in research on Massive Open Online Courses (MOOCs) and underscores the urgent need for scalable, inclusive solutions. Recommendations include hybrid authentication models, inclusive design for diverse learners, and iterative testing to enhance fairness and usability. By synthesizing current advancements and challenges, this review provides actionable insights into the responsible integration of contactless biometrics in online learning for educators, developers, and policymakers. It contributes to the discourse on ethical deployment, regulatory compliance, and inclusive technological design, offering a foundation for future research and innovation in digital authentication.</jats:p>",
    "topics": [
      "biometric_surveillance",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::71e14c6f233873989a561c8c98ae9b9d",
    "title": "COMPARATIVE ANALYSIS: IMAGE RIGHTS UNDER DATA PROTECTION VS. PERSONALITY RIGHTS",
    "authors": [
      "Koryogdiev, Bobur"
    ],
    "date": "2025-06-09",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.5281/zenodo.15623958",
    "pdfUrl": "",
    "doi": "10.5281/zenodo.15623958",
    "abstract": "This comparative analysis explores two predominant legal frameworks for regulating image rights: as personal data under data protection laws and as personality rights under civil law. The data protection approach—exemplified by the GDPR—treats images as identifiable personal data, emphasizing consent, processing limitations, and data subject rights. In contrast, the civil law tradition, grounded in personality rights, protects image rights as an extension of personal dignity, autonomy, and control over one’s likeness. The analysis highlights key doctrinal and practical differences, including the scope of protection, enforcement mechanisms, and applicability in digital contexts. It also discusses the implications for regulatory design, particularly in response to emerging challenges posed by AI, facial recognition, and social media. The study underscores the need for integrated legal approaches that reconcile informational privacy with human dignity to ensure comprehensive protection of image rights in both online and offline environments.",
    "topics": [
      "gdpr_compliance",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.5937/jrs16-27170",
    "title": "Comparative analysis of video surveillance regulation in data protection laws in the former Yugoslav states",
    "authors": [
      "Krivokapić, Đorđe",
      "Krivokapić, Danilo",
      "Adamović, Jelena",
      "Stefanović, Aleksandra"
    ],
    "date": "2021-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.5937/jrs16-27170",
    "pdfUrl": "https://scindeks-clanci.ceon.rs/data/pdf/2217-995X/2021/2217-995X2101005K.pdf",
    "doi": "10.5937/jrs16-27170",
    "abstract": "<jats:p>Video surveillance, the monitoring of a specific area, event, activity or person through an electronic device or a system for visual monitoring is already established as a central tool of public security policy. Video surveillance represents a starting point for implementing advanced technologies such as automatic number plate recognition (ANPR) and automatic facial recognition (AFR), which tend to become standards in many urban areas. Based on the increased use of video surveillance technologies, governments and private actors' capabilities in terms of monitoring of the population and potentially violating fundamental human rights are colossally increased. The article will provide a comparative analysis of national regulatory frameworks of video surveillance in public spaces in former Yugoslav states and its compliance with standards provided by new data protection regulatory framework, particularly General Data Protection Regulation (GDPR). The article will also give an overview of the major violations of the right to privacy by video surveillance and insight into and potential impact of new projects and technologies currently under deployment in the observed countries.</jats:p>",
    "topics": [
      "gdpr_compliance",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Journal of Regional Security",
    "language": "en"
  },
  {
    "id": "openaire:10.54254/2753-7048/2024.20365",
    "title": "Artificial Intelligence in Legal Systems: Examining Gender Bias and the Role of UK Legal Frameworks in Addressing It",
    "authors": [
      "Muzeng Huang"
    ],
    "date": "2025-01-08",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.54254/2753-7048/2024.20365",
    "pdfUrl": "",
    "doi": "10.54254/2753-7048/2024.20365",
    "abstract": "<jats:p> This study examines the gender discrimination of Artificial Intelligence (AI) used in the legal system, focusing on risk assessment, facial recognition, and decision-making and decision-support tools. The study delves into the use of AI in the legal system, examining how its reliance on historical data, under/over-representation, and homogeneity of development teams perpetuate existing gender biases. The study then analyses the implications of the United Kingdom General Data Protection Regulation (UK GDPR) and the proposed Data Protection and Digital Information (DPPI) Bill in addressing gender biases in AI. Nevertheless, the study finds the need for a more robust and proactive legal framework that addresses the root causes of these biases in the design and implementation of AI systems. The paper concludes by proposing a framework to effectively address gender bias in AI systems used in the legal system. The framework outlines explicit obligations across policymakers, companies, and end users to ensure the development and deployment of bias-free AI systems. Its role is to provide comprehensive guidelines and oversight mechanisms that promote proactive measures to prevent gender bias. The framework aims to create a more equitable legal environment for everyone.</jats:p>",
    "topics": [
      "gdpr_compliance",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Lecture Notes in Education Psychology and Public Media",
    "language": "en"
  },
  {
    "id": "openaire:10.5772/intechopen.1012301",
    "title": "EdgeAI with TinyML: Redefining Privacy and Security in Online Identity Management",
    "authors": [
      "Yogeswar Reddy Thota",
      "Tooraj Nikoubin"
    ],
    "date": "2025-09-25",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.5772/intechopen.1012301",
    "pdfUrl": "",
    "doi": "10.5772/intechopen.1012301",
    "abstract": "<jats:p>As online identity management evolves, traditional cloud-based authentication methods are facing critical challenges related to privacy, latency, and centralized risk. This chapter explores how Tiny Machine Learning (TinyML) and Edge Artificial Intelligence (EdgeAI) enable real-time, on-device biometric authentication to address these challenges. TinyML models deployed on ultra-low-power devices such as smartphones, wearables, and IoT (Internet of Things) sensors allow biometric data such as facial recognition, voice, and physiological signals like ECG (electrocardiogram) and PPG (photoplethysmogram) to be processed locally, reducing dependency on cloud infrastructure and minimizing data exposure. We explore the use of ephemeral cryptographic tokens to support passwordless authentication and the role of secure model deployment, Zero Trust Architecture (ZTA), and federated learning in protecting identity across edge ecosystems. The chapter also highlights real-world use cases from healthcare, mobile access, and border security, and addresses ethical and regulatory challenges including data consent, demographic bias, and compliance with laws like the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA). By offering a comprehensive review of decentralized identity frameworks, This chapter contributes a comprehensive systematization of how TinyML and EdgeAI are applied to real-time, privacy-preserving identity verification, along with security architecture, use cases, and regulatory framing.</jats:p>",
    "topics": [
      "gdpr_compliance",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:1905",
    "title": "Canada: will privacy rules continue to favour open science?",
    "authors": [
      "Adrian Thorogood"
    ],
    "date": "2018-07-16",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1007/s00439-018-1905-0",
    "pdfUrl": "",
    "doi": "10.1007/s00439-018-1905-0",
    "abstract": "Canada's regulatory frameworks governing privacy and research are generally permissive of genomic data sharing, though they may soon be tightened in response to public concerns over commercial data handling practices and the strengthening of influential European privacy laws. Regulation can seem complex and uncertain, in part because of the constitutional division of power between federal and provincial governments over both privacy and health care. Broad consent is commonly practiced in genomic research, but without explicit regulatory recognition, it is often scrutinized by research or privacy oversight bodies. Secondary use of health-care data is legally permissible under limited circumstances. A new federal law prohibits genetic discrimination, but is subject to a constitutional challenge. Privacy laws require security safeguards proportionate to the data sensitivity, including breach notification. Special categories of data are not defined a priori. With some exceptions, Canadian researchers are permitted to share personal information internationally but are held accountable for safeguarding the privacy and security of these data. Cloud computing to store and share large scale data sets is permitted, if shared responsibilities for access, responsible use, and security are carefully articulated. For the moment, Canada's commercial sector is recognized as \"adequate\" by Europe, facilitating import of European data. Maintaining adequacy status under the new European General Data Protection Regulation (GDPR) is a concern because of Canada's weaker individual rights, privacy protections, and regulatory enforcement. Researchers must stay attuned to shifting international and national regulations to ensure a sustainable future for responsible genomic data sharing.",
    "topics": [
      "gdpr_compliance",
      "data_breach_incident"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "doaj:ec51583a0e7b450396f789ef18ab9db0",
    "title": "THE ETHICAL STARTUP?",
    "authors": [
      "Alexis Walker"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://journals.library.columbia.edu/l/index.php/bioethics/article/view/14119",
    "pdfUrl": "",
    "doi": "10.52214/vib.v11i.14119",
    "abstract": "Photo ID 345549 © Jonathan Mulkey | Dreamstime.com\n\n\nAbstract\n\n\nEmerging DNA marketplace startups aim to empower individuals with greater control and potential profit-sharing over their genetic data, but they face ethical tensions in navigating uncertain technological and commercial environments. Drawing on ethnographic research and ELSI scholarship, this piece uses the lens of bounded ethicality to show how limits in information, consent, and decision-making call for distributed “ethics supports” beyond individual users and firms. Focusing on cases such as LunaDNA, it outlines strategies, such as decision-support tools, transparent communication, and collaborative ethics infrastructures, to strengthen collective responsibility and ethical capacity in genomics and related fields.\n\n\nIntroduction\n\n\nWith universities in much of the world placing more emphasis on entrepreneurship and technology transfer,[1] the private sector is depicted as a key to advancing both basic and applied sciences. At the same time, widely publicized data breaches and stories of fraud have fueled skepticism about whether private sector innovation serves the public good.[2] In response, some biotech startups have begun to position themselves as ethical alternatives to traditional research and business models.\n\n\nThis paper examines the ethical and institutional burdens that accompany corporate promises to empower consumers in managing their own health data, using emerging DNA marketplaces as a case study. Unlike earlier biobanking models, which relied on broad consent to data use and offered little direct benefit to individual participants, the profit-sharing approach promises more consumer control. These companies let individuals decide how their data can be used and share in the financial benefits when companies sell access to that data. 
But even companies that think carefully about these dynamics face challenges as they create technologies for a future that is difficult to anticipate. Startups can respond to the ethics challenges that come along with such uncertainty; this paper provides guidance on some key pathways. My interviews, surveys, and focus groups with employees and leadership confirm that many companies are searching for guidance on how to embed ethics into their operations.[3]\n\n\nDNA marketplaces offer a compelling site for examining ethical challenges that arise when companies promise to empower individuals with control over their health data, in part because companies, such as LunaDNA and EncrypGen, explicitly frame their platforms as “empowering” users.[4] Yet, these companies blur the boundaries between consumer platforms, research intermediaries, and data brokers, placing particularly complex ethical demands on users and institutions alike. This paper argues that such models reveal not only the limits of individual decision-making under conditions of complexity and uncertainty but also the ethical shortcomings of systems that shift responsibility onto consumers without sufficiently engaging the broader obligations of companies, platforms, and institutional actors.\n\n\nA Framework for Ethics Supports\n\n\nAmong the many genomics products launched in recent years, a series of companies has emerged that offer a means for individuals to “rent” their DNA to companies and universities for research and product development. These DNA marketplaces have promised compensation in exchange for personal data, as well as privacy and transparency through novel technologies. 
Nebula Genomics, co-founded in 2016 by George Church, offered free genome sequencing in exchange for data-sharing on their blockchain-secured platform, or redeemable Nebula tokens for sharing genomic data sequenced elsewhere.[5] The following year, EncrypGen launched a blockchain marketplace which uses proprietary cryptocurrency to pay individuals for de-identified data,[6] and LunaDNA launched an offering of non-voting shares in the company in exchange for data use—e.g., 300 shares for a whole genome shared, a $21 value according to the company’s preliminary offering circular.[7] The marketplace model also allows participants to specify which types of studies their data would support, enabling them to opt in or out of research domains based on topic, perceived risk, or institutional or corporate affiliation of the research team. LunaDNA regularly invites participants to review and approve data use for new studies, including those with different levels of data access or revised shared offers.\n\n\nIn addition to the challenges faced under prior models of consumer genetic data sharing (e.g., through Ancestry.com, 23andMe), these companies have struggled to meet the expectations they set around user control, data ownership, and financial benefit. LunaDNA was founded as a public benefit corporation, with the premise that by receiving shares, participants would benefit financially from any proceeds LunaDNA earned from that data. 
The company failed to build a steady revenue stream and eventually closed in early 2024, without issuing payouts to contributors, as the company reported no cash reserves.[8]  Ethical, legal, and social implications (ELSI) researchers have noted the challenges that these DNA marketplaces face as data brokers that must gather ongoing consent and manage data privacy.[9] In this piece, I highlight the broader ethical challenges that such marketplaces face, considering the startup sector’s demand for continual innovation and often grandiose speculation, even in the face of frequent organizational change and evolution.\n\n\nWhile firms may have ethics infrastructures, such as ethics committees or institutional ethics policies, ethical issues today increasingly cluster beyond the confines of an individual company. Many problems emerge in the complex landscape of angel investors, venture capital firms, private wealth management entities, crowdfunding, accelerators, incubators, co-branded partnerships, tech transfer offices, service providers, and industry networks. While ethical approaches, such as anticipatory ethics, have been developed to predict and address ethical challenges early in the development of emerging technologies,[10] many issues today arise in spaces that lie beyond the control of a single platform, ranging from downstream data sharing by a DNA platform customer to further data use by unknown subsequent parties, to company acquisition, bankruptcy, breaches by partners, and other challenges.[11]\n\n\nTo analyze these challenges, this paper applies the theory of bounded ethicality. Bounded ethicality suggests that social, psychological, and practical pressures limit people’s ability to make ethical decisions. For example, limits on available information, time constraints, decisional complexity, and bias contribute to ethical decision-making. [12] These limits point to the importance of moral supports to promote ethics and justice. 
Bounded ethicality recognizes the limits of the individual moral agent, instead spreading moral labor across platforms, collectives, supportive technologies, and contingencies. As shown below, combining this lens with a focus on downstream thinking can help companies and individuals establish well-designed ethical supports.\n\n\nEthics Challenges for DNA Marketplace Platforms\n\n\nDNA marketplaces risk overpromising the degree to which they can protect data. In response to criticisms of earlier genomics companies that sold user data to pharmaceutical and other companies, including data brokers, without sharing benefits, these companies have created data use policies and means to allow participants to benefit.[13] But even so, substantial risks to data privacy remain. Data breaches, government or law enforcement demands that override privacy protections, and within the limits of both users' and technologists' capacity to anticipate abstract future scenarios.[14] The bounded ethicality lens draws attention to the importance of caution in companies’ framings of their offerings, recognizing the limits even with our best efforts for ethical practice, thus guiding us toward hedging the zeal with which companies advertise privacy protections, untraceability, and individuals’ control over their data’s use.\n\n\nDifficulties also arise because of the complexity of tasks DNA marketplaces ask of their users. The complexities of these tasks include taking control of their genetic data, assessing scientific risk, postulating future scenarios, quickly learning enough genetic science to become ably informed as part of a consent process, and engaging in ongoing monitoring of developments with the platform. 
Growing research shows that decision fatigue, readerly limitations, distraction, comprehension and educational factors, momentary mood or energy levels, and more impede sound decision making.[15] Unlike other industries where consent may be a one-time hurdle, DNA marketplaces demand repeated, proactive choices about whether to share their genetic data, opt in or re-consent to new studies, allow certain types of future use, and decline participation in others based on study type, affiliated institutions or companies, or perceived risk. It is crucial that companies describe the terms and conditions to help customers grasp the yet unknown ways in which data could be used, including adverse scenarios. At the same time, lengthy consent documents cannot fill this need, as they overwhelm participants and do not invite deep engagement with the issues at hand.[16]\n\n\nAnother ethical issue is that significant debate persists about the risks of re-identification of ostensibly de-identified genomic data, which is possible with limited public information.[17] While some argue that little incentive exists for re-identification, there is insufficient evidence to support this claim.\n\n\nCompanies must remain responsible for protecting users, rather than placing responsibility on consumers for protecting themselves via consent procedures.[18] Many ethical frameworks acknowledge that consent alone does not waive organizational obligations. 
But in practice, many organizations have consent procedures and documents that resemble legal contracts more than tools for participant understanding, designed more to limit liability than to foster meaningful participant engagement.[19] Beyond these legal shields, companies owe participants real efforts to support truly informed consent, given the substantial asymmetries in expertise and control that make meaningful consent difficult without institutional support, and the broader ethical imperative to build public trust in data systems where risks are often collective, long-term, and structurally mediated. Companies can implement insights from the robust consent literature, including offering decision support tools such as interactive or pre-highlighted written information, digitally enhanced user support tools, and re-consent cues at key moments, such as when a company is acquired or when scientific developments enable new unanticipated uses of genetic data.[20] If DNA marketplaces have models that presume ongoing user engagement, support to sustain such engagement is essential.\n\n\nThis discussion makes it clear that platforms cannot reasonably suggest to users that they will maintain the privacy that many companies tout. A more ethically grounded approach could include planning for and explaining to users recourses for when a site is hacked, compromised, or down, etc. Privacy is more than a platform security issue. The future contains new kinds of capabilities that can \"de-privatize” previously privatized data by way of future datasets that we never predicted, IT capacities that we cannot yet envision, and other difficult-to-predict circumstances.\n\n\nThe Way Forward: Expanding Moral Capacity\n\n\nActionable strategies include tools to help consumers make informed decisions. 
Again, using the lens of bounded ethicality, I propose possible areas of intervention, but such strategies cannot completely solve moral problems or guarantee “right” moral choices; rather, they can support ethical action by redirecting attention and resources, including personal, organizational, institutional, and even technological, to spaces of moral risk, and expand capacity in those areas.\n\n\nInnovate in Comprehension and Decision Support\n\n\nSince DNA marketplaces ask users to perform complex mental tasks, including analytic, abstraction, anticipatory, and calculative work in decisions about sharing, privacy, future risks, and personal benefit. Bounded ethicality points to the need for more assistance so that consumers are not too limited when making important decisions. Significant research discusses the challenges of consent as well as possibilities for addressing them.[21] And while I advocate the use of decisional, visualization, and simulation tools to support consumers at crucial moral moments, literature in the social sciences and humanities make the dangers of expecting technology to solve all challenges clear.[22] Instead, I am advancing a vision of how today’s technologies can be designed to support the structural interventions needed to advance justice and equity.[23]\n\n\nLead with Limitations\n\n\nSubstantial empirical data show that in the face of goals that we, as moral agents, really want to achieve, we enact what many refer to as “willful blindness,” sidelining moral considerations.[24] Ethics supports would then involve leading by introducing potential limitations through marketing, communication, explanations, consent processes, etc. Leading with limitations may be the only way that users cognitively “register” the downsides of given options. 
Companies need to overstate the limitations of their platform’s security, the exceptional vulnerability of all digital data, the prospect that sharing their data may not lead to potential, specific cures, and the possibility that market demands may impact the company’s future practices or unravel its present policies. While this may seem counterproductive to current business goals, the very emergence of DNA marketplaces selling themselves as equitable and just alternatives to older models suggests that ethical practice can increasingly be seen as a selling point for some companies.\n\n\nWhile bounded ethicality supports enhancing the capacity of users (say, overemphasizing that which data shows we are psychologically prone to tune out), the model also requires migration away from an ethics powered mostly by sole subjects. Ethics strategies that load most of the moral risk onto individuals via the consent process, the self-report, or “honor systems” discharge too much moral labor onto a single subject, often imagined to have indefatigable capacities. Instead, the view proposed here would ask companies to do more to prevent or decrease the risk of a breach of privacy, unexpected later use of data, and reidentification. Companies should use more systems, personnel, practices, and tools to help shoulder the risks.  Regulatory frameworks such as the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR), and the Genetic Information Nondiscrimination Act (GINA) provide important protections and set meaningful legal baselines. 
But as technologies and data practices evolve, ethics strategies can be a key site for anticipating emerging forms of risk and responsibility that may fall outside current regulatory scope.\n\n\nEthics Beyond Individual Platforms\n\n\nDNA marketplaces are also subject to concerns that genetic data, accessible through genetic databases of various types, could be used for deleterious purposes – to make claims, for example, about the genetic superiority of certain groups over others. LunaDNA addressed this by creating a data access committee that would grant research rights only to parties engaged in health research. Again, solutions have focused on the individual company level. But by requiring us to address and compensate for limits on ethical decision making, the approach described involves thinking beyond the self in much the way thinking about accessibility involves thinking about assistance at both technological and structural levels.[25]\n\n\nThere have been increasing efforts to build collaborations across the private sector genomics industry for addressing ethics and policy issues.[26]  Such approaches would multiply the power of efforts at the level of individual companies. For example, creating a common database of suspicious or declined data access requests, accessible by all DNA marketplace companies, could help protect against nefarious uses and users and facilitate collective moral problem-solving. Responsibility should be distributed widely and across actors, since relying on individual moral exemplars (who leave), company cultures (which change), or terms of service (which ignore out-platform problems) puts too many of one’s ethical eggs in one basket. 
Thinking beyond individual moral agents in ethics breeds strategies that go beyond individual executives, platforms, policies, and even users.\n\n\nApplying empirical data about limitations on ethical decision making leads to solutions that empower consumers and individual companies by eliminating the limitations that impede high-quality moral decision making (unbinding the ethicality). Because DNA marketplace platforms like LunaDNA have specifically sold themselves as a more ethical alternative to older models, they are an ideal place from which to build these approaches.\n\n-\n\n\n[1] Robert E. Litan, Lesa Mitchell, and E.J. Reedy, “The University As Innovator: Bumps in the Road,” Issues in Science and Technology 23.4 (2007); Jordan Eidlisz, Isabelle von Simson, and Gabrielle Gold-von Simson, “Exploring the current state of technology transfer in the United States: perspectives and improvement strategies from the experts,” Frontiers 9 (2024): doi.org/10.3389/frma.2024.1376185; William R. Meek and Peter T. Gianiodis, “The Death and Rebirth of the Entrepreneurial University Model,” Academy of Management Perspectives 37.1 (2023): doi.org/10.5465/amp.2020.0180.\n\n\n[2] Cathy Hwang et al., “The Lost Promise of Private Ordering.” Cornell L. Rev. 109 (2023-2025): 1-61. https://publications.lawschool.cornell.edu/lawreview/2024/01/30/the-lost-promise-of-private-ordering/\n\n\n[3] Alexis Walker, “Diversity, Privacy, Profit: An Empirical Study of Industry Employees’ Views on Ethics in Private Sector Genomics,” AJOB Empirical Bioethics 13(2022):166-178. https://doi:10.1080/23294515.2022.206399; Elizabeth Adetiba and Alexis Walker, “‘Forget the Age of HIPAA and Lean Into The Age of Consumer Privacy’: Exploring Ethics and Responsibility among Private Sector Genomics Leaders Using Group Interviews.” New Genetics & Society. 
Forthcoming.\n\n\n[4] LunaPBC, “LunaPBC Raises $4.6 Million to Accelerate Company Growth and Drive Health Breakthroughs,” PR Newswire (2019), https://www.prnewswire.com/news-releases/lunapbc-raises-4-6-million-to-accelerate-company-growth-and-drive-health-breakthroughs-300846139.html;  Innovations of the World, “LunaDNA: The World’s First People-Powered Health Data Platform,” Innovations of the World (n.d.), https://innovationsoftheworld.com/lunadna/; LunaPBC and Genetic Alliance, “Genetic Alliance and LunaPBC Partner to Support Personal Health and Accelerate Medical Breakthroughs,” PR Newswire (2018), https://www.prnewswire.com/news-releases/genetic-alliance-and-lunapbc-partner-to-support-personal-health-and-accelerate-medical-breakthroughs-300781275.html.\n\n\n[5] Molteni, Megan. “These DNA Startups Want to Put All of You on the Blockchain.” Wired (2018), https://www.wired.com/story/these-dna-startups-want-to-put-all-of-you-on-the-blockchain.\n\n\n[6] Ben Herschler, “Cashing in on DNA: Race on to Unlock Value in Genetic Data.” Reuters (2018), https://www.reuters.com/article/us-health-genomics-blockchain/cashing-in-on-dna-race-on-to-unlock-value-in-genetic-data-idUSKBN1KO143\n\n\n[7] U.S. Securities and Exchange Commission, “Offering Circular: LunaDNA, LLC,” Form 253G2 (2018), https://www.sec.gov/Archives/edgar/data/1741687/000119312518340286/d631377dpartiiandiii.htm.\n\n\n[8] Jonathan D. Grinstein, “Total Eclipse of LunaDNA: Once Touted Genome Data Sharing Platform Goes Dark,” Inside Precision Medicine, January 18, 2024, https://www.insideprecisionmedicine.com/topics/precision-medicine/total-eclipse-of-lunadna-once-touted-genome-data-sharing-platform-goes-dark/.\n\n\n[9] Eman Ahmed and Mahsa Shabani, “DNA data marketplace: an analysis of the ethical concerns regarding the participation of the individuals,” Frontiers in Genetics 10 (2019): 10.3389/fgene.2019.01107.\n\n\n[10] Philip A.E. 
Brey, “Anticipatory ethics for emerging technologies,” NanoEthics 6 (2012): 1-13, https://doi.org/10.1007/s11569-012-0141-7.\n\n\n[11] Donna M. Gitter, “Informed consent and privacy of non-identified bio-specimens and estimated data: lessons from Iceland and the United States in an era of computational genomics,” Cardozo Law Review 38.4 (2016); Julie Cook Lucas et al., “Donating human samples: who benefits? Cases from Iceland, Kenya and Indonesia,” in Benfit Sharing, eds. Schroder et al (Springer, 2013), https://doi:10.1007/978-94-007-6205-3_5; Stephen J. O'Brien, “Stewardship of human biospecimens, DNA, genotype, and clinical data in the GWAS era,” Annual Review Of Genomics And Human Genetics 10 (2009): 193-209, 10.1146/annurev-genom-082908-150133.\n\n\n[12] Dolly Chugh and Mary C Kern, “A dynamic and cyclical model of bounded ethicality,” Research in organizational behavior 36 (2016): 85-100, https://doi:10.1016/j.riob.2016.07.002; Dolly Chugh, Max H. Bazerman, and Mahzarin Banaji, “Bounded ethicality as a psychological barrier to recognizing conflicts of interest,” in Conflicts of interest: Challenges and solutions in business, law, medicine, and public policy, eds D. Moore, D. Cain, G. Loewenstein, & M. Bazerman (New York: Cambridge University Press, 2005).\n\n\n[13] Linnea I. Laestadius, Jennifer R. Rich, Paul L. Auer, “All your data (effectively) belong to us: data practices among direct-to-consumer genetic testing firms,” Genetics in Medicine 19 (2017): 513-520.\n\n\n[14] Christi J. Guerrini, Jill O. Robinson, Devan Petersen, and Amy L. McGuire, “Should police have access to genetic genealogy databases? Capturing the Golden State Killer and other criminals using a controversial new forensic technique,” PLOS Biology 16 (2018): 10, doi.org/10.1371/journal.pbio.2006906.\n\n\n[15] Laura M. 
Beskow and Kevin P Weinfurt, “Exploring understanding of “understanding”: the paradigm case of biobank consent comprehension,” The American Journal of Bioethics 19.5 (201): 6-18, 10.1080/15265161.2019.1587031.\n\n\n[16] Lydia O’Sullivan et al., “An evaluation of the process of informed consent: views from research participants and staff,” Trials 22.544 (2021): https://doi.org/10.1186/s13063-021-05493-1.  \n\n\n[17] Muhammad Naveed et al., “Privacy in the Genomic Era,” ACM Computing Surveys 48 (2015): 1-44. doi.org/10.1145/2767007.\n\n\n[18] Ella Corren, “The Consent Burden in Consumer and Digital Markets,” Harvard Journal of Law & Technology 36.2 (2023).\n\n\n[19] David B. Resnik, “Do Informed Consent Documents Matter?” Contemporary Clinical Trials 30, no. 2 (2009): 114–115. (2009), doi:10.1016/j.cct.2008.10.004; Keith Porcaro, “It’s Time to Burn Medical Consent Forms,” Wired (June 16, 2022), https://www.wired.com/story/health-data-consent-forms/.\n\n\n[20] Holly K. Tabor, “My46: a Web-based tool for self-guided management of genomic test results in research and clinical settings,” Genetics in Medicine 19 (2017): 467-475, https://doi:10.1038/gim.2016.133.\n\n\n[21] R. Jean Cadigan, et al, “Online education and e-consent for GeneScreen, a preventive genomic screening study,” Public Health Genomics 20.4 (2017): 235-246, 10.1159/000481359; T.J. Kasperbauer, et al, “Incorporating biobank consent into a healthcare setting: challenges for patient understanding,” AJOB Empirical Bioethics (2020): 113-122, https://doi:10.1080/23294515.2020.1851313; Michelle M. Langer, et al, “Development and validation of a genomic knowledge scale to advance informed decision making research in genomic sequencing,” 2.1(2017): https://doi:10.1177/2381468317692582; Megan Prictor, Harriet J.A. Teare, Jane Kaye, “Equitable participation in biobanks: the risks and benefits of a ‘dynamic consent’ approach,” Front Public Health 6 (2018): 253, 10.3389/fpubh.2018.00253; Harriet J.A. 
Teare, Megan Prictor, and Jane Kaye, “Reflections on dynamic consent in biomedical research: the story so far,” European Journal of Human Genetics 29 (2021): 649-656.\n\n\n[22] Hamid Ekbia et al., “Big data, bigger dilemmas: A critical review,” Advances in Information Science 66.8 (2015): doi.org/10.1002/asi.23294.\n\n\n[23] Melissa S. Creary, “Bounded Justice and the Limits of Health Equity,” Journal of Law, Medicine & Ethics 49.2 (2021): 241-256, https://doi:10.1017/jme.2021.34.\n\n\n[24] Margaret Heffernan, Willful Blindness: Why We Ignore the Obvious at Our Peril. (Walker & Company, 2012).\n\n\n[25] Elvan Dogan Kumtepe et al., “Design based exploration of medical system adoption: Case of wheelchair ramps,” Technology in Society 66 (2021): https://doi.org/10.1016/j.techsoc.2021.101620.\n\n\n[26] BLINDED",
    "topics": [
      "gdpr_compliance",
      "data_broker_surveillance"
    ],
    "painPointTracks": [
      "Data Brokers",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Voices in Bioethics",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4390829176",
    "title": "Balancing Privacy and Progress: A Review of Privacy Challenges, Systemic Oversight, and Patient Perceptions in AI-Driven Healthcare",
    "authors": [
      "S. Williamson",
      "Victor R. Prybutok"
    ],
    "date": "2024",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.3390/app14020675",
    "pdfUrl": "https://www.mdpi.com/2076-3417/14/2/675/pdf?version=1705396255",
    "doi": "https://doi.org/10.3390/app14020675",
    "abstract": "Integrating Artificial Intelligence (AI) in healthcare represents a transformative shift with substantial potential for enhancing patient care. This paper critically examines this integration, confronting significant ethical, legal, and technological challenges, particularly in patient privacy, decision-making autonomy, and data integrity. A structured exploration of these issues focuses on Differential Privacy as a critical method for preserving patient confidentiality in AI-driven healthcare systems. We analyze the balance between privacy preservation and the practical utility of healthcare data, emphasizing the effectiveness of encryption, Differential Privacy, and mixed-model approaches. The paper navigates the complex ethical and legal frameworks essential for AI integration in healthcare. We comprehensively examine patient rights and the nuances of informed consent, along with the challenges of harmonizing advanced technologies like blockchain with the General Data Protection Regulation (GDPR). The issue of algorithmic bias in healthcare is also explored, underscoring the urgent need for effective bias detection and mitigation strategies to build patient trust. The evolving roles of decentralized data sharing, regulatory frameworks, and patient agency are discussed in depth. Advocating for an interdisciplinary, multi-stakeholder approach and responsive governance, the paper aims to align healthcare AI with ethical principles, prioritize patient-centered outcomes, and steer AI towards responsible and equitable enhancements in patient care.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Applied Sciences",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4394790298",
    "title": "Analytical Study of the World's First EU Artificial Intelligence (AI) Act, 2024",
    "authors": [
      "Junaid Sattar Butt"
    ],
    "date": "2024",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.55248/gengpi.5.0324.0914",
    "pdfUrl": "https://doi.org/10.55248/gengpi.5.0324.0914",
    "doi": "https://doi.org/10.55248/gengpi.5.0324.0914",
    "abstract": "The world's first law governing \"artificial inelegance\" has arrived! The emergence of Artificial Intelligence (AI) technologies has prompted a global discourse on the necessity of regulatory frameworks to govern their development and deployment responsibly. With the escalating integration of Artificial Intelligence (AI) technologies into various facets of human life, the imperative for regulatory frameworks has become paramount. On March 13, 2024, the European Parliament formally adopted the EU Artificial Intelligence Act, 2024 (\"AI Act, 2024\") with a large majority of 523-46 votes in favor of the legislation, the first horizontal and standalone legislation dedicated exclusively to AI governance. The AI Act, 2024 represents a watershed moment in global governance, aiming to establish comprehensive guidelines and safeguards for the development, deployment, and use of AI systems across diverse sectors. Through rigorous analysis of the Act's key components, including definitions, principles, obligations, and enforcement mechanisms, this research seeks to elucidate its potential impact on stakeholders, innovation ecosystems, and societal dynamics worldwide. This study employs a multidisciplinary approach to scrutinize the intricate provisions and implications of the AI Act, 2024 encompassing legal, ethical, socio-economic, and technological dimensions. A crucial aspect of this research will be a deep dive into the specific provisions and regulations outlined in the AI Act, 2024 and will explore how the Act tackles the identification and mitigation of \"inelegant biases\" within AI systems. Additionally, the research will analyze the AI Act, 2024's requirements for explain-ability in \"inelegant\" AI decisions, ensuring transparency and accountability. The mechanisms established for enforcement and oversight will also be under scrutiny to understand their effectiveness in upholding the Act's regulations. Furthermore, this research endeavors to identify the 
strengths, weaknesses, opportunities, and threats inherent in the AI Act, 2024 considering its adaptability to evolving technological landscapes, its alignment with fundamental human rights principles, and its capacity to foster responsible AI innovation while mitigating risks and disparities. This research will contribute valuable insights to ongoing discussions about navigating the complexities of artificial intelligence in a responsible and ethical manner.",
    "topics": [
      "ai_governance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "International Journal of Research Publication and Reviews",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4281262808",
    "title": "How to keep text private? A systematic review of deep learning methods for privacy-preserving natural language processing",
    "authors": [
      "Samuel Sousa",
      "Roman Kern"
    ],
    "date": "2022",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1007/s10462-022-10204-6",
    "pdfUrl": "https://link.springer.com/content/pdf/10.1007/s10462-022-10204-6.pdf",
    "doi": "https://doi.org/10.1007/s10462-022-10204-6",
    "abstract": "Deep learning (DL) models for natural language processing (NLP) tasks often handle private data, demanding protection against breaches and disclosures. Data protection laws, such as the European Union’s General Data Protection Regulation (GDPR), thereby enforce the need for privacy. Although many privacy-preserving NLP methods have been proposed in recent years, no categories to organize them have been introduced yet, making it hard to follow the progress of the literature. To close this gap, this article systematically reviews over sixty DL methods for privacy-preserving NLP published between 2016 and 2020, covering theoretical foundations, privacy-enhancing technologies, and analysis of their suitability for real-world scenarios. First, we introduce a novel taxonomy for classifying the existing methods into three categories: data safeguarding methods, trusted methods, and verification methods. Second, we present an extensive summary of privacy threats, datasets for applications, and metrics for privacy evaluation. Third, throughout the review, we describe privacy issues in the NLP pipeline in a holistic view. Further, we discuss open challenges in privacy-preserving NLP regarding data traceability, computation overhead, dataset size, the prevalence of human biases in embeddings, and the privacy-utility tradeoff. Finally, this review presents future research directions to guide successive research and development of privacy-preserving NLP models.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Artificial Intelligence Review",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2898564584",
    "title": "Hidebehind",
    "authors": [
      "Jianwei Qian",
      "Haohua Du",
      "Jiahui Hou",
      "Linlin Chen",
      "Taeho Jung",
      "Xiang‐Yang Li"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1145/3274783.3274855",
    "pdfUrl": "https://dl.acm.org/doi/pdf/10.1145/3274783.3274855",
    "doi": "https://doi.org/10.1145/3274783.3274855",
    "abstract": "We are speeding toward a not-too-distant future when we can perform human-computer interaction using solely our voice. Speech recognition is the key technology that powers voice input, and it is usually outsourced to the cloud for the best performance. However, user privacy is at risk because voiceprints are directly exposed to the cloud, which gives rise to security issues such as spoof attacks on speaker authentication systems. Additionally, it may cause privacy issues as well, for instance, the speech content could be abused for user profiling. To address this unexplored problem, we propose to add an intermediary between users and the cloud, named VoiceMask, to anonymize speech data before sending it to the cloud for speech recognition. It aims to mitigate the security and privacy risks by concealing voiceprints from the cloud. VoiceMask is built upon voice conversion but is much more than that; it is resistant to two de-anonymization attacks and satisfies differential privacy. It performs anonymization in resource-limited mobile devices while still maintaining the usability of the cloud-based voice input service. We implement VoiceMask on Android and present extensive experimental results. The evaluation substantiates the efficacy of VoiceMask, e.g., it is able to reduce the chance of a user's voice being identified from 50 people by a mean of 84%, while reducing voice input accuracy no more than 14.2%.",
    "topics": [
      "data_anonymization",
      "linkability_tracking"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Re-identification"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4225256467",
    "title": "The European risk-based approaches: Connecting constitutional dots in the digital age",
    "authors": [
      "Giovanni De Gregorio",
      "P M Dunn"
    ],
    "date": "2022",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.54648/cola2022032",
    "pdfUrl": "https://cris.unibo.it/bitstream/11585/880964/1/COLA_59_02_De_Gregorio___Dunn.pdf",
    "doi": "https://doi.org/10.54648/cola2022032",
    "abstract": "In recent years, risk has become a proxy and a parameter characterizing EU regulation of digital technologies. Nonetheless, EU risk-based regulation in the digital age is multi-faceted in the approaches it takes. This article considers three examples: the General Data Protection Regulation; the proposal for the Digital Services Act; and the proposal for the Artificial Intelligence Act. These three instruments move across a spectrum, from a bottom-up approach (the GDPR) to a top-down architecture (the AI Act), going through an intermediate stage (the DSA). It is argued, however, that despite the different methods, the three instruments share a common objective and project: they all seek to guarantee an optimal balance between innovation and the protection of rights, in line with the developing features of European (digital) constitutionalism. Through this lens, it is thus possible to grasp the “fil rouge” behind the GDPR, the DSA and the AI Act as they express a common constitutional aspiration and direction. Keywords: risk-based approach, EU law, constitutional law, digital constitutionalism, digital technologies",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "Common Market Law Review",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4388439485",
    "title": "Licensing high-risk artificial intelligence: Toward ex ante justification for a disruptive technology",
    "authors": [
      "Gianclaudio Malgieri",
      "Frank Pasquale"
    ],
    "date": "2023",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1016/j.clsr.2023.105899",
    "pdfUrl": "https://doi.org/10.1016/j.clsr.2023.105899",
    "doi": "https://doi.org/10.1016/j.clsr.2023.105899",
    "abstract": "The regulation of artificial intelligence (AI) has heavily relied on ex post, reactive tools. This approach has proven inadequate, as numerous foreseeable problems arising out of commercial development and applications of AI have harmed vulnerable persons and communities, with few (and sometimes no) opportunities for recourse. Worse problems are highly likely in the future. By requiring quality control measures before AI is deployed, an ex ante approach would often mitigate and sometimes entirely prevent injuries that AI causes or contributes to. Licensing is an important tool of ex ante regulation, and should be applied in many high-risk domains of AI. Indeed, policymakers and even some leading AI developers and vendors are calling for licensure in the area. To substantiate licensing proposals, this article specifies optimal terms of licensure for AI necessary to justify its use. Given both documented and potential harms arising out of high-risk AI systems, licensing agencies should require firms to demonstrate that their AI meets clear requirements for security, non-discrimination, accuracy, appropriateness, and correctability before being deployed. Under this ex ante model of regulation, AI developers would bear the burden of proof to demonstrate that their technology is not discriminatory, not manipulative, not unfair, not inaccurate, and not illegitimate in its lawful bases and purposes. While the European Union's General Data Protection Regulation (GDPR) can provide key benchmarks here for ex post regulation, the proposed AI Act (AIA) offers a first regulatory attempt towards an ex ante licensure regime in high-risk areas, but it should be strengthened through an expansion of its scope and substantive content and through greater transparency of the ex ante justification process.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "Computer law & security review",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3108895775",
    "title": "Explainable AI for Interpretable Credit Scoring",
    "authors": [
      "Lara Marie Demajo",
      "Vince Vella",
      "Alexiei Dingli"
    ],
    "date": "2020",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.5121/csit.2020.101516",
    "pdfUrl": "https://doi.org/10.5121/csit.2020.101516",
    "doi": "https://doi.org/10.5121/csit.2020.101516",
    "abstract": "With the ever-growing achievements in Artificial Intelligence (AI) and the recent boosted enthusiasm in Financial Technology (FinTech), applications such as credit scoring have gained substantial academic interest. Credit scoring helps financial experts make better decisions regarding whether or not to accept a loan application, such that loans with a high probability of default are not accepted. Apart from the noisy and highly imbalanced data challenges faced by such credit scoring models, recent regulations such as the 'right to explanation' introduced by the General Data Protection Regulation (GDPR) and the Equal Credit Opportunity Act (ECOA) have added the need for model interpretability to ensure that algorithmic decisions are understandable and coherent. An interesting concept that has been recently introduced is eXplainable AI (XAI), which focuses on making black-box models more interpretable. In this work, we present a credit scoring model that is both accurate and interpretable. For classification, state-of-the-art performance on the Home Equity Line of Credit (HELOC) and Lending Club (LC) Datasets is achieved using the Extreme Gradient Boosting (XGBoost) model. The model is then further enhanced with a 360-degree explanation framework, which provides different explanations (i.e. global, local feature-based and local instance-based) that are required by different people in different situations. Evaluation through the use of functionally-grounded, application-grounded and human-grounded analysis show that the explanations provided are simple, consistent as well as satisfy the six predetermined hypotheses testing for correctness, effectiveness, easy understanding, detail sufficiency and trustworthiness.",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4387171535",
    "title": "Bridging the Transparency Gap: What Can Explainable AI Learn from the AI Act?",
    "authors": [
      "Bálint Gyevnár",
      "Nick Ferguson",
      "Burkhard Schäfer"
    ],
    "date": "2023",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.3233/faia230367",
    "pdfUrl": "https://ebooks.iospress.nl/pdf/doi/10.3233/FAIA230367",
    "doi": "https://doi.org/10.3233/faia230367",
    "abstract": "The European Union has proposed the Artificial Intelligence Act which introduces detailed requirements of transparency for AI systems. Many of these requirements can be addressed by the field of explainable AI (XAI), however, there is a fundamental difference between XAI and the Act regarding what transparency is. The Act views transparency as a means that supports wider values, such as accountability, human rights, and sustainable innovation. In contrast, XAI views transparency narrowly as an end in itself, focusing on explaining complex algorithmic properties without considering the socio-technical context. We call this difference the “transparency gap”. Failing to address the transparency gap, XAI risks leaving a range of transparency issues unaddressed. To begin to bridge this gap, we overview and clarify the terminology of how XAI and European regulation – the Act and the related General Data Protection Regulation (GDPR) – view basic definitions of transparency. By comparing the disparate views of XAI and regulation, we arrive at four axes where practical work could bridge the transparency gap: defining the scope of transparency, clarifying the legal status of XAI, addressing issues with conformity assessment, and building explainability for datasets.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "Frontiers in artificial intelligence and applications",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4400978837",
    "title": "The Privacy of Emotions",
    "authors": [
      "Mateja Đurović",
      "Tommaso Corno"
    ],
    "date": "2024",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.4324/9781003502791-18",
    "pdfUrl": "",
    "doi": "https://doi.org/10.4324/9781003502791-18",
    "abstract": "The exponential growth of technologies driven by artificial intelligence (AI) and their increasing employment in all areas of public and private life has prompted the pursuit of a new milestone in the regulation of technology and data protection in the European Union. Just as the Data Protection Directive in 1995 could not have envisaged the macroscopic growth of the Internet as a place of transfer of data, leading to the enactment of the General Data Protection Regulation (GDPR), the latter could not predict and address the growth of AI and the risks associated with it. This once again has led to a state of regulatory urgency, now being addressed by the discussion of the AI Act in the European Parliament. Within this framework of rapidly developing technologies and attempts to reduce their elusiveness to existing privacy and data protection regulations, emotion recognition AI represents a technology of particular concern due to the scope and nature of its application. Its ability to avoid being caught by the provisions in the GDPR, its potential for consumer manipulation, the dubious scientific basis on which its algorithms rest and its discriminatory outputs are only some of the critical aspects surrounding emotional AI. Bearing this in mind, this chapter provides a comprehensive introduction to the privacy implications of emotional AI, drawing on the academic and political debate surrounding them and evaluating the effectiveness of current data protection frameworks and of the proposed AI act in tackling them.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2892555721",
    "title": "Artificial Intelligence in Medical Diagnoses and the Right to Explanation",
    "authors": [
      "Thomas Hoeren",
      "Martin Niehoff"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.21552/edpl/2018/3/9",
    "pdfUrl": "",
    "doi": "https://doi.org/10.21552/edpl/2018/3/9",
    "abstract": "Artificial intelligence and automation is also finding its way into the healthcare sector with some systems even claiming to deliver better results than human physicians. However, the increasing automation of medical decision-making is also accompanied by problems, such as the question of how the relationship of trust between physicians and patients can be maintained or how decisions can be verified. This is where the right to explanation comes into play, which is enshrined in the General Data Protection Regulation (GDPR). This article explains how the right is derived from the GDPR and how it should be established. Keywords: Data Protection, Privacy, AI, Artificial Intelligence, Algorithm",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.55,
    "venue": "European Data Protection Law Review",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4365513874",
    "title": "PbDinEHR: A Novel Privacy by Design Developed Framework Using Distributed Data Storage and Sharing for Secure and Scalable Electronic Health Records Management",
    "authors": [
      "Farida Habib Semantha",
      "Sami Azam",
      "Bharanidharan Shanmugam",
      "Kheng Cher Yeo"
    ],
    "date": "2023",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.3390/jsan12020036",
    "pdfUrl": "https://www.mdpi.com/2224-2708/12/2/36/pdf?version=1681435595",
    "doi": "https://doi.org/10.3390/jsan12020036",
    "abstract": "Privacy in Electronic Health Records (EHR) has become a significant concern in today’s rapidly changing world, particularly for personal and sensitive user data. The sheer volume and sensitive nature of patient records require healthcare providers to exercise an intense quantity of caution during EHR implementation. In recent years, various healthcare providers have been hit by ransomware and distributed denial of service attacks, halting many emergency services during COVID-19. Personal data breaches are becoming more common day by day, and privacy concerns are often raised when sharing data across a network, mainly due to transparency and security issues. To tackle this problem, various researchers have proposed privacy-preserving solutions for EHR. However, most solutions do not extensively use Privacy by Design (PbD) mechanisms, distributed data storage and sharing when designing their frameworks, which is the emphasis of this study. To design a framework for Privacy by Design in Electronic Health Records (PbDinEHR) that can preserve the privacy of patients during data collection, storage, access and sharing, we have analysed the fundamental principles of privacy by design and privacy design strategies, and the compatibility of our proposed healthcare principles with Privacy Impact Assessment (PIA), Australian Privacy Principles (APPs) and General Data Protection Regulation (GDPR). To demonstrate the proposed framework, ‘PbDinEHR’, we have implemented a Patient Record Management System (PRMS) to create interfaces for patients and healthcare providers. In addition, to provide transparency and security for sharing patients’ medical files with various healthcare providers, we have implemented a distributed file system and two permission blockchain networks using the InterPlanetary File System (IPFS) and Ethereum blockchain. 
This allows us to expand the proposed privacy by design mechanisms in the future to enable healthcare providers, patients, imaging labs and others to share patient-centric data in a transparent manner. The developed framework has been tested and evaluated to ensure user performance, effectiveness, and security. The complete solution is expected to provide progressive resistance in the face of continuous data breaches in the patient information domain.",
    "topics": [
      "gdpr_compliance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "Journal of Sensor and Actuator Networks",
    "language": "en"
  },
  {
    "id": "arxiv:2408.06167",
    "title": "Blind-Match: Efficient Homomorphic Encryption-Based 1:N Matching for Privacy-Preserving Biometric Identification",
    "authors": [
      "Hyunmin Choi",
      "Jiwon Kim",
      "Chiyoung Song",
      "Simon S. Woo",
      "Hyoungshick Kim"
    ],
    "date": "2024-08-12",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2408.06167v2",
    "pdfUrl": "https://arxiv.org/pdf/2408.06167v2",
    "doi": "10.1145/3627673.3680017",
    "abstract": "We present Blind-Match, a novel biometric identification system that leverages homomorphic encryption (HE) for efficient and privacy-preserving 1:N matching. Blind-Match introduces a HE-optimized cosine similarity computation method, where the key idea is to divide the feature vector into smaller parts for processing rather than computing the entire vector at once. By optimizing the number of these parts, Blind-Match minimizes execution time while ensuring data privacy through HE. Blind-Match achieves superior performance compared to state-of-the-art methods across various biometric datasets. On the LFW face dataset, Blind-Match attains a 99.63% Rank-1 accuracy with a 128-dimensional feature vector, demonstrating its robustness in face recognition tasks. For fingerprint identification, Blind-Match achieves a remarkable 99.55% Rank-1 accuracy on the PolyU dataset, even with a compact 16-dimensional feature vector, significantly outperforming the state-of-the-art method, Blind-Touch, which achieves only 59.17%. Furthermore, Blind-Match showcases practical efficiency in large-scale biometric identification scenarios, such as Naver Cloud's FaceSign, by processing 6,144 biometric samples in 0.74 seconds using a 128-dimensional feature vector.",
    "topics": [
      "biometric_surveillance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "International Conference on Information and Knowledge Management",
    "language": "en"
  },
  {
    "id": "s2:02f333f8bd6f387bd562510547f66f43b93f2529",
    "title": "TollsOnly Please—Homomorphic Encryption for Toll Transponder Privacy in Internet of Vehicles",
    "authors": [
      "Hassan Karim",
      "D. Rawat"
    ],
    "date": "2021-02-02",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/02f333f8bd6f387bd562510547f66f43b93f2529",
    "pdfUrl": "https://doi.org/10.1109/jiot.2021.3056240",
    "doi": "10.1109/JIOT.2021.3056240",
    "abstract": "Cities have circumvented privacy norms and deployed sensors to track vehicles via toll transponders (like E-Zpass tags). The ethical problems regarding these practices have been highlighted by various privacy advocacy groups. The industry, however, has yet to implement a standard privacy protection regime to protect users’ data. Furthermore, existing risk management models do not adequately address user-controlled data-sharing requirements. In this article, we consider the challenges of protecting private data in the Internet of Vehicles (IoV) and mobile edge networks. Specifically, we present a privacy risk reduction model for electronic toll transponder data. We seek to preserve driver privacy while contributing to intelligent transportation infrastructure congestion automation schemes. We thus propose TollsOnly, a fully homomorphic encryption protocol. TollsOnly is expected to be a postquantum privacy preservation scheme. It enables users to share specific data with smart cities via blockchain technology. TollsOnly protects driver privacy in compliance with the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act.",
    "topics": [
      "gdpr_compliance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "IEEE Internet of Things Journal",
    "language": "en"
  },
  {
    "id": "s2:f9b0b5b9a6e8aa83e64744a49eb674cf15ecb1af",
    "title": "Privacy-preserving collaborative machine learning in biomedical applications",
    "authors": [
      "Wonsuk Kim",
      "Junhee Seok"
    ],
    "date": "2022-02-21",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/f9b0b5b9a6e8aa83e64744a49eb674cf15ecb1af",
    "pdfUrl": "",
    "doi": "10.1109/ICAIIC54071.2022.9722703",
    "abstract": "Machine learning (ML) algorithms are now widely used to tackle computational problems in diverse domains. In biomedicine, the rapidly growing amounts of experimental data increasingly necessitate the use of ML to discern complex data patterns. However, biomedical data is often considered sensitive, and the privacy of individuals behind the data is increasingly put at risk as a result. Traditional methods such as anonymization and pseudonymization are not always applicable and have limited effectiveness with respect to risk mitigation. Privacy researchers are actively developing alternative approaches to privacy protection, including strategies based on cryptography, such as homomorphic encryption and secure multiparty computation. This paper discusses recent advances in biomedical applications of these privacy techniques. We first review the key privacy techniques, then provide an overview of their applications in biomedical machine learning. Finally, we highlight the remaining challenges of current approaches and suggest directions for future work.",
    "topics": [
      "data_anonymization",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "Digital Signal Processing and Signal Processing Education Workshop",
    "language": "en"
  },
  {
    "id": "s2:01da5756731d72c1283845ab8cb0897b574edca2",
    "title": "Enhanced CyberDART: A Federated and Privacy-Preserving System for Detecting Spam, Phishing and Malware Email",
    "authors": [
      "B. V. Prasad"
    ],
    "date": "2026-01-31",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/01da5756731d72c1283845ab8cb0897b574edca2",
    "pdfUrl": "",
    "doi": "10.22214/ijraset.2026.76862",
    "abstract": "Email is one of the most widely used communication tools, yet it remains a primary vector for cyberattacks such as spam, phishing, and malicious links. Traditional spam filters often fail when organizations operate in isolation, while cross-organization data sharing raises privacy concerns. To address this, the CyberDART framework introduces a federated, privacy-preserving email threat detection system that integrates rule-based filters like Spam Assassin, phishing link and sender verification, and machine learning/NLP methods such as k-Nearest Neighbors (k-NN), hashing, Jaccard similarity, and the Lucene NLP pipeline, orchestrated through the PATCH algorithm for anonymized clustering and similarity analysis. Experiments on the Enron and TREC datasets reported nearly 58% improvement in spam detection accuracy over standalone systems while keeping false positives low. However, CyberDART has several drawbacks and limitations: it is restricted mainly to spam and phishing detection, lacking support for malware attachments and advanced spear-phishing; it faces a privacy–accuracy trade-off due to heavy anonymization; its performance depends strongly on the dataset used; and scalability may suffer under large-scale, real-time traffic. To address these gaps, the system can be enhanced with deep NLP models (e.g., BERT/transformers) for semantic phishing detection, static and dynamic malware analysis for attachment inspection, federated learning to share model updates instead of signatures, and cryptographic techniques such as homomorphic encryption or secure multi-party computation to strengthen privacy. These improvements will transform CyberDART from a spam-centric filter into a comprehensive, privacy-preserving email security framework capable of mitigating spam, phishing, and malware attacks with higher accuracy and broader coverage.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "International Journal for Research in Applied Science and Engineering Technology",
    "language": "en"
  },
  {
    "id": "s2:19970ba36b3ff5f5197a154671b2094595b15364",
    "title": "Exploring How UK Public Authorities Use Redaction to Protect Personal Information",
    "authors": [
      "Yijun Chen",
      "Reuben Kirkham"
    ],
    "date": "2024-03-12",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/19970ba36b3ff5f5197a154671b2094595b15364",
    "pdfUrl": "https://dl.acm.org/doi/pdf/10.1145/3651989",
    "doi": "10.1145/3651989",
    "abstract": "Document redaction has become increasingly important for individuals and organizations. This article investigates public-sector information redaction practices in order to determine if they adequately protect personal information from accidental disclosure due to redaction errors. Despite the importance of this in respect of data protection, 66.4% of those Public Authorities that responded did not hold formal policies or procedures at all. To assess those policies that did exist, we produced a 17-item check list of minimum best practice. Even those with policies and procedures had substantial defects to some degree (with the median performance being 29.4% on our checklist), with policies frequently recommending the use of high-risk redaction methods and overlooking essential practices. This means that these existing practices amount to widespread breaches of data protection law on the ground. To remedy this, we articulate a new set of document redaction standards, which overcome the existing inadequacies in current guidance, as well as make proposals for regulatory reform in this space.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "ACM Transactions on Management Information Systems",
    "language": "en"
  },
  {
    "id": "s2:b88595c0a24ff3d390e6f0a85e133334dbcdf403",
    "title": "Data Privacy: Strategies for Protecting Sensitive Data for OT using Artificial Intelligence",
    "authors": [
      "Manam Karthik Babu, Yugandhar Suthari"
    ],
    "date": "2024-09-30",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/b88595c0a24ff3d390e6f0a85e133334dbcdf403",
    "pdfUrl": "",
    "doi": "10.52710/cfs.628",
    "abstract": "The exponential rise of data in the digital age has enabled huge possibilities for innovation in every field. Although the data surge has its implications with respect to the protection of sensitive information, it also contains high privacy concerns on account of it. In this paper, we discuss how Artificial Intelligence (AI) can be used to better develop privacy-preserving techniques. Finally, we provide a general overview of how differential privacy, federated learning, homomorphic encryption, and anonymization techniques are being used to protect sensitive data with AI-driven mechanisms. Through an analysis of existing frameworks and case studies, we illustrate the effectiveness of these AI strategies in mitigating privacy risks while maintaining data utility for analytical purposes. We support these AI strategies via an analysis of existing frameworks and case studies to prove the efficacy of these AI strategies in reducing privacy risk while maintaining data utility for analytic purposes. In the meantime, we also tackle the open challenges of proper trade-off between data privacy and AI property, i.e. computational overhead, algorithmic factuality and accountability. In this way, our study examines them and offers valuable insights as well as directions for future research about the privacy-preserving landscape. This document aims to contribute to the ongoing torsion on AI and privacy of data while proposing actionable strategies for AI researchers, AI practitioners, and AI policymakers seeking to ensure that sensitive data is in an increasingly connected world.",
    "topics": [
      "data_anonymization",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "Computer fraud & security",
    "language": "en"
  },
  {
    "id": "s2:af8e1ca2600ef617473ca5388c97f3f58db12c21",
    "title": "A Framework for User Biometric Privacy Protection in UAV Delivery Systems with Edge Computing",
    "authors": [
      "Aiting Yao",
      "Shantanu Pal",
      "Chengzu Dong",
      "Xuejun Li",
      "Xiao Liu"
    ],
    "date": "2024-03-11",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/af8e1ca2600ef617473ca5388c97f3f58db12c21",
    "pdfUrl": "",
    "doi": "10.1109/PerComWorkshops59983.2024.10502849",
    "abstract": "The development of intelligent logistics increasingly leads the evolution of future supply chain technology. As an innovative technology in the field of logistics, Unmanned Aerial Vehicles (UAVs) provide efficient, fast and flexible solutions for transportation and delivery. However, the application of UAVs needs to ensure effective identity authentication and the security of the delivery process. Because biometric data (such as fingerprints, facial recognition, iris scans) is highly sensitive personal information. Once stolen or abused, it may lead to serious personal privacy disclosure problems. In this paper, we use differential privacy and diffusion models to implement secure face recognition and identity authentication in edge computing environments for address the privacy issues in UAV delivery. The UAVs collect the user’s biometric data through edge computing nodes during delivery, and uses a diffusion model for secure transmission to protect user privacy. The edge computing node at the receiving end performs face recognition and authentication to ensure that only legitimate users can accept the delivery. Our study not only improves the accuracy of user identity authentication, but also protects the privacy of users.",
    "topics": [
      "biometric_surveillance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Biometric & Immutable PII"
    ],
    "relevanceScore": 0.55,
    "venue": "2024 IEEE International Conference on Pervasive Computing and Communications Workshops and other Affiliated Events (PerCom Workshops)",
    "language": "en"
  },
  {
    "id": "s2:0d4a0ed5da90c0d42277d82c90b289be9e3c69be",
    "title": "Prohibited practice of Clearview AI, Inc. regarding online facial recognition of photo images",
    "authors": [
      "D. Bulgakova"
    ],
    "date": "2025-07-25",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/0d4a0ed5da90c0d42277d82c90b289be9e3c69be",
    "pdfUrl": "",
    "doi": "10.37566/2707-6849-2025-2(51)-4",
    "abstract": "Identification through biometric data is important in a digital environment. The problem arises when such data is used for monitoring and profiling without the knowledge and consent of users by representatives of the private sector. To clarify this issue, an assessment of the legal aspects is proposed, using Clearview AI, Inc. as an example. The results obtained are important for understanding the practical application of the relevant prohibition and legal consequences in the context of the GDPR regarding the lawfulness of processing biometric data without a legal basis.\nKeywords: personal data, unique identification, biometric data processing, General Data Protection Regulation (GDPR).",
    "topics": [
      "gdpr_compliance",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Slovo of the National School of Judges of Ukraine",
    "language": "en"
  },
  {
    "id": "s2:5db1a0c1ea7e9b517ce62b190e222641ea6e97e2",
    "title": "Data quality, provenance and transparency in real-world data : Aligning quality standards with data governance legal frameworks",
    "authors": [
      "Puja Myles",
      "Eleanor Axson",
      "C. Mitchell"
    ],
    "date": "2025-11-12",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/5db1a0c1ea7e9b517ce62b190e222641ea6e97e2",
    "pdfUrl": "",
    "doi": "10.69554/pggw3813",
    "abstract": "There have been numerous papers discussing data quality and data protection independently, but there has been little discussion on how data quality relates to data protection and other data governance regulatory frameworks. This paper is a step towards addressing that gap and makes the case for why data quality is relevant for data protection and legal compliance professionals. Real-world data in the context of healthcare refers to data that is routinely collected in the course of delivering healthcare. From a data protection regulatory perspective, Article 5 of the General Data Protection Regulation (GDPR) lists data accuracy as one of the principles for data processing. The recently adopted European Union Artificial Intelligence Act (EU AI Act) Article 10 outlines requirements for data and data governance, specifically quality criteria for datasets used to train, test and validate high-risk AI models to address concerns around algorithmic bias due to biases in the training data. The Standards for Data Diversity, Inclusivity and Generalisability (STANDING) Together consensus recommendations for dataset curators on transparency in dataset documentation enable an informed assessment of the suitability of data and examination of biases, for development of AI health technologies. This includes information on data provenance, modifications, sociodemographic composition and bias assessment findings. The Clinical Practice Research Datalink (CPRD) database is used to illustrate how these recommendations can be implemented in a practical way using unique identifiers such as digital object identifiers (DOIs), metadata, published data resource profiles with sociodemographic information and data quality assessments using validation and comparability studies. 
There is considerable alignment between established scientific standards, medical product regulatory and data governance legal requirements on data quality, as well as emerging international consensus which will reduce the compliance burden on curators and users of real-world data. This article is also included in The Business & Management Collection which can be accessed at https://hstalks.com/business/.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "Journal of Data Protection & Privacy",
    "language": "en"
  },
  {
    "id": "s2:5705ee91882283af33ed12ac33450160cdffcd1f",
    "title": "An Anonymization Service for Privacy in Data Mining",
    "authors": [
      "Matheus Silveira",
      "Danielle Santos",
      "Michael S. Souza",
      "Douglas Silva",
      "Maria Mesquita",
      "Jonas Neto",
      "Rafael Lopes Gome"
    ],
    "date": "2023-10-16",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/5705ee91882283af33ed12ac33450160cdffcd1f",
    "pdfUrl": "",
    "doi": "10.1145/3615366.3625074",
    "abstract": "Anonymization techniques play a key role in protecting data privacy, especially in a context where more and more personal information is collected and processed. Although anonymization techniques are considered a crucial approach to comply with the aforementioned aspects of privacy laws, these existing anonymization techniques allow for different levels of anonymization, which can change the context of the data, making it impossible to apply smart solution techniques. Within this context, this article presents a cloud service for anonymizing data according to the type of data identified. In addition to the application of existing techniques, the algorithm Clustering Permutation for data Anonymization (CPA) is proposed. Results of experiments using a real cloud environment suggest that the proposed solution is adequate to protect data through data anonymization.",
    "topics": [
      "data_anonymization",
      "enterprise_privacy_ops"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "Latin-American Symposium on Dependable Computing",
    "language": "en"
  },
  {
    "id": "s2:1433b94cc2d4c19d1d5e625ddcaa4574ecdee68f",
    "title": "De-Anonymizing Users across Rating Datasets via Record Linkage and Quasi-Identifier Attacks",
    "authors": [
      "Nicolás Torres",
      "Patricio Olivares"
    ],
    "date": "2024-05-27",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/1433b94cc2d4c19d1d5e625ddcaa4574ecdee68f",
    "pdfUrl": "https://www.mdpi.com/2306-5729/9/6/75/pdf?version=1716801034",
    "doi": "10.3390/data9060075",
    "abstract": "The widespread availability of pseudonymized user datasets has enabled personalized recommendation systems. However, recent studies have shown that users can be de-anonymized by exploiting the uniqueness of their data patterns, raising significant privacy concerns. This paper presents a novel approach that tackles the challenging task of linking user identities across multiple rating datasets from diverse domains, such as movies, books, and music, by leveraging the consistency of users’ rating patterns as high-dimensional quasi-identifiers. The proposed method combines probabilistic record linkage techniques with quasi-identifier attacks, employing the Fellegi–Sunter model to compute the likelihood of two records referring to the same user based on the similarity of their rating vectors. Through extensive experiments on three publicly available rating datasets, we demonstrate the effectiveness of the proposed approach in achieving high precision and recall in cross-dataset de-anonymization tasks, outperforming existing techniques, with F1-scores ranging from 0.72 to 0.79 for pairwise de-anonymization tasks. The novelty of this research lies in the unique integration of record linkage techniques with quasi-identifier attacks, enabling the effective exploitation of the uniqueness of rating patterns as high-dimensional quasi-identifiers to link user identities across diverse datasets, addressing a limitation of existing methodologies. We thoroughly investigate the impact of various factors, including similarity metrics, dataset combinations, data sparsity, and user demographics, on the de-anonymization performance. This work highlights the potential privacy risks associated with the release of anonymized user data across diverse contexts and underscores the critical need for stronger anonymization techniques and tailored privacy-preserving mechanisms for rating datasets and recommender systems.",
    "topics": [
      "data_anonymization",
      "linkability_tracking"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Re-identification"
    ],
    "relevanceScore": 0.55,
    "venue": "International Conference on Data Technologies and Applications",
    "language": "en"
  },
  {
    "id": "s2:bbb09bfc3645ccef93ecd82a053bd68ee8a1c10c",
    "title": "A Secured Artificial Intelligence (AI) Assisted Personal Data Prediction and Leakage Prevention System Using Deep Learning Logic",
    "authors": [
      "Divyapriya S",
      "P. Neelaveni",
      "R. Sankar",
      "V. Mythily",
      "C. S. Lakshmi",
      "N. Vani"
    ],
    "date": "2025-10-09",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/bbb09bfc3645ccef93ecd82a053bd68ee8a1c10c",
    "pdfUrl": "",
    "doi": "10.1109/ICECONF65644.2025.11379512",
    "abstract": "Securing personal data against prediction misuse and leakage threats has emerged as a pressing concern in the era of artificial intelligence. The paper suggests an AI-Assisted Secured Personal Data Prediction and Leakage Prevention System, which combines a hybrid CapsuleNetxGBoost-based system with federated privacy/differentiated privacy models. Data preprocessing includes sanitization, anonymization and synthetic data generation to make sure privacy is preserved. The CapsuleNet extracts hierarchical relationships in sensitive attributes, whereas XGBoost narrows down predictive decision-making. In order to protect against attacks further, adversarial training and immutable logging based on blockchain is added, and homomorphic encryption is also used to process queries securely. The experimental results indicate that the given method is notably superior to traditional deep learning models. In particular, it had a prediction accuracy of 98.6 (a higher score than CNN, 93.5), a precision of 98.3, a recall of 98.8, and F1-score of 98.5. Strongness against adversarial examples and leakage probability were higher than 94 and 2.1 respectively under a rigorous privacy constraint $(\\varepsilon=1.2)$. The Data Leakage Risk Index (DLRI), which was assisted by AI, also allowed identifying insider threats and abnormal access patterns in a dynamic way. Finally, the proposed model is not only more predictive accurate, but also resists leakage and adversarial exploitation. It has had wide applications in sensitive areas like health care, financial services and e-governance. Future studies will be aimed at extending the architecture by adding quantum-resistant-based encryption, reinforcement-based adaptive access control, as well as extending the DLRI architecture to multi-cloud and IoT-based settings. This paper takes the secure AI frameworks a step further to predictive intelligence and privacy protection.",
    "topics": [
      "data_anonymization",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "2025 2nd International Conference on Artificial Intelligence and Knowledge Discovery in Concurrent Engineering (ICECONF)",
    "language": "en"
  },
  {
    "id": "doaj:b9e325e30b7942c9a5e2a8ab85408142",
    "title": "THE DIGITAL PERSONAL DATA PROTECTION ACT OF 2023:",
    "authors": [
      "Shubham Saurabh"
    ],
    "date": "2024",
    "platform": "doaj",
    "sourceUrl": "https://ijlcw.emnuvens.com.br/revista/article/view/84",
    "pdfUrl": "",
    "doi": "10.54934/ijlcw.v3i2.84",
    "abstract": "The Digital Personal Data Protection Act of 2023 is a landmark piece of legislation that safeguards individual privacy rights and strengthens data security. It emphasizes the power of individuals over their personal data by introducing the concepts of consent, data minimization, and the right to be forgotten. The Act also impacts businesses by imposing obligations on data controllers and processors, requiring them to implement effective data protection frameworks and procedures. The Establishment of the Data Protection Board of India as the Central Watchdog will be crucial in enforcing the Act. This research paper examines the power given to people over their personal data and its impact on business compliance and operational changes on data controllers, given the penalties for non-compliance. The analysis concludes that the Digital Personal Data Protection Act of 2023 serves as a beacon for privacy rights and data protection in the digital world.\n\n\n__________\n\n\nLa Ley de Protección de Datos Personales Digitales de 2023 es una legislación histórica que protege los derechos de privacidad individual y refuerza la seguridad de los datos. Destaca el poder de las personas sobre sus datos personales mediante la introducción de conceptos como el consentimiento, la minimización de datos y el derecho al olvido. La Ley también afecta a las empresas al imponer obligaciones a los controladores y procesadores de datos, exigiéndoles implementar marcos y procedimientos efectivos de protección de datos. La creación de la Junta de Protección de Datos de la India como el organismo central de supervisión será crucial para la aplicación de la Ley. Este trabajo de investigación analiza el poder otorgado a las personas sobre sus datos personales y su impacto en el cumplimiento empresarial, así como los cambios operativos para los controladores de datos, dados los riesgos de sanciones por incumplimiento. 
El análisis concluye que la Ley de Protección de Datos Personales Digitales de 2023 se erige como un faro para los derechos de privacidad y la protección de datos en el mundo digital.\n\n\n__________\n\n\n《2023年数字个人数据保护法》是一部具有里程碑意义的法律，旨在保障个人隐私权并加强数据安全。通过引入同意、数据最小化和被遗忘权等概念，该法强调个人对其个人数据的掌控权。该法还对企业产生影响，要求数据控制者和处理者履行义务，实施有效的数据保护框架和程序。印度数据保护委员会的设立作为中央监管机构，对于推动该法的实施至关重要。本文研究了该法赋予个人的数据掌控权，以及其对企业合规性和数据控制者运营变革的影响，尤其是在违反规定的处罚风险下。分析得出结论，《2023年数字个人数据保护法》是数字世界中隐私权和数据保护的灯塔。",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "International Journal of Law in Changing World",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2994279415",
    "title": "Nivel adecuado para transferencias internacionales de datos",
    "authors": [
      "Miguel Recio Gayo"
    ],
    "date": "2019",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.18800/derechopucp.201902.007",
    "pdfUrl": "http://revistas.pucp.edu.pe/index.php/derechopucp/article/download/21472/21114",
    "doi": "https://doi.org/10.18800/derechopucp.201902.007",
    "abstract": "As a concept, the adequate level of protection for international data transfers remains to some extent unknown and, in the case of the European Union, with regard to Directive 95/46/EC, already repealed, its content has been specified by the General Data Protection Regulation (GDPR). Its origin is, in the pre-digital era, in international instruments on the protection of personal data and its most relevant development has occurred in the European Union, until reaching the case of the adequacy decision of Japan, which is the first adopted after 25 of May of 2018, which shows the practical application of the elements required under the GDPR. Other countries, particularly in Latin America, have also included the concept of&nbsp;adequate level in their data protection laws. Although the adequate level is only one of the instruments for international data transfers, the differences that may arise, between countries or regions, as to which countries have an adequate level of protection for international data transfer could lead toconsider whether a multilateral standard that facilitates the latter is advisable. In any case, it should also be considered that the adequacy model is one of the instruments for the international transfer of data, but not the only one, since there may be other mechanisms to apply adequate and effective data protection protections.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "Derecho PUCP",
    "language": "es"
  },
  {
    "id": "https://openalex.org/W3131382364",
    "title": "THE INFLUENCE OF NEW TECHNOLOGIES ON THE PROTECTION OF PERSONAL DATA WITHIN THE FRAMEWORK OF THE EPIDEMIC COVID-19",
    "authors": [
      "María Teresa Heredero Campo"
    ],
    "date": "2021",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.46294/ulplr-rdulp.v14i4.7472",
    "pdfUrl": "https://revistas.ulusofona.pt/index.php/rfdulp/article/download/7472/4434",
    "doi": "https://doi.org/10.46294/ulplr-rdulp.v14i4.7472",
    "abstract": "SUMMARY Legislators legislate as needs arise; it is the present moment and society itself, through its demands, which sets the path and provides them with the keys as to what matters to legislate on and what aspects need to be developed in greater detail. Contemporary societies try, with greater or lesser success, to adapt to the changes that are taking place, both those reflected in daily customs and habits, and those related to the generation, dissemination and use of information and knowledge. Today's society consumes and handles an excessive volume of information and data, often without assessing its veracity or analysing the source from which it comes, without considering the importance of the data it provides at any given time, and much less thinking about the consequences that misuse of such data may have for privacy, for example. These are issues that, despite being the order of the day, have already given cause for concern. A fact that is reflected in an increasingly prolix jurisprudence. An example of this, as we will have the opportunity to point out below, is the SAN of 6 April 2018, which, with regard to the problems that arise in relation to medical records, highlights the importance of defending the right to the protection of personal data and the need to obtain consent in an appropriate manner. In these times of pandemic, it is important to seek a suitable approach and to know some fundamental aspects of the aforementioned right to data protection, starting from such extremely important concepts as: personal data or consent itself. Moreover, the development of this right, so much questioned lately due to the use of COVID applications, in terms of the possible effects on privacy or image, or any of the controversies that are arising around data protection in the management of the coronavirus, almost forces us to think about its limits. 
In this respect, we must bear in mind that many of the answers to the questions that are being raised about the problems associated with current practices lie in the legitimising bases of data processing. In this study, I conclude that despite the great importance of some personality rights, including privacy, honour or self-image, and among which is the right to data protection, the right that deserves the greatest protection is the right to life. Let us not forget that the function of law is to serve the person to whom the reason for its existence must be attributed. KEY WORDS Law and New Technologies; Data Protection; Fundamental Rights; Personality Rights; Data Protection; Right to privacy; Right to honour; Right to image; General Data Protection Regulation (GDPR); Organic Law on Data Protection and Guarantee of Digital Rights (LOPDyGDD); COVID-19 (Coronavirus).",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.55,
    "venue": "ULP Law Review",
    "language": "en"
  },
  {
    "id": "hal:5062874",
    "title": "Règlement européen sur l’intelligence artificielle, le jour d’après",
    "authors": [
      "Dominique Desbois"
    ],
    "date": "2025-05-06",
    "platform": "hal",
    "sourceUrl": "https://hal.inrae.fr/hal-05062874v1",
    "pdfUrl": "https://hal.inrae.fr/hal-05062874/document",
    "doi": "10.4000/13vhs",
    "abstract": "Entré en vigueur à compter du 1 er août 2024, le Règlement européen sur l'intelligence artificielle entend favoriser le développement de l'intelligence artificielle (IA) et son déploiement responsable au sein de l'Union européenne (UE), conjointement aux autres législations promulguées par la précédente mandature de la Commission européenne encadrant le secteur du numérique (Data Act, Data Governance Act, Digital Services Act, Digital Market Act et RGPD) : L’Europe en recherche de gains de productivité Un second souffle pour les investissements en intelligence artificielle Une régulation à dimension européenne sur l’intelligence artificielle La dynamique d’accélération des investissements en intelligence artificielle générative Retour sur investissements et logique de financement Des avancées techniques à l’apprentissage de plus en plus coûteux De légitimes inquiétudes concernant les développements et usages de l’IA générative",
    "topics": [
      "jurisdiction_regulatory",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "Terminal. Technologie de l’information, culture & société",
    "language": "fr"
  },
  {
    "id": "https://openalex.org/W7128487500",
    "title": "Faciliter la circulation des données dans le contexte particulier de l’IA : la règlementation européenne à l’épreuve",
    "authors": [
      "Thomas Dautieu"
    ],
    "date": "2026",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.3917/i2d.252.0028",
    "pdfUrl": "",
    "doi": "https://doi.org/10.3917/i2d.252.0028",
    "abstract": "Le corpus européen en matière de protection des données à caractère personnel apparaît souvent comme un frein à la circulation des données et plus indirectement à l’innovation, et ce, dans un monde de plus en plus compétitif dans le domaine du numérique. Alors qu’il est reproché à l’Europe de restreindre la possibilité d’entreprendre et de créer, la Commission européenne produit un certain nombre de textes à valeur contraignante pour organiser le marché des données personnelles. En complément du Règlement général sur la protection des données (RGPD), le « paquet numérique » introduit le Data Act et le Data Governance Act . Parallèlement, l’essor fulgurant de l’IA a conduit le législateur européen à venir réguler cette technologie, afin de garantir la prise en compte des intérêts et des droits fondamentaux. Cet encadrement pourrait laisser croire à une volonté d’entraver la circulation des données : il vise au contraire à en assurer la maîtrise, et ce de façon durable. On doit aussi noter une volonté de la Commission de procéder à des ajustements destinés à simplifier ce corpus normatif, jugé trop complexe.",
    "topics": [
      "jurisdiction_regulatory",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "I2D - Information données & documents",
    "language": "fr"
  },
  {
    "id": "https://openalex.org/W2901993237",
    "title": "W sprawie obowiązków posła jako administratora w kontekście ogólnego rozporządzenia o ochronie danych (RODO)",
    "authors": [
      "Beata Bińkowska-Artowicz"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.31268/ps.2018.22",
    "pdfUrl": "http://orka.sejm.gov.pl/przeglad.nsf/LiczOpen?OpenAgent&45E480AE489B3F13C125834B0036C506",
    "doi": "https://doi.org/10.31268/ps.2018.22",
    "abstract": "The opinion contains an analysis of duties of a Deputy as an administrator within the meaning of the General Data Protection Regulation (GDPR). The problem of a consent to data processing by the Deputy's offi ce is discussed herein, as well as its features on the basis of GDPR and the guidelines by Article 29 Data Protection Working Party and issues related to obtaining the consent of the person, whose personal data is to be processed. Matters related to protecting data are also presented. It is pointed that the control of implementing the GDPR is based on the provisions of the national law (the act on personal data protection).",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Przegląd Sejmowy",
    "language": "pl"
  },
  {
    "id": "https://openalex.org/W2940613859",
    "title": "The protection of customer personal data as an element of entrepreneurs’ ethical conduct",
    "authors": [
      "Ewa Kulesza"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.18778/1899-2226.21.7.02",
    "pdfUrl": "https://czasopisma.uni.lodz.pl/annales/article/download/4554/4010",
    "doi": "https://doi.org/10.18778/1899-2226.21.7.02",
    "abstract": "The right to the protection of personal data, which is part of the right to privacy, is a fundamental human right. Thus, its guarantees were included in the high-level regulations of the European Union as well as the legal norms of the EU Member States. The first Polish law regulating the protection of personal data was adopted in 1997 as the implementation of EU Directive 95/46. The law imposed a number of obligations on public and private entities which process personal data in order to protect the rights of data subjects and, in particular, to guarantee them the ability to control the correctness of processing of their personal data. Therefore, the law obliged data controllers to process data only on the basis of the premises indicated in the legislation, to adequately secure data, and to comply with the disclosure obligation concerning data subjects, including their right to correct false or outdated data or to request removal of data processed in violation of the law. However, as complaints directed by citizens to the supervisory body—the Inspector General for Personal Data Protection—showed, personal data controllers, especially those operating in the private sector, did not comply with the law, acting in a manner that violated their customers’ rights. 
In the hitherto existing unfair business practices of entrepreneurs, the violations of the data protection provisions that were the most burdensome for customers were related to preventing them from exercising their rights, including the right to control the processing of data, as well as the failure to provide the controller’s business address, which made it impossible for subjects whose data were used in violation of the law or for the inspecting authorities to contact the company, a lack of data security and a failure to follow the procedures required by law, the failure to secure documents containing personal data or their abandonment, a lack of updating customer data, the use of unverified data sets and sending marketing offers to deceased people or incorrect target recipients, and excessive amounts of data requested by controllers. The violations of the rights of data subjects recorded in Poland and other EU Member States—among other arguments—provided inspiration for the preparation of a new legal act in the form of the EU General Data Protection Regulation (GDPR) (which entered into force on 25 May 2018). The extension of the rights of people whose data are processed was combined in the GDPR with the introduction of new legal instruments disciplining data controllers. Instruments in the form of administrative fines and the strongly emphasised possibility to demand compensation for a violation of the right to data protection were directed in particular against economic entities violating the law.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Annales Etyka w życiu gospodarczym",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W7118635275",
    "title": "DOSSIÊ ÚNICO DE RESPONSABILIZAÇÃO SISTÊMICA Tratamento de Dados Pessoais, Omissão de Accountability e Parâmetros Técnicos Pré‑Existentes (LGPD + NIST)",
    "authors": [
      "DANIEL MORAES CORONEL PALMA",
      "Croatian Personal Data Protection Agency",
      "Production and Archive of Social Science Data",
      "Stiftung Datenschutz"
    ],
    "date": "2026",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.5281/zenodo.18160414",
    "pdfUrl": "https://doi.org/10.5281/zenodo.18160414",
    "doi": "https://doi.org/10.5281/zenodo.18160414",
    "abstract": "DOSSIÊ ÚNICO DE RESPONSABILIZAÇÃO SISTÊMICA Tratamento de Dados Pessoais, Omissão de Accountability e Parâmetros Técnicos Pré‑Existentes (LGPD + NIST) 1. Finalidade e Escopo do Dossiê O presente Dossiê Único de Responsabilização Sistêmica integra, de forma técnica e coerente, dois núcleos documentais já existentes: Anexo Técnico‑Institucional (NIST) – que materializa parâmetros objetivos de governança, rastreabilidade, gestão de riscos e accountability; e Fundamentação para Provocação Formal da ANPD – que demonstra notificação prévia, ciência inequívoca das autoridades e omissão qualificada na aplicação da LGPD. O objetivo é demonstrar que não houve falha normativa ou ausência de parâmetro, mas sim falha sistêmica de responsabilização, envolvendo agentes públicos e privados, diante de tratamento de dados pessoais e dados pessoais sensíveis do titular. O tom adotado é técnico‑regulatório com assertividade contenciosa, adequado à atuação fiscalizatória da ANPD e à eventual escalada para instâncias de controle interno, externo ou internacional. 2. Integração do Anexo NIST como Parâmetro Material de Accountability O primeiro anexo (NIST) não constitui mero documento informativo. Pela sua existência institucional, ele exerce as seguintes funções jurídicas: Âncora objetiva de accountability; Parâmetro técnico pré‑existente de governança e rastreabilidade; Elemento de non‑repudiation, impedindo negação posterior dos fatos; Marco de ciência qualificada para todos os atores envolvidos. À luz de frameworks NIST (governança de riscos, integridade da informação, cadeia de custódia, controle de acesso e prestação de contas), o tratamento de dados descrito no caso concreto já exigia: identificação clara de papéis (controlador / operador); mapeamento do ciclo de vida dos dados; documentação de decisões; mecanismos de resposta a incidentes; demonstração ativa de conformidade. Nada disso foi produzido. 3. 
Cadeia Sistêmica de Atores Envolvidos A análise integrada dos documentos evidencia uma cadeia sistêmica de atores, todos já cientificados: fabricante de tecnologia; prestadores de serviço; profissionais vinculados à área médica; agentes públicos municipais, estaduais e federais; órgãos de controle e fiscalização (CGU, COAF); sistemas oficiais de transparência e ouvidoria (Fala.BR, BuscaLAI); autoridade reguladora central (ANPD); referências normativas e institucionais internacionais. Nenhum desses atores pode alegar: desconhecimento do fato; ausência de parâmetro técnico; inexistência de dever de agir. 4. Padrão Reiterado de Não‑Accountability Apesar da ciência inequívoca e do parâmetro material já existente (LGPD + NIST), o padrão observado foi: deslocamento procedimental contínuo; invocação genérica do art. 198 do CTN como barreira absoluta; ausência de diagnóstico técnico do tratamento de dados; inexistência de relatório, parecer ou decisão fundamentada; fragmentação administrativa deliberada. Sob a ótica NIST e LGPD, isso configura: falha sistêmica de governança e violação do princípio da prestação de contas (art. 6º, X, LGPD). O sigilo fiscal foi utilizado não como instrumento de proteção, mas como mecanismo de opacidade institucional, em prejuízo direto do titular dos dados. 5. Ativação Necessária da Competência da ANPD Com a integração dos anexos, resta demonstrado que: o parâmetro técnico já estava materializado; os fatos já estavam notificados; a omissão não é episódica, mas estrutural; há impacto direto sobre direitos fundamentais do titular. Nesse contexto, a atuação da ANPD não é facultativa, mas decorrência necessária de sua competência legal para: exigir accountability; apurar falhas sistêmicas; orientar e, se necessário, sancionar agentes de tratamento; restaurar a lógica de governança prevista na LGPD. 6. 
Qualificação Jurídica da Omissão A integração dos documentos permite qualificar a situação como: omissão regulatória qualificada; falha sistêmica de accountability; violação do dever de governança em proteção de dados; desvio de finalidade no uso do sigilo legal; negação prática dos direitos do titular, inclusive acesso, transparência e autodeterminação informativa. Essa qualificação é relevante tanto para atuação administrativa da ANPD quanto para eventual controle externo ou internacional. 7. Requerimentos Estruturais à ANPD (Dossiê Integrado) Com base no dossiê integrado, requer‑se que a ANPD: reconheça formalmente a existência de tratamento de dados pessoais e sensíveis; determine a identificação completa dos agentes de tratamento; exija diagnóstico técnico compatível com padrões de governança (LGPD + NIST); avalie a utilização indevida do art. 198 do CTN como mecanismo de não‑accountability; apure responsabilidades institucionais; determine medidas corretivas, estruturais e preventivas; produza manifestação técnica formal apta a encerrar a fragmentação administrativa. 8. Conclusão Final Este dossiê demonstra que o problema não é ausência de lei, nem de norma, nem de parâmetro técnico. O problema é a recusa sistêmica em prestar contas, mesmo após ciência inequívoca e diante de parâmetros claros. A integração entre LGPD e NIST elimina qualquer zona cinzenta interpretativa e impõe à ANPD o dever institucional de agir, sob pena de consolidação da falha sistêmica ora documentada. ENGLISH VERSION ⬇️ INTEGRATED SYSTEMIC ACCOUNTABILITY DOSSIER Processing of Personal Data, Failure of Accountability and Pre‑Existing Technical Parameters (LGPD + NIST) 1. 
Purpose and Scope of the Dossier This Integrated Systemic Accountability Dossier consolidates, in a technical and legally coherent manner, two documentary pillars that already exist: Technical‑Institutional Annex (NIST) – which materializes objective parameters of governance, traceability, risk management and accountability; and Legal Grounds for Formal Triggering of the Brazilian Data Protection Authority (ANPD) – which demonstrates prior notification, unequivocal institutional awareness and a qualified omission in the application of the Brazilian General Data Protection Law (LGPD). The purpose of this dossier is to demonstrate that there was no regulatory vacuum or lack of standards, but rather a systemic failure of accountability, involving public and private actors, in the context of processing personal data and sensitive personal data of the data subject. The tone adopted is technical‑regulatory with assertive‑contentious elements, appropriate for supervisory action by the ANPD and for potential escalation to internal, external or international oversight bodies. 2. Integration of the NIST Annex as a Material Accountability Standard The first annex (NIST) is not a merely informational document. By its institutional existence alone, it performs the following legal and regulatory functions: an objective anchor of accountability; a pre‑existing technical standard for governance and traceability; an element of non‑repudiation, preventing later denial of facts; a qualified notice trigger for all involved actors. In light of NIST frameworks (risk governance, information integrity, chain of custody, access control and accountability), the data processing described in this case already required: clear identification of roles (controller / processor); mapping of the data lifecycle; documentation of decisions; incident response mechanisms; active demonstration of compliance. None of these requirements were fulfilled. 3. 
Systemic Chain of Involved Actors The integrated analysis of the documents evidences a systemic chain of actors, all of whom had already been notified: technology manufacturer; service providers; professionals linked to the medical sector; municipal, state and federal public officials; oversight and control bodies (CGU, COAF); official transparency and grievance systems (Fala.BR, BuscaLAI); the central regulatory authority (ANPD); international normative and institutional references. None of these actors may legitimately claim: lack of knowledge of the facts; absence of technical standards; absence of a duty to act. 4. Recurrent Pattern of Non‑Accountability Despite unequivocal notice and the existence of a material standard (LGPD + NIST), the observed institutional pattern consisted of: continuous procedural deflection; generic invocation of Article 198 of the Brazilian National Tax Code (CTN) as an absolute barrier; absence of any technical diagnosis of the data processing activities; lack of reports, opinions or reasoned decisions; deliberate administrative fragmentation. From the perspective of both NIST frameworks and the LGPD, this conduct constitutes: a systemic governance failure and a violation of the accountability principle (Article 6, item X, LGPD). Tax secrecy was used not as a protective mechanism, but as a tool of institutional opacity, directly harming the data subject. 5. Mandatory Activation of ANPD Competence With the integration of both annexes, it is demonstrated that: the technical parameters were already materialized; the facts had already been formally notified; the omission is structural rather than episodic; there is a direct impact on the fundamental rights of the data subject. 
Under these circumstances, action by the ANPD is not discretionary, but a necessary consequence of its statutory mandate to: require accountability; investigate systemic governance failures; guide and, where appropriate, sanction data processing agents; restore the governance logic established by the LGPD. 6. Legal Qualification of the Omission The integrated dossie",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "Zenodo (CERN European Organization for Nuclear Research)",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4379987756",
    "title": "Can the use of privacy enhancing technologies enable federated learning for health data applications in a Swedish regulatory context?",
    "authors": [
      "Rickard Brännvall",
      "Helena M. Linge",
      "Johan Östman"
    ],
    "date": "2023",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.3384/ecp199006",
    "pdfUrl": "https://ecp.ep.liu.se/index.php/sais/article/download/718/624",
    "doi": "https://doi.org/10.3384/ecp199006",
    "abstract": "A recent report by the Swedish Authority for Privacy Protection (IMY) evaluates the potential of jointly training and exchangingmachine learningmodels between two healthcare providers. In relation to the privacy problems identified therein, this article explores the trade-off between utility and privacy when using privacyenhancing technologies (PETs) in combination with federated learning. Results are reported from numerical experiments with standard text-book machine learning models under both differential privacy (DP) and FullyHomomorphic Encryption (FHE). The results indicate that FHE is a promising approach for privacy-preserving federated learning, with the CKKS scheme being more favorable in terms of computational performance due to its support of SIMD operations and compact representation of encrypted vectors. The results for DP are more inconclusive. The article briefly discusses the current regulatory context and aspects that lawmakers may consider to enable an AI leap in Swedish healthcare while maintaining data protection.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "Linköping electronic conference proceedings",
    "language": "en"
  },
  {
    "id": "gdprhub:8838",
    "title": "AEPD (Spain) - EXP202212247",
    "authors": [],
    "date": "2025-02-05",
    "platform": "gdprhub",
    "sourceUrl": "https://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202212247",
    "pdfUrl": "",
    "doi": "",
    "abstract": "that the controller is obliged to respect the principles of privacy by design and privacy by default as per Article 25 GDPR. 3. Processing of Biometric",
    "topics": [
      "gdpr_compliance",
      "privacy_engineering",
      "pii_entity_types",
      "data_anonymization",
      "biometric_surveillance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Biometric & Immutable PII",
      "Enforcement",
      "Sector Regulations",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "cs"
  },
  {
    "id": "gdprhub:8040",
    "title": "Personvernnemnda (Norway) - PVN-2024-04",
    "authors": [],
    "date": "2024-07-08",
    "platform": "gdprhub",
    "sourceUrl": "https://gdprhub.eu/index.php?title=Personvernnemnda_(Norway)_-_PVN-2024-04",
    "pdfUrl": "",
    "doi": "",
    "abstract": "authority under the Personal Data Protection Ordinance qualifies as a decision also under the Personal Data Act. In the Norwegian Data Protection Authority&#039;s opinion",
    "topics": [
      "jurisdiction_regulatory",
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "cs"
  },
  {
    "id": "gdprhub:2709",
    "title": "Datatilsynet (Norway) - 20/01865",
    "authors": [],
    "date": "2023-09-14",
    "platform": "gdprhub",
    "sourceUrl": "https://gdprhub.eu/index.php?title=Datatilsynet_(Norway)_-_20/01865",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Norwegian Data Protection Authority monitors compliance with the privacy regulations, cf. Article 57 GDPR. 3.1. Choice of law The Personal Data Act (2018)",
    "topics": [
      "jurisdiction_regulatory",
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "gdprhub:7610",
    "title": "PVN - PVN-2023-23",
    "authors": [],
    "date": "2024-02-23",
    "platform": "gdprhub",
    "sourceUrl": "https://gdprhub.eu/index.php?title=PVN_-_PVN-2023-23",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Norwegian Data Protection Authority has closed a case without taking a decision on whether the Personal Data Act has been breached, the Personal Data Protection",
    "topics": [
      "jurisdiction_regulatory",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "cs"
  },
  {
    "id": "gdprhub:275",
    "title": "Datatilsynet (Norway)",
    "authors": [],
    "date": "2023-03-26",
    "platform": "gdprhub",
    "sourceUrl": "https://gdprhub.eu/index.php?title=Datatilsynet_(Norway)",
    "pdfUrl": "",
    "doi": "",
    "abstract": "General Data Protection Regulation (GDPR) 2016/679 was enacted, it was transposed into national law through the Personal Data Act. The Personal Data Act is",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "cs"
  },
  {
    "id": "gdprhub:3639",
    "title": "Personvernnemnda (Norway)",
    "authors": [],
    "date": "2022-01-24",
    "platform": "gdprhub",
    "sourceUrl": "https://gdprhub.eu/index.php?title=Personvernnemnda_(Norway)",
    "pdfUrl": "",
    "doi": "",
    "abstract": "General Data Protection Regulation (GDPR) 2016/679 was enacted, it was transposed into national law through the Personal Data Act. The Personal Data Act is",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "cs"
  },
  {
    "id": "gdprhub:2719",
    "title": "Garante per la protezione dei dati personali (Italy) - 9451734",
    "authors": [],
    "date": "2023-12-06",
    "platform": "gdprhub",
    "sourceUrl": "https://gdprhub.eu/index.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_9451734",
    "pdfUrl": "",
    "doi": "",
    "abstract": "&quot;General Data Protection Regulation&quot; (hereinafter RGPD); HAVING REGARD TO Legislative Decree no. 196 of 30 June 2003, &quot;Personal Data Protection Code&quot; (hereinafter",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "privacy_engineering",
      "jurisdiction_regulatory",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Biometric & Immutable PII",
      "Enforcement",
      "Sector Regulations",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "doaj:00a7984cab4b4eb7b4cbc1e564ef9e6a",
    "title": "Analysis of the Legal Framework for the Protection of Personal Data in the European Union",
    "authors": [
      "Mahdieh Latifzadeh",
      "Sayyed Mohammad Mahdi Qabuli Dorafshan",
      "Saeed Mohseni",
      "Mohammed Abedi"
    ],
    "date": "2021",
    "platform": "doaj",
    "sourceUrl": "http://jipm.irandoc.ac.ir/article-1-4551-en.html",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Personal data is of great economic importance, which is called the currency of the future, but the environment in which people live and work with it constantly, collect and process personal data and use it in a variety of ways. Therefore, there is a need for laws that protect this valuable thing. The most important legal framework for the protection of personal data is the General Data Protection Regulation (GDPR). This regulation was approved in 2016 and came into force in 2018, and is currently the most comprehensive framework for the protection of personal data. However, in previous years the EU has enacted legislation on the protection of personal data (Personal Data Protection Directive 1995), but this regulation is the most complete legal framework for data protection due to its innovative features and protections. Due to the importance of this regulation in the protection of personal data, it is necessary to introduce this legal framework and express the basic concepts, scope of application and strengths of this regulation in order to better understand the protections contained in the GDPR. The present article, by searching this regulation and related sources, states this and takes steps to clarify this regulation to help formulate an appropriate legal framework regarding the protection of personal data in the Iranian legal system.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Iranian Journal of Information Processing & Management",
    "language": "en"
  },
  {
    "id": "doaj:0e961d5b424f464b96f3280133f447bb",
    "title": "Supply Chain Data Sharing: Evaluating Challenges and Opportunities of EU Data Law",
    "authors": [
      "Nils Wiedemann",
      "Maximilian Leicht"
    ],
    "date": "2024",
    "platform": "doaj",
    "sourceUrl": "https://lawreview.law.nycu.edu.tw/supply-chain-data-sharing-evaluating-challenges-and-opportunities-of-eu-data-law/",
    "pdfUrl": "",
    "doi": "",
    "abstract": "After regulating the processing of personal data with the GDPR, the EU is now aiming to govern the emerging data economy. The different acts of this socalled data law shall create a single market for data. To this end, the legislation intends to break up data monopolies and incentivise the sharing of both nonpersonal and personal data. We argue that the data law will have a major impact on international supply chain data sharing – especially, because this involves complex layers of different stakeholders. Especially the Data Act (DA) will have a significant effect on data sharing. The regulation lays down harmonising rules on how to access and share data generated by products of the “Internet of Things” (IoT), which covers not only smart home devices but also industrial machines connected to the internet. The DA applies to products placed in and data transferred to the EU. It is a horizontal framework which the EU intends to complement with several sector-specific regulations for the creation of so-called “data spaces”. The Commission has recently published a proposal for the first data space – the European Health Data Space (EHDS). Further data spaces shall cover other supply-chain-related areas like manufacturers or mobility. This paper analyses the effects of the European Data Law on supply chain data sharing as one of the most promising scenarios and illustrates both chances and challenges of the regulatory framework. For a comprehensive view, it highlights relevant parts of the new cybersecurity framework for products with digital elements (mainly the Cyber Resilience Act) and their influence on data sharing.",
    "topics": [
      "jurisdiction_regulatory",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "交大法學評論",
    "language": "en"
  },
  {
    "id": "gdprhub:2930",
    "title": "CNIL (France) - SAN-2020-009",
    "authors": [],
    "date": "2023-12-06",
    "platform": "gdprhub",
    "sourceUrl": "https://gdprhub.eu/index.php?title=CNIL_(France)_-_SAN-2020-009",
    "pdfUrl": "",
    "doi": "",
    "abstract": "breaches of the GDPR and the French Data Protection law (Loi informatique et libertés). In this case, the French data protection authority investigated several",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "el"
  },
  {
    "id": "hal:1811691",
    "title": "A Large-Scale Analysis of Browser Fingerprinting via Chrome Instrumentation",
    "authors": [
      "Mohammadreza Ashouri"
    ],
    "date": "2019-08-01",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-01811691v1",
    "pdfUrl": "https://hal.science/hal-01811691/document",
    "doi": "",
    "abstract": "In this work, we introduce FPTracker as a standalone, portable and practical browser that utilizes static and dynamic analysis to obtain concise results on a large set of websites. In contrast to the previous works, which rely on native code instrumentation that have low performance and high cost for monitoring each fingerprint Application programming interface (API), FPTracker is developed as an independent tool that does not need to interact with users’ web browsers. In order to prove the usefulness of FPTracker, we have evaluated the top 10,000 European websites (according to Alexa.com) that comprise 1,393,426 links. We have chosen popular European websites to discern how these websites employ user tracking third parties concerning the EU General Data Protection Regulation (GDPR). Accordingly, we found that 117,012 links out of 1,393,426 use invisible user fingerprinting systems. For instance, one of the biggest European banks and a leading advertising website still fingerprint their visitors.",
    "topics": [
      "gdpr_compliance",
      "linkability_tracking"
    ],
    "painPointTracks": [
      "Enforcement",
      "Re-identification"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:2005.13812",
    "title": "A Technical Look At The Indian Personal Data Protection Bill",
    "authors": [
      "Ram Govind Singh",
      "Sushmita Ruj"
    ],
    "date": "2020-05-28",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2005.13812v1",
    "pdfUrl": "https://arxiv.org/pdf/2005.13812v1",
    "doi": "",
    "abstract": "The Indian Personal Data Protection Bill 2019 provides a legal framework for protecting personal data. It is modeled after the European Union's General Data Protection Regulation(GDPR). We present a detailed description of the Bill, the differences with GDPR, the challenges and limitations in implementing it. We look at the technical aspects of the bill and suggest ways to address the different clauses of the bill. We mostly explore cryptographic solutions for implementing the bill. There are two broad outcomes of this study. Firstly, we show that better technical understanding of privacy is important to clearly define the clauses of the bill. Secondly, we also show how technical and legal solutions can be used together to enforce the bill.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:2208.08662",
    "title": "Private, Efficient, and Accurate: Protecting Models Trained by Multi-party Learning with Differential Privacy",
    "authors": [
      "Wenqiang Ruan",
      "Mingxin Xu",
      "Wenjing Fang",
      "Li Wang",
      "Lei Wang",
      "Weili Han"
    ],
    "date": "2022-08-18",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2208.08662v1",
    "pdfUrl": "https://arxiv.org/pdf/2208.08662v1",
    "doi": "",
    "abstract": "Secure multi-party computation-based machine learning, referred to as MPL, has become an important technology to utilize data from multiple parties with privacy preservation. While MPL provides rigorous security guarantees for the computation process, the models trained by MPL are still vulnerable to attacks that solely depend on access to the models. Differential privacy could help to defend against such attacks. However, the accuracy loss brought by differential privacy and the huge communication overhead of secure multi-party computation protocols make it highly challenging to balance the 3-way trade-off between privacy, efficiency, and accuracy. In this paper, we are motivated to resolve the above issue by proposing a solution, referred to as PEA (Private, Efficient, Accurate), which consists of a secure DPSGD protocol and two optimization methods. First, we propose a secure DPSGD protocol to enforce DPSGD in secret sharing-based MPL frameworks. Second, to reduce the accuracy loss led by differential privacy noise and the huge communication overhead of MPL, we propose two optimization methods for the training process of MPL: (1) the data-independent feature extraction method, which aims to simplify the trained model structure; (2) the local data-based global model initialization method, which aims to speed up the convergence of the model training. We implement PEA in two open-source MPL frameworks: TF-Encrypted and Queqiao. The experimental results on various datasets demonstrate the efficiency and effectiveness of PEA. E.g. when $ε$ = 2, we can train a differentially private classification model with an accuracy of 88% for CIFAR-10 within 7 minutes under the LAN setting. This result significantly outperforms the one from CryptGPU, one SOTA MPL framework: it costs more than 16 hours to train a non-private deep neural network model on CIFAR-10 with the same accuracy.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:2308.16109",
    "title": "Grandma Karl is 27 years old -- research agenda for pseudonymization of research data",
    "authors": [
      "Elena Volodina",
      "Simon Dobnik",
      "Therese Lindström Tiedemann",
      "Xuan-Son Vu"
    ],
    "date": "2023-08-30",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2308.16109v1",
    "pdfUrl": "https://arxiv.org/pdf/2308.16109v1",
    "doi": "",
    "abstract": "Accessibility of research data is critical for advances in many research fields, but textual data often cannot be shared due to the personal and sensitive information which it contains, e.g names or political opinions. General Data Protection Regulation (GDPR) suggests pseudonymization as a solution to secure open access to research data, but we need to learn more about pseudonymization as an approach before adopting it for manipulation of research data. This paper outlines a research agenda within pseudonymization, namely need of studies into the effects of pseudonymization on unstructured data in relation to e.g. readability and language assessment, as well as the effectiveness of pseudonymization as a way of protecting writer identity, while also exploring different ways of developing context-sensitive algorithms for detection, labelling and replacement of personal information in unstructured data. The recently granted project on pseudonymization Grandma Karl is 27 years old addresses exactly those challenges.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:2310.12401",
    "title": "Privacy-Preserving Hierarchical Anonymization Framework over Encrypted Data",
    "authors": [
      "Jing Jia",
      "Kenta Saito",
      "Hiroaki Nishi"
    ],
    "date": "2023-10-19",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2310.12401v1",
    "pdfUrl": "https://arxiv.org/pdf/2310.12401v1",
    "doi": "",
    "abstract": "Smart cities, which can monitor the real world and provide smart services in a variety of fields, have improved people's living standards as urbanization has accelerated. However, there are security and privacy concerns because smart city applications collect large amounts of privacy-sensitive information from people and their social circles. Anonymization, which generalizes data and reduces data uniqueness is an important step in preserving the privacy of sensitive information. However, anonymization methods frequently require large datasets and rely on untrusted third parties to collect and manage data, particularly in a cloud environment. In this case, private data leakage remains a critical issue, discouraging users from sharing their data and impeding the advancement of smart city services. This problem can be solved if the computational entity can perform the anonymization process without obtaining the original plain text. This study proposed a hierarchical k-anonymization framework using homomorphic encryption and secret sharing composed of two types of domains. Different computing methods are selected flexibly, and two domains are connected hierarchically to obtain higher-level anonymization results in an efficient manner. The experimental results show that connecting two domains can accelerate the anonymization process, indicating that the proposed secure hierarchical architecture is practical and efficient.",
    "topics": [
      "privacy_engineering",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:2508.02177",
    "title": "Deep classification algorithm for De-identification of DICOM medical images",
    "authors": [
      "Bufano Michele",
      "Kotter Elmar"
    ],
    "date": "2025-08-04",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2508.02177v1",
    "pdfUrl": "https://arxiv.org/pdf/2508.02177v1",
    "doi": "",
    "abstract": "Background : De-identification of DICOM (Digital Imaging and Communi-cations in Medicine) files is an essential component of medical image research. Personal Identifiable Information (PII) and/or Personal Health Identifying Information (PHI) need to be hidden or removed due to legal reasons. According to the Health Insurance Portability and Accountability Act (HIPAA) and privacy rules, also full-face photographic images and any compa-rable images are direct identifiers and are considered protected health information that also need to be de-identified. Objective : The study aimed to implement a method that permit to de-identify the PII and PHI information present in the header and burned on the pixel data of DICOM. Methods : To execute the de-identification, we implemented an algorithm based on the safe harbor method, defined by HIPAA. Our algorithm uses input customizable parameter to classify and then possibly de-identify individual DICOM tags. Results : The most sensible information, like names, history, personal data and institution were successfully recognized. Conclusions : We developed a python algorithm that is able to classify infor-mation present in a DICOM file. The flexibility provided by the use of customi-zable input parameters, which allow the user to customize the entire process de-pending on the case (e.g., the language), makes the entire program very promis-ing for both everyday use and research purposes. Our code is available at https://github.com/rtdicomexplorer/deep_deidentification.",
    "topics": [
      "sector_healthcare",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Health & Genomic PII"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:2105.02175",
    "title": "Automatic de-identification of Data Download Packages",
    "authors": [
      "Laura Boeschoten",
      "Roos Voorvaart",
      "Casper Kaandorp",
      "Ruben van den Goorbergh",
      "Martine de Vos"
    ],
    "date": "2021-05-04",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2105.02175v1",
    "pdfUrl": "https://arxiv.org/pdf/2105.02175v1",
    "doi": "",
    "abstract": "The General Data Protection Regulation (GDPR) grants all natural persons the right of access to their personal data if this is being processed by data controllers. The data controllers are obliged to share the data in an electronic format and often provide the data in a so called Data Download Package (DDP). These DDPs contain all data collected by public and private entities during the course of citizens' digital life and form a treasure trove for social scientists. However, the data can be deeply private. To protect the privacy of research participants while using their DDPs for scientific research, we developed de-identification software that is able to handle typical characteristics of DDPs such as regularly changing file structures, visual and textual content, different file formats, different file structures and accounting for usernames. We investigate the performance of the software and illustrate how the software can be tailored towards specific DDP structures.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:2511.04079",
    "title": "Improving the Performance of Radiology Report De-identification with Large-Scale Training and Benchmarking Against Cloud Vendor Methods",
    "authors": [
      "Eva Prakash",
      "Maayane Attias",
      "Pierre Chambon",
      "Justin Xu",
      "Steven Truong",
      "Jean-Benoit Delbrouck",
      "Tessa Cook",
      "Curtis Langlotz"
    ],
    "date": "2025-11-06",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2511.04079v2",
    "pdfUrl": "https://arxiv.org/pdf/2511.04079v2",
    "doi": "",
    "abstract": "Objective: To enhance automated de-identification of radiology reports by scaling transformer-based models through extensive training datasets and benchmarking performance against commercial cloud vendor systems for protected health information (PHI) detection. Materials and Methods: In this retrospective study, we built upon a state-of-the-art, transformer-based, PHI de-identification pipeline by fine-tuning on two large annotated radiology corpora from Stanford University, encompassing chest X-ray, chest CT, abdomen/pelvis CT, and brain MR reports and introducing an additional PHI category (AGE) into the architecture. Model performance was evaluated on test sets from Stanford and the University of Pennsylvania (Penn) for token-level PHI detection. We further assessed (1) the stability of synthetic PHI generation using a \"hide-in-plain-sight\" method and (2) performance against commercial systems. Precision, recall, and F1 scores were computed across all PHI categories. Results: Our model achieved overall F1 scores of 0.973 on the Penn dataset and 0.996 on the Stanford dataset, outperforming or maintaining the previous state-of-the-art model performance. Synthetic PHI evaluation showed consistent detectability (overall F1: 0.959 [0.958-0.960]) across 50 independently de-identified Penn datasets. Our model outperformed all vendor systems on synthetic Penn reports (overall F1: 0.960 vs. 0.632-0.754). Discussion: Large-scale, multimodal training improved cross-institutional generalization and robustness. Synthetic PHI generation preserved data utility while ensuring privacy. Conclusion: A transformer-based de-identification model trained on diverse radiology datasets outperforms prior academic and commercial systems in PHI detection and establishes a new benchmark for secure clinical text processing.",
    "topics": [
      "sector_healthcare",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Health & Genomic PII"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|od______2186::572556470600c62fe364b052afe35054",
    "title": "Ochrana osobních údajů ve vybraných základních školách",
    "authors": [
      "Ježilová, Kristýna"
    ],
    "date": "2024-01-01",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=50|od______2186::572556470600c62fe364b052afe35054",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Kristýna Ježilová Školský management Ochrana osobních údajů ve vybraných základních školách ABSTRACT The bachelor thesis focuses on how personal data protection works in education and how selected primary school principals in the Czech Republic view this issue. The bachelor thesis is divided into two parts. The theoretical part explains and describes with the help of expert sources the important concepts of the so-called GDPR - General Data Protection Regulation, such as personal data, data protection, data fiduciary, data protection principles, subject, controller and processor in the context of the GDPR legislation, introduces us to the history of the GDPR, the legislation and the principles of personal data protection Furthermore, it describes the GDPR in education itself, what obligations schools and educational institutions have and what is the consent to the processing of personal data. In the practical part, a qualitative survey through interviews with school principals was conducted to find out how primary schools in the Czech Republic comply with the legislation on personal data protection. The aim of the work was to analyse and compare the positives and negatives of the implementation of GDPR in the field of education. Using qualitative research, the experiences of the respondents were analysed...",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:oai:uis.brage.unit.no:11250/3202391",
    "title": "MedTek - AI-styring i medisinsk utstyr: Juridiske, etiske og regulatoriske perspektiver",
    "authors": [
      "Wenelborg, Mikael Ørke"
    ],
    "date": "2025-01-01",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=oai:uis.brage.unit.no:11250/3202391",
    "pdfUrl": "",
    "doi": "",
    "abstract": "In this thesis it will explore the integration and governance of artificial intelligence (AI) in medical devices with focusing on legal, ethical and regulatory perspectives. It will also investigate how can AI transform the healthcare in particularly in imaging and diagnostics by improving accuracy, efficiency and decision making processes. The regulatory framework is examined through the EU AI Act, General Data Protection Regulation (GDPR), Medical Data Regulation (MDR) and along with the U.S Food and Drug Administration (FDA) guidelines. These regulations aim to ensure transparency, safety, data protection and accountability for AI-based systems used in clinical settings. Ethical considerations include explainability, transparency and distribution of responsibility when AI systems assist human decision making. This thesis also discusses how hardware replacement, such as CT tubes can affect the performance of the AI algorithms and how to get certificate CE marking. The conclusion points that AI have great potential to improve diagnostics and efficiency, but this requires a good governance system that combines technological innovation with safe, legal, and ethical accountability",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:oai:usir.salford.ac.uk:63426",
    "title": "Responsible AI : the praxis of AI and data protection management : negotiating innovation and FAT principles",
    "authors": [
      "Addis, Chiara"
    ],
    "date": "",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=oai:usir.salford.ac.uk:63426",
    "pdfUrl": "",
    "doi": "",
    "abstract": "The increasing deployment of Artificial Intelligence applications has sparked a debate on its possible uses and potential problems, and many questions on the protection of personal data have emerged. The General Data Protection Regulation (GDPR) imposed new requirements for organisations handling personal data, and the implications for organisations managing AI technologies are particularly significant. Whereas much research focuses on algorithmic biases and the development of AI, this research explores other important concerns arising from the uses of personal data during the introduction of AI, which impact on individuals and organisations. It investigates innovation in different organisational contexts and how people perceive, understand and apply AI, data protection and FAT principles (fairness, accountability and transparency).\\ud Drawing on responsible research and innovation (RRI) and Feenberg’s critical theory of technology, the research investigates the praxis of AI and GDPR management within UK organisations, examining the interplay between AI, data protection and FAT principles.\\ud The methodology comprises a multi method approach, employing a survey of experts and dual case studies of organisations implementing responsible AI projects. This research investigates organisational practices and people's agency, providing in-depth analysis of values, power dynamics, experience, understanding, perceptions, and difficulties of various stakeholders (leaders, senior managers, data protection and ML experts) in their specific contexts, all of which shapes and constructs this ambivalent technology.\\ud The research indicates that GDPR is often misinterpreted, there is limited understanding of AI and its specific risks, and there are diverse perceptions of the relevance of FAT principles. Discussion on ethics is usually focused on data and activities conducted prior to the implementation of new AI systems. 
Internal processes and personal data created by AI are genera",
    "topics": [
      "gdpr_compliance",
      "ai_governance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:oai:openaccess.city.ac.uk:23225",
    "title": "A triage playbook: privacy harm and data incident response in the UK",
    "authors": [
      "Devey, C. S. H."
    ],
    "date": "",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=oai:openaccess.city.ac.uk:23225",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Personal data incidents have become a serious concern in almost every industry. In the UK, the TalkTalk data breach in October 2015 generated headline news and raised public awareness of data breaches. Under the EU General Data Protection Regulation (GDPR), organisations in the UK are held accountable for reporting data breach incidents to the Information Commissoner’s Office (ICO) within 72 hours. Furthermore, organisations are required to notify the ICO and to communicate with affected individuals where there is high risk. However, the triggers or criteria for what constitutes a general risk and a high risk are not clear. Researchers have pointed out that privacy impact assessments (PIA) and breach notifications are new concepts. There is no universal PIA framework which could be used for comparative privacy risk analysis. Security-related literature on PIA primarily addresses the prevention of harm through technical measures or system development and says little about assessing the harm to individuals. The overall aim of this PhD was to explore personal data incident (DBI) response, data privacy harms and breach notifications under the GDPR. Firstly, in-depth personal interviews were conducted to gauge the extent and nature of DBI responses by organisations in the UK. Interviewees viewed breach notifications as a ‘right thing to do’ but raised concerns about the GDPR breach notification timelines. Although there is no dedicated DBI response framework, interviewees were using triage and checklists during DBI response. Based on these findings, in the second stage of the research, a research question was framed: How can a triage playbook be used to address data privacy harms for breach notification prioritisation during the initial response to a personal data incident? A triage playbook was developed; this synthesised the triage steps; operationalised the steps with checklists; and created a data matrix for scoring the likely impact on individuals. 
Finally, in a thi",
    "topics": [
      "gdpr_compliance",
      "data_breach_incident"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|tubitakulakb::902c5986b3a1b3cea4d7bdc26639438a",
    "title": "AB ve Türk Hukukunda Veri İhlalinin Tespiti ve Bildirim Süresinin Karşılaştırmalı Değerlendirmesi",
    "authors": [
      "SEVİNDİ, Nur Sena",
      "ORDU, Muhammet Emin"
    ],
    "date": "2023-05-02",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=50|tubitakulakb::902c5986b3a1b3cea4d7bdc26639438a",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Data breach notification to data protection authorities is a legal obligation of data processors which starts from the occurrence of a data breach. The notification is subjected to the legal time period and format of the authorities. However; it is crucial to detect and categorize the data breach correctly in order to identify the beginning of the notification documents and time period. Due to the fact that the types of data breach are not specific and vary according to the concrete case, the data breach notification obligation and its duration raise a question mark among data controllers. In this study, in which the solutions for the detection of data breach will be discussed, data breach notification and notification periods to data protection authorities will be evaluated comparatively within the scope of the Personal Data Protection Law No. 6698 and the European Union General Data Protection Regulation.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|od______1548::808ac05728004dc92cd6435a08380b2d",
    "title": "Approaches to Regulating Privacy Dark Patterns",
    "authors": [
      "Gaulton, Matthew",
      "Kelly, Dominique",
      "Burkell, Jacquelyn"
    ],
    "date": "2024-03-15",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=50|od______1548::808ac05728004dc92cd6435a08380b2d",
    "pdfUrl": "",
    "doi": "",
    "abstract": "In this paper, we will evaluate new bills slated to replace the Personal Information Protection and Electronic Documents Act (PIPEDA) and offer stronger privacy dark pattern protections to Canadians. Existing scholarship in the realm of privacy law, such as “Deceptive Design and Ongoing Consent in Privacy Law” by Jeremy Wiener and “Privacy Dark Patterns: A Case for Regulatory Reform in Canada” by Ademola Adeyoju, primarily focuses on creating frameworks for understanding privacy dark patterns in the law and explaining the pitfalls and legal inadequacies surrounding dark pattern legislation in Canada. However, the aim of this paper diverges significantly. While acknowledging the invaluable insights provided by these foundational works, the objective of this article is twofold: First, to offer a comprehensive review of multiple proposed legislative bills slated to replace PIPEDA in Canada; and second, to critically evaluate the effectiveness of these proposed changes, especially in comparison with more robust frameworks like California's Consumer Privacy Act (CCPA) and the European Union's General Data Protection Regulation (GDPR), which offer extensive protections against dark patterns. In doing so, this paper seeks to fill a gap in the existing literature by examining how proposed Canadian legislation measures up to international standards in protecting citizens from the pitfalls of dark patterns.",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:oai:orbilu.uni.lu:10993/52802",
    "title": "\"Dark Cookie\" - A serious game to train users to spot and interact with dark patterns in cookie banners",
    "authors": [
      "Akinyemi, Opeyemi Priscilla"
    ],
    "date": "2022-08-29",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=oai:orbilu.uni.lu:10993/52802",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Deceptive design patterns, also called dark patterns, can be found all over the internet today. These designs are used by website operators to trick users into sharing their personal data or performing other actions that are mostly favorable to the operators. Since taking effect in 2018, the General Data Protection Regulation (GDPR), strictly mandates website operators to inform EU website visitors of how their personal data will be processed. Although they put up cookie banners to disclose such information and ask user’s consent, many website operators have found ways to use deceptive designs, such as confusing design and language, to trick users into giving them their personal data, and pass them on to advertisers that use them to personalize ads and target users. In this thesis, I study different dark patterns on the internet and those in cookie banners and I delve into one of the proposed interventions against dark patterns in previous work, gamification. I hypothesize that it is possible to create a serious game to train online users to respond to dark patterns in cookie banners, so that they can retain most of their personal information without disclosing it to advertisers. In particular, I have conceptualized and developed an online game with five levels that uses game mechanics like feedback, points, levels, badges and story to make the game educative, engaging and interactive. To evaluate the game, I created a survey and gathered the answers of 54 players and assessed aspects like game clarity of goals and rules, knowledge acquisition, perceived applicability and engagement. I conclude with the analysis of the results obtained, suggesting the gamification is an appropriate and effective tool for training users on how to interact with cookie banners in a way that maximizes their privacy.",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|od_______383::e96c0efe3bbc952973e897aad519eed0",
    "title": "How transparency and UI/UX optimization influences user perspective : User perspective of cookie banner and cookie consent forms",
    "authors": [
      "Szüsz, Holger"
    ],
    "date": "2025-01-01",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=50|od_______383::e96c0efe3bbc952973e897aad519eed0",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Since the enforcement of the General Data Protection Regulation (GDPR), cookie banners have become a common feature of websites. These banners are meant to support informed consent, but many use deceptive design techniques known as dark patterns that steer users toward accepting cookies, often without fully understanding their choices. This raises concerns about user autonomy, privacy, and compliance with GDPR guidelines. This thesis investigates whether transparent UI design and AI-supported tools can influence user perspectives of cookie banners. A user study was conducted using a custom-built minimal viable product (MVP) that featured three versions of cookie banners: a dark-pattern UI, a GDPR-compliant UI, and an AI-assisted design. Results show that transparent UI design improved user understanding and trust. The AI-assisted banner led to faster task completion, but trust in the AI varied. GDPR-compliant banners took more time to navigate, but helped users make more deliberate and informed choices. These findings highlight the importance of design transparency.",
    "topics": [
      "gdpr_compliance",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Enforcement",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|userclaim___::482fa6cb97a911caa2418fd153ae9e82",
    "title": "MobiDataLab D4.10 Data Protection Tools (V2)",
    "authors": [
      "A. MANJON, Jesús",
      "MARTINEZ, Sergio",
      "MANZANARES, Benet",
      "BLANCO, Alberto"
    ],
    "date": "",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=50|userclaim___::482fa6cb97a911caa2418fd153ae9e82",
    "pdfUrl": "",
    "doi": "",
    "abstract": "A trajectory microdata set is a microdata set that contains trajectory data. This kind of datasets are special because the location information included in them can be considered both as quasi-identifiers and sensitive information. Trajectory microdata is prone to privacy attacks on individual users because of two defining characteristics: Trajectory data are highly unique and hard to anonymize. The main goal of task T4.5 is to develop data processing modules that apply data protection and anonymization techniques that will be later uploaded to the Transport Cloud. The first version of the demonstrator was released in July 2022. It included 3 anonymization methods for protecting trajectory data, selected from the catalogue of techniques compiled in T2.2 considering the use case requirements elicited in T2.6, and the computation of utility metrics in trajectory databases. It also provides a command line interface (CLI) that lets users anonymize a mobility dataset and compute some utility measures over both the original and the anonymized datasets in a straightforward way. This second version includes 6 anonymization methods, 1 privacy-preserving analysis method, 4 methods to compute different utility measures and 1 method to compute a privacy metric. The CLI has been extended to handle the new functionality and the demonstrator is now ready to be deployed into a server and to process requests through an API. The anonymization module has been designed with a focus on modularity, where pseudonymization or anonymization methods can be built using different components dedicated to preprocessing, clustering, distance computation, aggregation, etc. Deliverable D4.10 describes the characteristic of the final version of the demonstrator and includes a detailed user manual. 
Demonstrator is available at https://github.com/MobiDataLab/mdlanonymizer. A video demonstration is available at https://raw.githubusercont",
    "topics": [
      "data_anonymization",
      "linkability_tracking"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Re-identification"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:5170064",
    "title": "Strengthening Vietnam's Personal Data Protection Framework in the Education Sector: Legal Lessons from the EU",
    "authors": [
      "Huu Phuc Nguyen"
    ],
    "date": "2025-07-18",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-05170064v1",
    "pdfUrl": "https://hal.science/hal-05170064/document",
    "doi": "",
    "abstract": "The rapid advancement of digital technologies has fundamentally reshaped how personal data are perceived and protected. As Vietnam navigates this digital transformation, the imperative for a robust legal framework governing personal data protection has become paramount, especially in the education sector. In 2023, the government enacted Decree 13 on personal data protection (\"Decree 13\") to protect Vietnamese personal data. This paper explores Vietnam's current regulatory landscape for personal data protection, focusing on key aspects such as the classification of data, the rights of data subjects, and the obligations of data controllers and processors. Based on lessons from the General Data Protection Regulation (GDPR), this article aims to give insights into potential improvements to Vietnamese regulations on personal data protection, especially in the education sector.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Revue Lexsociété",
    "language": "en"
  },
  {
    "id": "openaire:50|od______2712::67f98f7422961084a5a6ed4c025b254e",
    "title": "Actions to ensure personal data protection in a business enterprise",
    "authors": [
      "Kulbeckienė, Gintarė",
      "Litevkienė, Nijolė"
    ],
    "date": "2021-01-01",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=50|od______2712::67f98f7422961084a5a6ed4c025b254e",
    "pdfUrl": "",
    "doi": "",
    "abstract": "The General Data Protection Regulation is related to fundamental changes in business enterprises as they need to radically rethink how to process customers’ personal data. The following principles of personal data protection have been established: the principle of lawfulness, fairness and transparency; purpose limitation in data handling; the data minimisation principle; the principle of periodicity; the principle of storage limitation; the principle of integrity and confidentiality; and the principle of responsibility. The study revealed problem areas in the implementation of the personal data protection policy in the business enterprise: ensuring management of access to personal data; informing individuals about the nature of the use of their personal data; and development of a description of the procedure for rules on a new consent to the use of personal data. Hiring external experts and leader support in implementing the personal data policy in the organization are to be assessed as the enterprise’s weaknesses. Keywords: General Data Protection Regulation, personal data protection, business enterprise, implementation, problem areas.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:oai:doaj.org/article:bca1f11779f24eb497790ac46e097e9c",
    "title": "Identify the Nature of Personal Data and Search for a Suitable Legal Framework to Support it in the Iranian Legal System",
    "authors": [
      "mahdieh latifzadeh",
      "Sayyed Mohammad Mahdi Qabuli Dorafshan",
      "Saeed Mohseni",
      "Mohammad Abedi"
    ],
    "date": "2022-06-01",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=oai:doaj.org/article:bca1f11779f24eb497790ac46e097e9c",
    "pdfUrl": "",
    "doi": "",
    "abstract": "People use their personal data in different contexts, the use of personal data is inevitable. On the other hand, the protection of personal data is a citizenship right and personal data must be legally protected. Such legal protection is fully achieved by the General Data Protection Regulation (GDPR). This European regulation is the most comprehensive legal framework for the protection of personal data. Despite the importance of personal data protection, many countries do not yet have an independent legal document in this regard or have not yet finalized their draft documents, Iran is also one of these countries that does not have an approved legal document in this regard. Therefore, the present article seeks to introduce a suitable legal framework for the protection of personal data in the Iranian legal system and identify the nature of personal data. The nature of personal data and the right to personal data is special.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|od______2186::89e793708528f82cbaf5d3d1c03a4a91",
    "title": "Ochrana osobných údajov na marketingovom oddelení obchodnej spoločnosti",
    "authors": [
      "Kvardová, Lucia"
    ],
    "date": "2019-01-01",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=50|od______2186::89e793708528f82cbaf5d3d1c03a4a91",
    "pdfUrl": "",
    "doi": "",
    "abstract": "The diploma thesis deals with the issue of personal data protection in the field of marketing. The aim of the thesis is to propose recommendations that will ensure that the marketing department of the selected company complies with the General Data Protection Regulation (GDPR). The literature review focuses on the legal grounding of personal data protection, the General Data Protection Regulation and the definition of terms that are directly related to the issue. Attention is also paid to the context of marketing activities with the processing and protection of personal data. The own research analyses the level of personal data protection in the marketing department of the selected company, which is then compared to the requirements of the current legislation on personal data protection. At the end of the thesis, the necessary corrective measures are proposed.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "doaj:68c8145096e94887b5ee6bc36552e54c",
    "title": "THE IMPACT OF AI ON FUNDAMENTAL HUMAN RIGHTS IN EU COUNTRIES. EXAMINATION OF ACADEMIC STUDIES AND THE POSITIONS OF NON-GOVERNMENTAL ORGANIZATIONS REGARDING THE ETHICAL AND AI LEGAL RISKS",
    "authors": [
      "Doina Ljungholm POPESCU",
      "Carmina-Elena TOLBARU"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://cks.univnt.ro/download/cks_2025_articles%252F3_CKS_2025_PUBLIC_LAW%252FCKS_2025_PUBLIC_LAW_006.pdf",
    "pdfUrl": "https://cks.univnt.ro/download/cks_2025_articles%252F3_CKS_2025_PUBLIC_LAW%252FCKS_2025_PUBLIC_LAW_006.pdf",
    "doi": "",
    "abstract": "Artificial intelligence (AI) is rapidly changing life in Europe and profoundly transforming contemporary society, influencing multiple aspects of economic, social, and legal life. In the European Union, the development and use of AI pose significant challenges regarding the protection of fundamental human rights, such as the right to privacy, equality, and access to justice. Authorities are implementing strict regulations to ensure that innovation does not compromise essential democratic values, aiming to find a balance where new technologies and the protection of human rights merge in the best interest of humanity. My research aims to analyze the impact of artificial intelligence (AI) technologies on fundamental rights in the EU, identify the risks to these rights, and assess legislative and ethical measures for their protection. The research methodology is based on documentary analysis, meaning the study of European laws and international documents related to AI and human rights. Another method used is comparative evaluation, identifying points of convergence and divergence between the national regulations of member states in implementing EU standards on AI. The research follows a deductive approach, starting with the existing legal framework, such as the Charter of Fundamental Rights of the EU and the General Data Protection Regulation (GDPR), while also considering new initiatives like the Artificial Intelligence Act (AI Act). Additionally, the study examines specialized literature and reports from international institutions, such as the Council of Europe and the European Union Agency for Fundamental Rights. This paper provides a comprehensive analysis of EU regulations on AI and proposes practical solutions to align technology with human rights.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "Challenges of the Knowledge Society",
    "language": "en"
  },
  {
    "id": "doaj:07df8992cc82433eae847140b9abd15c",
    "title": "Privacy-preserving digital rights management scheme in cloud computing",
    "authors": [
      "Qin-long HUANG",
      "Zhao-feng MA",
      "Jing-yi FU",
      "Yi-xian YANG",
      "Xin-xin NIU"
    ],
    "date": "2014",
    "platform": "doaj",
    "sourceUrl": "http://www.joconline.com.cn/zh/article/doi/10.3969/j.issn.1000-436x.2014.02.013/",
    "pdfUrl": "",
    "doi": "",
    "abstract": "In order to meet the needs of digital content and user privacy protection in cloud computing environment, a privacy-preserving digital rights management (DRM) scheme in cloud computing was proposed. The framework of digital content copyright lifecycle protection and user privacy protection in cloud computing was firstly designed, which includes four protocols: system setup, content encryption, license acquisition and content decryption, and then a content encryption key protection and distribution mechanism based on attribute-based encryption and additively homomorphic encryption was proposed, which ensures the security of content encryption key. In addition, the proposed scheme also allows the users to purchase content and acquire license anonymously from cloud service provider, which protects the user privacy and prevents cloud service provider, license server and key server in the cloud from collecting the user's sensitive information. Compared with existing DRM schemes in cloud computing, the proposed scheme which not only protects the data security and user privacy, but also supports fine-grained access control, and supports online and super-distribution application modes, is more applicable in the copyright protection for cloud computing.",
    "topics": [
      "privacy_engineering",
      "power_knowledge_asymmetry"
    ],
    "painPointTracks": [
      "Solutions Market",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.55,
    "venue": "Tongxin xuebao",
    "language": "en"
  },
  {
    "id": "hal:4513699",
    "title": "China Data Flows and Power in the Era of Chinese Big Tech",
    "authors": [
      "W. Gregory Voss",
      "Emmanuel Pernot-Leplay"
    ],
    "date": "2024-03-10",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-04513699v1",
    "pdfUrl": "https://hal.science/hal-04513699/document",
    "doi": "",
    "abstract": "Personal data have great economic interest today and their possession and control are the object of geopolitics, leading to their regulation by means that vary dependent on the strategic objectives of the jurisdiction considered. This study fills a gap in the literature in this area by analyzing holistically the regulation of personal data flows both into and from China, the world’s second largest economy. In doing so, it focuses on laws and regulations of three major power blocs: the United States, the European Union, and China, seen within the framework of geopolitics, and considering the rise of Chinese big tech. First, this study analyzes ways that the United States—the champion of the free-flow of data that has helped feed the success of the Silicon Valley system—has in specific cases prevented data flows to China on grounds of individual data protection and national security. The danger of this approach and alternate protection through potential U.S. federal data privacy legislation are evoked. Second, the cross-border data flow restriction of the European Union’s General Data Protection Regulation (GDPR) is studied in the context of data exports to China, including where the data transit via the United States prior to their transfer to China. Next, after review of the conditions for a European Commission adequacy determination and an examination of recent data privacy legislation in China, the authors provide a preliminary negative assessment of the potential for such a determination for China, where government access is an important part of the picture. Difficult points are highlighted for investigation by data exporters to China, when relying on EU transfer mechanisms, following the Schrems II jurisprudence. Finally, recent Chinese regulations establishing requirements for the export of data are studied. 
In this exercise, light is shed on compliance requirements for companies under Chinese law, provisions of Chinese data transfer regulations that are similar to those of the GDPR, and aspects that show China’s own approach to restrictions on data transfers, such as an emphasis on national security protection. This study concludes with the observation that restrictions for data flows both into and out of China will continue and potentially be amplified, and economic actors will need to prepare themselves to navigate the relevant regulations examined in this study.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "Northwestern Journal of International Law and Business",
    "language": "en"
  },
  {
    "id": "hal:4986853",
    "title": "Securing Health Data in the Digital Age: Challenges, Regulatory Frameworks, and Strategic Solutions in Saudi Arabia",
    "authors": [
      "Houda Alhoussari"
    ],
    "date": "2025",
    "platform": "hal",
    "sourceUrl": "https://shs.hal.science/halshs-04986853v1",
    "pdfUrl": "",
    "doi": "",
    "abstract": "The rapid digital transformation in Saudi Arabia, driven by the ambitious Vision 2030 initiative, positions health data as a cornerstone of innovation in the healthcare sector. Health data, classified as sensitive and strategic, is critical for improving patient care, advancing medical research, and fostering predictive analytics. However, this digitization also exposes health data to escalating cyber threats, such as ransomware, phishing, and attacks on IoMT devices. These risks compromise data confidentiality, integrity, and availability, eroding trust and causing significant economic impacts. This study adopts an analytical and comparative approach to evaluate the challenges and solutions associated with health data cybersecurity in Saudi Arabia. It examines the strengths and weaknesses of national frameworks, including the Personal Data Protection Law (PDPL) and the Essential Cybersecurity Controls (ECC), while benchmarking them against international standards such as the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA). By addressing technical, organizational, and human challenges, the research proposes strategic recommendations, emphasizing technological measures, regulatory enhancements, and capacity-building initiatives. The findings aim to contribute to the development of a secure and innovative digital healthcare ecosystem in Saudi Arabia, aligning with the goals of Vision 2030 and ensuring the protection of sensitive health data.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Journal of Ecohumanism",
    "language": "en"
  },
  {
    "id": "hal:5517715",
    "title": "Privacy-Preserving Multidimensional Data Analysis : Query Answering and Data Publication under Differential Privacy",
    "authors": [
      "Ala Eddine Laouir"
    ],
    "date": "2025-11-26",
    "platform": "hal",
    "sourceUrl": "https://theses.hal.science/tel-05517715v1",
    "pdfUrl": "https://theses.hal.science/tel-05517715/document",
    "doi": "",
    "abstract": "In the modern days, almost every individual continuously relies on and interacts with multiple digital services and applications on a daily basis. These services collect vast amounts of data, which can be highly valuable for analysis, decision-making, and improving their solutions. However, a major concern for individuals is that much of the data collected, analyzed, and shared by companies and organizations is highly sensitive, such as location information, shopping preferences, social media interactions, browsing history, medical records, and financial details. Legal frameworks such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), along with broader ethical principles, are designed to safeguard personal data. Nevertheless, these same regulations also restrict the extent to which data curators can fully exploit the collected data. In this thesis, we propose solutions that enable organisations to analyse and publish sensitive individual data while ensuring strong privacy guarantees. More specifically, we focus on the application of Differential Privacy (DP) to multidimensional (aggregated tabular) data with two main objectives: (i) enabling Online Analytical Processing (OLAP) through aggregation queries in both single-server and federated environments, and (ii) generating privacy- and utility-preserving views of the data for secure publication. In the first part of this work, we developed a solution that enables analysts to query very large databases and obtain near real-time responses. The proposed approach relies on approximation and sampling techniques to reduce processing time, with a careful integration of Differential Privacy (DP) to ensure strong privacy guarantees while preserving query accuracy. We then extended this approach to a federated environment, where multiple organizations aim to collaborate without sharing or disclosing their private data due to regulatory constraints. 
Our solution introduces a lightweight protocol for answering OLAP queries in such a setting, representing the first approach that combines approximation and Differential Privacy to achieve end-to-end privacy, while significantly reducing computational costs and improving query response time. In the second part of this thesis, we propose a novel solution that combines sampling with Differential Privacy (DP) to generate a data synopsis that analysts can query without any privacy risk. Our approach is highly scalable to large datasets, introduces minimal processing overhead, and provides the most utility-preserving view compared to existing methods. We further address the data publishing problem from another perspective, particularly in scenarios where data must be released and made publicly accessible (e.g., downloadable datasets on the web). To this end, we introduce a new decomposition technique that produces a publish-ready view, capable of outperforming existing approaches in terms of utility preservation. This improvement stems from our method's innovative handling of multidimensional data and its efficient application of Differential Privacy.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:2913272",
    "title": "Privacy guarantees for de-identifying text transformations",
    "authors": [
      "David Ifeoluwa Adelani",
      "Ali Davody",
      "Thomas Kleinbauer",
      "Dietrich Klakow"
    ],
    "date": "2020-10-25",
    "platform": "hal",
    "sourceUrl": "https://inria.hal.science/hal-02907939v1",
    "pdfUrl": "https://inria.hal.science/hal-02907939/document",
    "doi": "",
    "abstract": "Machine Learning approaches to Natural Language Processing tasks benefit from a comprehensive collection of real-life user data. At the same time, there is a clear need for protecting the privacy of the users whose data is collected and processed. For text collections, such as, e.g., transcripts of voice interactions or patient records, replacing sensitive parts with benign alternatives can provide de-identification. However, how much privacy is actually guaranteed by such text transformations, and are the resulting texts still useful for machine learning? In this paper, we derive formal privacy guarantees for general text transformation-based de-identification methods on the basis of Differential Privacy. We also measure the effect that different ways of masking private information in dialog transcripts have on a subsequent machine learning task. To this end, we formulate different masking strategies and compare their privacy-utility trade-offs. In particular, we compare a simple redact approach with more sophisticated word-by-word replacement using deep learning models on multiple natural language understanding tasks like named entity recognition, intent detection, and dialog act classification. We find that only word-by-word replacement is robust against performance drops in various tasks.",
    "topics": [
      "data_anonymization",
      "pii_entity_types"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:3361344",
    "title": "Bridging the gap between Privacy by Design and mobile systems by patterns",
    "authors": [
      "Karina Sokolova"
    ],
    "date": "2016-04-27",
    "platform": "hal",
    "sourceUrl": "https://theses.hal.science/tel-03361344v1",
    "pdfUrl": "https://theses.hal.science/tel-03361344/document",
    "doi": "",
    "abstract": "Nowadays, smartphones and smart tablets generate, receive, store and transfer substantial quantities of data, providing services for all possible user needs with easily installable programs, also known as mobile applications. A number of sensors integrated into smartphones allow the devices to collect very precise information about the owner and his environment at any time. The important flow of personal and business data becomes hard to manage. The “Privacy by Design” approach with 7 privacy principles states privacy can be integrated into any system from the software design stage. In Europe, the Data Protection Directive (Directive 95/46/EC) includes “Privacy by Design” principles. The new General Data Protection Regulation enforces privacy protection in the European Union, taking into account modern technologies such as mobile systems and making “Privacy by Design” not only a benefit for users, but also a legal obligation for system designers and developers. The goal of this thesis is to propose pattern-oriented solutions to cope with mobile privacy problems, such as lack of transparency, lack of consent, poor security and disregard for purpose limitation, thus giving mobile systems more Privacy by (re) Design",
    "topics": [
      "gdpr_compliance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:4862356",
    "title": "Blockchain-Enabled Healthcare Systems: AI Integration for Improved Patient Data Privacy",
    "authors": [
      "Jaya Chandra Srikanth Gummadi"
    ],
    "date": "2022-12-31",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-04862356v1",
    "pdfUrl": "https://hal.science/hal-04862356/document",
    "doi": "",
    "abstract": "This research examines how blockchain and AI might enhance patient data privacy and security in healthcare systems. The primary goal is to evaluate how these technologies might help secure sensitive health data while complying with HIPAA and GDPR. Secondary data assesses the literature on blockchain's function in safe data management and AI's privacy-preserving analytics. Blockchain can store data decentralized, transparently, and immutably, while AI can process and analyze data securely via federated learning and homomorphic encryption. Blockchain-AI integration enhances data interoperability, secures data exchange, and protects patient privacy during data analysis. The hurdles were scalability, legacy system integration, and ethical issues regarding data immutability and algorithmic bias. These technologies need revised legal frameworks to comply with data privacy rules and promote innovation. The report recommends infrastructure investment, stakeholder engagement, and AI ethics in healthcare. Blockchain and AI might transform healthcare by improving data security and patient privacy if technological, legislative, and ethical challenges are overcome.",
    "topics": [
      "privacy_engineering",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "Malaysian Journal of Medical and Biological Research",
    "language": "en"
  },
  {
    "id": "hal:1399858",
    "title": "Testing the robustness of anonymization techniques: acceptable versus unacceptable inferences",
    "authors": [
      "Gergely Acs",
      "Claude Castelluccia",
      "Daniel Le Métayer"
    ],
    "date": "2016-11-08",
    "platform": "hal",
    "sourceUrl": "https://inria.hal.science/hal-01399858v1",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Anonymization is a critical issue because data protection regulations such as the European Directive 95/46/EC and the European General Data Protection Regulation (GDPR) explicitly exclude from their scope \"anonymous information\" and \"personal data rendered anonymous\". However, turning this general statement into effective criteria is not an easy task. In order to facilitate the implementation of this provision, the Working Party 29 (WP29) has published in April 2014 an Opinion on Anonymization Techniques. This Opinion puts forward three criteria corresponding to three risks called respectively \"singling out\", \"linkability\" and \"inference\". In this paper, we first discuss these criteria and suggest that they are neither necessary nor effective to decide upon the robustness of an anonymization algorithm (Section 2). Then we propose an alternative approach relying on the notions of acceptable versus unacceptable inferences (Section 3) and we introduce differential testing, a practical way to implement this approach using machine learning techniques (Section 4). The last section discusses related work and suggests avenues for future research (Section 5).",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:2145208",
    "title": "Privacy and utility assessment within statistical data bases",
    "authors": [
      "Louis-Philippe Sondeck"
    ],
    "date": "2017-12-15",
    "platform": "hal",
    "sourceUrl": "https://theses.hal.science/tel-02145208v1",
    "pdfUrl": "https://theses.hal.science/tel-02145208/document",
    "doi": "",
    "abstract": "Personal data promise relevant improvements in almost every economic sector thanks to all the knowledge that can be extracted from it. As a proof of it, some of the biggest companies in the world, Google, Amazon, Facebook and Apple (GAFA) rely on this resource for providing their services. However, although personal data can be very useful for improvement and development of services, they can also, intentionally or not, harm data respondent’s privacy. Indeed, many studies have shown how data that were intended to protect respondents’ personal data were finally used to leak private information. Therefore, it becomes necessary to provide methods for protecting respondent’s privacy while ensuring utility of data for services. For this purpose, Europe has established a new regulation (The General Data Protection Regulation) (EU, 2016) that aims to protect European citizens’ personal data. However, the regulation only targets one side of the main goal as it focuses on privacy of citizens while the goal is about the best trade-off between privacy and utility. Indeed, privacy and utility are usually inversely proportional and the greater the privacy, the lower the data utility. One of the main approaches for addressing the trade-off between privacy and utility is data anonymization. In the literature, anonymization refers either to anonymization mechanisms or anonymization metrics. While the mechanisms are useful for anonymizing data, metrics are necessary to validate whether or not the best trade-off has been reached. However, existing metrics have several flaws including the lack of accuracy and the complexity of implementation. Moreover, existing metrics are intended to assess either privacy or utility; this adds difficulties when assessing the trade-off between privacy and utility. In this thesis, we propose a novel approach for assessing both utility and privacy called Discrimination Rate (DR). The DR is an information theoretical approach which provides practical and fine grained measurements. The DR measures the capability of attributes to refine a set of respondents with measurements scaled between 0 and 1, the best refinement leading to single respondents. For example an identifier has a DR equal to 1 as it completely refines a set of respondents. We are therefore able to provide fine grained assessments and comparison of anonymization mechanisms (whether different instantiations of the same mechanism or different anonymization mechanisms) in terms of utility and privacy. Moreover, thanks to the DR, we provide formal definitions of identifiers (Personally Identifying Information) which has been recognized as one of the main concerns of privacy regulations. The DR can therefore be used both by companies and regulators for tackling the personal data protection issues.",
    "topics": [
      "data_anonymization",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:4495342",
    "title": "Privacy and Data Protection : France",
    "authors": [
      "Olivia Tambou"
    ],
    "date": "2024",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-04495342v1",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Derived from the renowned multi-volume International Encyclopaedia of Laws, this practical guide to privacy and data protection law in France covers every aspect of the subject, including the protection of private life as a fundamental – constitutional – right, the application of international and/or regional conventions protecting the right to privacy, privacy rights in the context of electronic communications or at the workplace, and the protection of individuals regarding the processing of personal data relating to them. Following a general introduction about the country, the monograph assembles its information and guidance in two parts: (1) protection of privacy, including national case law regarding the protection of this fundamental right, specific legislation on the confidentiality of interpersonal communications, and sector-specific rules regarding privacy protection, such as privacy rights of employees, patients, consumers or celebrities; (2) personal data protection, including not only general rules on data quality, legitimate processing, data retention, data subject rights, security and accountability, but also specific provisions regarding the processing of health data or other sensitive personal information, further processing for research purposes, exemptions for law enforcement or national security purposes, and rules regarding liabilities, sanctions and redress.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:1809076",
    "title": "Privacy Compliance via Model Transformations",
    "authors": [
      "Thibaud Antignac",
      "Riccardo Scandariato",
      "Gerardo Schneider"
    ],
    "date": "2018",
    "platform": "hal",
    "sourceUrl": "https://cea.hal.science/cea-01809076v1",
    "pdfUrl": "https://cea.hal.science/cea-01809076/document",
    "doi": "",
    "abstract": "Due to the upcoming, more restrictive regulations (like the European GDPR), designing privacy preserving architectures for information systems is becoming a pressing concern for practitioners. In particular, verifying that a design is compliant with the regulations might be a challenging task for engineers. This work presents an approach based on model transformations, which guarantee that an architectural design encompasses regulation-oriented principles such as purpose limitation, or accountability of the data controller. Our work improves the state of the art along two main dimensions. The approach we propose (i) embeds privacy principles coming from regulations, thus helping to bridge the gap between the technical and the legal worlds, (ii) systematize the embedding of the privacy principles coming from regulations, thus enabling a constructive approach to privacy by design.",
    "topics": [
      "gdpr_compliance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:3806648",
    "title": "A Process for Assisting Privacy-by-Design Software Engineering",
    "authors": [
      "Selena Lamari",
      "Nadjia Benblidia",
      "Chouki Tibermacine",
      "Christelle Urtado",
      "Sylvain Vauttier"
    ],
    "date": "2022-06-15",
    "platform": "hal",
    "sourceUrl": "https://imt-mines-ales.hal.science/hal-03752802v1",
    "pdfUrl": "https://imt-mines-ales.hal.science/hal-03752802/document",
    "doi": "",
    "abstract": "Today, the mining of the vast troves of personal data contained in applications raises the issue of user privacy. Indeed, privacy is increasingly threatened by the spread of unethical practices by device and service providers. Despite the existence of privacy preservation standards such as the European General Data Protection Regulation (GDPR), effective since 2018, there is no widely adopted architectural solution for modeling and assessing privacy by design (PbD) of personal data, as proposed in the various principles of the GDPR. This article presents PRIvacy Assessment Model (PRIAM), which is an approach composed of a GDPR metamodel tooled with a Domain Specification Language and supports a process to protect personal data. The metamodel can be instantiated by architects and integrated in the design of their system, with minimum additional efforts to ensure compliance.",
    "topics": [
      "gdpr_compliance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:5045629",
    "title": "Creating a French dataset for artificial intelligence-assisted allergy diagnosis using semantic attributes and allergen multiplex technology",
    "authors": [
      "Guillaume Martinroche",
      "Julien Goret",
      "Pol-André Apoil",
      "Isabelle Annesi-Maesano",
      "Eric Fromentin",
      "Laurent Guilleminault",
      "Davide Caimmi",
      "Caroline Klingebiel",
      "Alain Didier",
      "Joana Vitte",
      "Pascal Demoly"
    ],
    "date": "2023-06-09",
    "platform": "hal",
    "sourceUrl": "https://amu.hal.science/hal-05045629v1",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Background: Allergen multiplex assays are increasingly used as a precision medicine approach in difficult-to-diagnose allergic patients. It requires extensive knowledge in molecular allergology and appears very time-consuming for interpretation. We hypothesized that a nationwide dataset able to support artificial intelligence-assisted allergy diagnosis may improve the management of allergic patients. Method: The French Society of Allergology (SFA) and the Health Data Hub (HDH) partnered for the development of a retrospective dataset. Allergen multiplex collection was led by the specialized AllergoBioNet network of clinical laboratories. Board-certified allergists assessed allergy diagnosis, clinical history, and therapeutic management. Data scientists, epidemiologists and public health specialists from the Desbrest Institute of Epidemiology and Public Health (IDESP) and Trustii, encoded clinical items as semantic attributes and supervised the anonymization in compliance with European regulation 2016/679 (General Data Protection Regulation, GDPR) and French data protection laws. Results: Data were collected from 15 university hospitals spanning the French territory. A wide panel of complex conditions was obtained, including food and airborne allergy and anaphylaxis in 4000 patients aged 0–80 years. In a subset of patients, images from processed allergen multiplexes were collected as raw data for IgE antibody quantitation. The dataset will be open following an international crowdsourced machine learning competition held from April 1st to May 31st 2023. Conclusion: We report on the methodology and establishment of the first nationwide dataset of allergen multiplex and associated diagnostic and therapeutic data representative of allergies encountered in a Western European country. This dataset paves the way for an open-source diagnostic prediction tool for the practicing allergist.",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:2553985",
    "title": "Survey of Recent European Union Privacy Developments",
    "authors": [
      "W. Gregory Voss"
    ],
    "date": "2012-11",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-02553985v1",
    "pdfUrl": "https://hal.science/hal-02553985/document",
    "doi": "",
    "abstract": "The Spanish law implementing the European Union (EU) Data Protection Directive, advisory guidance on consent, facial recognition and biometric technologies from the European Union Article 29 Data Protection Working Party (WP29), and proposals for EU data protection law reform are analyzed in this survey piece. EU legislative processes are illustrated by a specific occurrence: Spanish Organic Law 15/1999 on the Protection of Personal Data is reviewed in the context of Court of Justice of the European Union (ECJ) joined cases, Asociación Nacional de Establecimientos Financieros de Crédito (ASNEF) v. Administración del Estado, and Federación de Comercio Electrónico y Marketing Directo (FECEMD) v. Administración del Estado. The addition of a condition for the processing of personal data not present in the 1995 Data Protection Directive was rejected, and in the process the ECJ case Productores de Música de España (Promusicae) v. Telefónica de España SAU is cited regarding the transposition of European directives into EU Member State national law. WP29 guidance on (i) consent to personal data processing, including in an employment relationship, and on (ii) the special risks involved in the use of facial recognition and biometric technologies, is discussed. Finally, the proposal by the European Commission of the General Data Protection Regulation is seen as the culmination of various trends in the development of EU data protection law.",
    "topics": [
      "gdpr_compliance",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "Business Lawyer",
    "language": "en"
  },
  {
    "id": "openaire:oai:bora.uib.no:11250/3013662",
    "title": "Automatic blurring of specific faces in video",
    "authors": [
      "Fonnes, Erlend"
    ],
    "date": "2022-01-01",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=oai:bora.uib.no:11250/3013662",
    "pdfUrl": "",
    "doi": "",
    "abstract": "With the introduction of the General Data Protection Regulation (GDPR) into European Union law, it became more important than ever before to properly handle personal data. This is an issue for media companies which distribute large amounts of media containing identifiable people, which thus may require the subjects' permission for distribution. In this Master's thesis, I propose a solution which supports and facilitates compliance with GDPR regarding the distribution of video containing identifiable subjects by automatically blurring a select group of people in the videos. The proposed solution is a pipeline for detecting, identifying and blurring select faces, where the video frames are processed like individual images to detect and recognize faces, and the interrelatedness of adjacent frames in continuous videos is exploited to improve both their prediction quality and running time. Each part of the pipeline is interchangeable and may be replaced individually, and the deployment of the entire pipeline has been automated. Aspects related to video processing, facial detection and facial recognition were explored for this purpose, and various existing tools and solutions were utilized.",
    "topics": [
      "gdpr_compliance",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W7114943903",
    "title": "Contributions à la sécurité du chiffrement homomorphe dans le modèle CPA^D",
    "authors": [
      "Checri, Marina"
    ],
    "date": "2025",
    "platform": "OpenAlex",
    "sourceUrl": "http://www.theses.fr/2025UPASG089/document",
    "pdfUrl": "http://www.theses.fr/2025UPASG089/document",
    "doi": "",
    "abstract": "Lorsqu'un utilisateur d'Instagram applique un filtre à l'une de ses photos, il demande en réalité au serveur d'Instagram (un serveur externe) d'effectuer des calculs sur les données de cette photo. De même, la recherche via la barre de recherche d'une boîte mail de tous les messages dont l'objet contient un mot spécifique, comme « Cryptologie », demande à un serveur (Google, Yahoo, Outlook, ...) d'effectuer des calculs sur des messages personnels. Les données d'un utilisateur peuvent être privées, personnelles, voire sensibles (secret bancaire, médical, industriel, défense). Avec la création et l'utilisation incessantes de données numériques, des inquiétudes ont émergé ces dernières années concernant la protection de ces données sensibles et personnelles. Des textes comme le RGPD ont été instaurés pour garantir leur confidentialité. Il est donc crucial de protéger les données tout au long de leur cycle de vie : lors de leur stockage, leur transmission et leur traitement. Pourtant, les protocoles actuels externalisés n'offrent pas de protection complète. Même si les données sont chiffrées pendant leur transfert et leur stockage, elles doivent être déchiffrées pour être traitées. Le serveur, dans ce cas, connaît donc les clefs secrètes. Une solution à ce problème réside dans le chiffrement homomorphe, ou FHE (Fully Homomorphic Encryption). Ces cryptosystèmes permettent d'effectuer des opérations directement sur des données chiffrées, sans avoir à les déchiffrer au préalable. Ainsi, le serveur exécute les calculs à l'aveugle, sans connaître le contenu des données ni celui des résultats (eux-mêmes chiffrés). Cela ouvre la possibilité d'externaliser des traitements complexes tout en préservant la confidentialité des informations traitées. Les principales limites actuelles sont le temps important des calculs (qui ne permettent pas pour le moment d'envisager des applications en temps réel, avec des calculs sur données chiffrées parfois quelques millions de fois plus longs que sur des données en clair), et l'hypothèse implicite du modèle dit d'« honnêteté curieuse » qui suppose que les utilisateurs respectent toutes les règles, et qui, lorsqu'elle n'est pas garantie, peut présenter des failles de sécurité. Ces dernières années, l'amélioration des performances du FHE a conduit au développement de variantes multi-utilisateurs, autorisant des calculs sur des données issues de différentes sources, sans que ces dernières n'aient à se faire une confiance totale ou à partager leurs informations. Ce cadre s'adapte particulièrement bien à des cas d'usage concrets et sensibles, où plusieurs institutions pourraient bénéficier d'une mise en commun de leurs données, tout en respectant des contraintes éthiques, réglementaires ou commerciales. Le chiffrement homomorphe multi-utilisateurs semble ainsi offrir une voie réaliste vers la mise en œuvre de tels protocoles. Mais leur déploiement à grande échelle requiert une garantie de sécurité solide face à différentes classes d'attaques. Pour cela, il est essentiel d'identifier précisément les menaces. En cryptologie, prouver la sécurité d'un système implique de définir un modèle dans lequel on cadre ce qu'un adversaire, disons Eve, peut ou ne peut pas faire à partir des informations dont elle dispose. À ce jour, la sécurité du FHE n'est pas suffisamment bien comprise au-delà du modèle de base qu'est le CPA (Chosen Plaintext Attack). Cette thèse a pour but de contribuer à clarifier la sécurité du FHE dans des régimes qui vont au-delà de CPA. Nous nous concentrons donc sur un modèle de sécurité spécifique, nommé CPA^D, dans lequel notre adversaire dispose d'un peu plus de pouvoir qu'un adversaire CPA, car dans ce modèle, Eve peut également demander le déchiffrement de chiffrés bien formés. Ainsi, dans cette thèse, nous menons des attaques et proposons de nouvelles constructions afin d'améliorer la compréhension des propriétés de sécurité du FHE dans ce modèle de sécurité qu'est le modèle CPA^D.",
    "topics": [
      "privacy_engineering",
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.55,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2791050430",
    "title": "Dataskyddsförordningens tillämplighet vid personuppgiftshantering i molntjänster : En studie av Dataskyddsförordningen, utifrån perspektivet användande av molntjänster",
    "authors": [
      "Lovisa Johnsson"
    ],
    "date": "2017",
    "platform": "OpenAlex",
    "sourceUrl": "http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-137192",
    "pdfUrl": "http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-137192",
    "doi": "",
    "abstract": "För att förbättra säkerhetsarbetet och för att skapa harmonisering inom EU vad gäller skydd av personuppgifter antogs i april år 2016 en ny EU-förordning om dataskydd, General Data Protection Regulation (GDPR), även benämnd Dataskyddsförordningen. Förordningen börjar gälla som lag i Sverige först den 25 maj år 2018. Införandet av förordningen kommer innebära att Europaparlamentets och rådets direktiv 95/46/EG av den 24 oktober 1995 om skydd för enskilda personer med avseende på behandling av personuppgifter och om det fria flödet av sådana uppgifter samt Personuppgiftslagen (1998:204) (PUL) upphör att gälla. Det huvudsakliga syftet med Dataskyddsförordningen är att ytterligare harmonisera och effektivisera skyddet av personuppgifter för att förbättra den inre marknadens funktion samt att öka den enskildas kontroll över sina personuppgifter. Dataskyddsförordningen är direkt tillämplig som lag i samtliga medlemsländer och kommer efter ikraftträdande utgöra grunden för generell personuppgiftsbehandling inom hela EU. Det har under de senaste åren blivit allt mer vanligt att företag, organisationer, kommuner och myndigheter använder sig av molntjänster. Molntjänster är intressanta ur ett juridiskt perspektiv eftersom de mest uppmärksammade juridiska frågeställningarna angående molntjänster är frågor hänförliga till hantering av personuppgifter och säkerhet. I uppsatsen redogörs för införandet av Dataskyddsförordningen (GDPR) utifrån perspektivet företags, organisationer, kommuners och myndigheters användande av molntjänster. I uppsatsen beskrivs även molntjänsters funktioner och egenskaper. Dataskyddsförordningen är nyligen antagen och utgör ännu inte svensk lag, förordningen baseras däremot i stora delar på Dataskyddsdirektivets innehåll och struktur. Dataskyddsdirektivet och PUL studeras därför i uppsatsen för att få en förståelse för bestämmelserna i Dataskyddsförordningen. 
Molntjänster finns i flera olika tekniska lösningar och är även gränsöverskridande, vilket innebär att användande av molntjänster i vissa fall innebär att personuppgifter överförs till ett tredje land. Uppsatsen behandlar därmed tillämpliga bestämmelser avseende överföringar av personuppgifter till tredje land. Uppsatsen avslutas med en analys och en slutsats. I slutsatsen konstateras att förordningen ger ett förstärkt skydd för den registrerade vid hantering av personuppgifter i molntjänster samt att förordningens utökade territoriella tillämpningsområde innebär att förordningen är bättre anpassad till molntjänstanvändande. Vidare konstateras i slutsatsen att rättsläget för överföringar av personuppgifter till USA med stöd av Privacy Shield-överenskommelsen för närvarande är osäkert.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "KTH Publication Database DiVA (KTH Royal Institute of Technology)",
    "language": "sv"
  },
  {
    "id": "https://openalex.org/W2966953153",
    "title": "Är slutet nära för Privacy Shield? - En analys av huruvida Privacy Shield-beslutet är förenligt med det europeiska dataskyddet",
    "authors": [
      "Erica Juhlin"
    ],
    "date": "2019",
    "platform": "OpenAlex",
    "sourceUrl": "http://lup.lub.lu.se/student-papers/record/8977211",
    "pdfUrl": "http://lup.lub.lu.se/student-papers/record/8977211",
    "doi": "",
    "abstract": "With the fast development in information technology, personal data is increasingly being processed and interchanged cross-border. Processing and transfer of personal data is associated with a risk that the individual's privacy protection is disregarded. The EU has strong data protection legislation and a strong protection of the personal data of EU citizens. The U.S. does not have as strong data protection legislation. The U.S. is at the same time an important trading partner and both the EU and the U.S. have an interest in a system which enables transferral of personal data from the EU to the U.S. Transfers of personal data to a third country may take place after the European Commission finds that the third country ensures an adequate level of protection. This was done by the Commission and it decided, together with the Department of Commerce (DoC), on a framework called the EU-US Safe Harbor. The Safe Harbor allowed transfers from the EU to U.S. organizations, provided that the organizations joined the framework and thus ensured that they adhered to the Safe Harbor Principles. In a case in the Court of Justice of the European Union, Maximilian Schrems had the Safe Harbor decision declared invalid. The Court declared that the Commission did not provide sufficient reasons that the U.S. ensured an adequate level of protection, which meant a level of protection of fundamental rights essentially equivalent to what is guaranteed in the EU legal order. The Commission, together with the DoC, implemented a new decision — the Privacy Shield. The decision is an updated version of the Safe Harbor and it is presently valid. It consists of a number of principles about how personal data transferred from the EU to the U.S. should be treated and different oversight and enforcement mechanisms to ensure compliance with the principles. Although the Privacy Shield is an updated version of the Safe Harbor, it is not certain that the decision is compatible with European data protection. It is a complex decision and it is difficult for both companies and individuals to apply the decision. The lack of clarity has a negative impact on the data subjects’ rights. The Privacy Shield was adopted when the Data Protection Directive was in force. The General Data Protection Regulation (GDPR) came into force on May 25, 2018, and is applicable in all EU countries. However, companies established outside the Union, which inter alia offer goods and services to registered persons in the EU, are covered by the regulation. The GDPR is more detailed and complex than the Data Protection Directive, and the Privacy Shield Principles need to be updated, in order to comply with the GDPR. Schrems has once again attempted to have the decision on the transfer of personal data between the EU and the United States annulled, this time the Privacy Shield decision. Schrems argues that it does not maintain sufficient protection for the rights of EU citizens. The case has not yet been decided, but it shows that the question is highly relevant.",
    "topics": [
      "gdpr_compliance",
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Enforcement",
      "Sector Regulations"
    ],
    "relevanceScore": 0.55,
    "venue": "Lund University Publications Student Papers (Lund University)",
    "language": "sv"
  },
  {
    "id": "doaj:7be398f453c045aa8bf74ae324ecd1f4",
    "title": "Privacy leakage risk assessment for reversible neural network",
    "authors": [
      "Yifan HE, Jie ZHANG, Weiming ZHANG, Nenghai YU"
    ],
    "date": "2023",
    "platform": "doaj",
    "sourceUrl": "https://www.infocomm-journal.com/cjnis/CN/10.11959/j.issn.2096-109x.2023051",
    "pdfUrl": "",
    "doi": "10.11959/j.issn.2096-109x.2023051",
    "abstract": "In recent years, deep learning has emerged as a crucial technology in various fields. However, the training process of deep learning models often requires a substantial amount of data, which may contain private and sensitive information such as personal identities and financial or medical details. Consequently, research on the privacy risk associated with artificial intelligence models has garnered significant attention in academia. However, privacy research in deep learning models has mainly focused on traditional neural networks, with limited exploration of emerging networks like reversible networks. Reversible neural networks have a distinct structure where the upper information input can be directly obtained from the lower output. Intuitively, this structure retains more information about the training data, potentially resulting in a higher risk of privacy leakage compared to traditional networks. Therefore, the privacy of reversible networks was discussed from two aspects: data privacy leakage and model function privacy leakage. The risk assessment strategy was applied to reversible networks. Two classical reversible networks were selected, namely RevNet and i-RevNet. And four attack methods were used accordingly, namely membership inference attack, model inversion attack, attribute inference attack, and model extraction attack, to analyze privacy leakage. The experimental results demonstrate that reversible networks exhibit more serious privacy risks than traditional neural networks when subjected to membership inference attacks, model inversion attacks, and attribute inference attacks. And reversible networks have similar privacy risks to traditional neural networks when subjected to model extraction attack. Considering the increasing popularity of reversible neural networks in various tasks, including those involving sensitive data, it becomes imperative to address these privacy risks. Based on the analysis of the experimental results, potential solutions were proposed which can be applied to the development of reversible networks in the future.",
    "topics": [
      "llm_privacy_attacks"
    ],
    "painPointTracks": [
      "AI Training PII"
    ],
    "relevanceScore": 0.537,
    "venue": "网络与信息安全学报",
    "language": "en"
  },
  {
    "id": "doaj:17de6675c7474d88991fa729247439d2",
    "title": "Mathematics, risk, and messy survey data",
    "authors": [
      "Kristi Anne Thompson",
      "Carolyn Sullivan"
    ],
    "date": "2020",
    "platform": "doaj",
    "sourceUrl": "https://iassistquarterly.com/index.php/iassist/article/view/979",
    "pdfUrl": "",
    "doi": "10.29173/iq979",
    "abstract": "Research funder mandates, such as those from the U.S. National Science Foundation (2011), the Canadian Tri-Agency (draft, 2018), and the UK Economic and Social Research Council (2018) now often include requirements for data curation, including where possible data sharing in an approved archive. Data curators need to be prepared for the potential that researchers who have not previously shared data will need assistance with cleaning and depositing datasets so that they can meet these requirements and maintain funding. Data de-identification or anonymization is a major ethical concern in cases where survey data is to be shared, and one which data professionals may find themselves ill-equipped to deal with. This article is intended to provide an accessible and practical introduction to the theory and concepts behind data anonymization and risk assessment, will describe a couple of case studies that demonstrate how these methods were carried out on actual datasets requiring anonymization, and discuss some of the difficulties encountered. Much of the literature dealing with statistical risk assessment of anonymized data is abstract and aimed at computer scientists and mathematicians, while material aimed at practitioners often does not consider more recent developments in the theory of data anonymization. We hope that this article will help bridge this gap.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.537,
    "venue": "IASSIST Quarterly",
    "language": "en"
  },
  {
    "id": "doaj:1ffca5ada9e0499287f20ddc0a86da46",
    "title": "A comprehensive dataset of customer behavior in Latin American Fintech: 12-month transactional and demographic data for churn analysisMendeley Data",
    "authors": [
      "Luis Eduardo Muñoz-Guerrero, Ph.D.",
      "Yony Fernando Ceballos, Ph.D.",
      "Luis David Trejos-Rojas"
    ],
    "date": "2026",
    "platform": "doaj",
    "sourceUrl": "http://www.sciencedirect.com/science/article/pii/S2352340926000375",
    "pdfUrl": "",
    "doi": "10.1016/j.dib.2026.112484",
    "abstract": "This article introduces COFINFAD (Colombian Fintech Financial Analytics Dataset), a single-company 12-month dataset containing comprehensive behavioral information from 48,723 customers (representing the complete active customer base) of a Colombian fintech company. The dataset spans January 4 to December 29, 2023, capturing 3,159,157 transactions alongside demographic profiles, product usage patterns, customer satisfaction metrics, and digital app engagement behaviors. Data collection involved API integration with the company’s CRM system, transaction databases, and customer surveys (6,965 respondents, 14.3% response rate), while prioritizing customer privacy through multi-layered anonymization (pseudonymization, generalization, k-anonymity verification). The dataset comprises 57 variables including transaction frequency and value, product portfolio composition (savings, credit cards, loans, investments, insurance), customer satisfaction scores, Net Promoter Score (NPS), app login frequency, feature usage patterns, and support interaction metrics—all measured in Colombian Pesos (COP). COFINFAD is distinguished by its integrated multi-dimensional design, combining transactional, demographic, satisfaction, and digital engagement data unavailable in existing publicly available fintech datasets. The dataset is openly accessible via Mendeley Data (DOI: 10.17632/mhb4zn3258.1) under CC BY 4.0 license, adhering to FAIR (Findable, Accessible, Interoperable, Reusable) data principles.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.537,
    "venue": "Data in Brief",
    "language": "en"
  },
  {
    "id": "doaj:009a2bc1fc1b407bb2f546b7eab9c6ec",
    "title": "Ocena skutków dla ochrony danych",
    "authors": [
      "Aleksandra  Pyka"
    ],
    "date": "2020",
    "platform": "doaj",
    "sourceUrl": "https://pressto.amu.edu.pl/index.php/spp/article/view/24454",
    "pdfUrl": "",
    "doi": "10.14746/spp.2020.2.30.6",
    "abstract": "This article deals with the issue of impact assessment for the protection of personal data. This is a new obligation for the controller. The article presents the essence of impact assessment (DPIA), exclusion from the obligation to carry it out, the prerequisite for mandatory DPIA, the role of the data protection officer and the powers of the supervisory authority. The analysis of legal provisions related to the impact assessment presented here does not refer to specific situations, due to the wide scope for interpreting specific phrases contained in the General Regulation. Nevertheless, the article discusses the issue of conducting data protection impact assessments as one of the most problematic obligations incumbent on the controller, who in practice raises many doubts. The DPIA has been imprecisely regulated by the EU legislator, thus leaving controllers plenty of leeway to interpret the terms used in the General Regulation. In addition, carrying out a DPIA in practice (as a new obligation on entities setting the purposes and means of data processing) can be problematic due to the lack of harmonized methods for conducting a data protection impact assessment. However, controllers cannot assign DPIA implementation to other entities involved in data processing, such as an entity processing personal data on behalf of another. Entities setting the purposes and methods of data processing should not only take into account the provisions of the General Regulation but also a list of data processing operations that are obligatorily subject to DPIA. Controllers fulfilling the obligation to carry out a data protection impact assessment will be obliged by the supervisory authority to demonstrate how to carry out a data protection impact assessment.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "Studia Prawa Publicznego",
    "language": "en"
  },
  {
    "id": "doaj:e685338ec2b7476f8cdad4ae7d2209c5",
    "title": "A bidirectional reversible and multilevel location privacy protection method based on attribute encryption.",
    "authors": [
      "Zhaowei Hu",
      "Kaiyi Hu",
      "Milu Md Khaled Hasan"
    ],
    "date": "2024",
    "platform": "doaj",
    "sourceUrl": "https://doi.org/10.1371/journal.pone.0309990",
    "pdfUrl": "",
    "doi": "10.1371/journal.pone.0309990",
    "abstract": "Various methods such as k-anonymity and differential privacy have been proposed to safeguard users' private information in the publication of location service data. However, these typically employ a rigid \"all-or-nothing\" privacy standard that fails to accommodate users' more nuanced and multi-level privacy-related needs. Data is irrecoverable once anonymized, leading to a permanent reduction in location data quality, in turn significantly diminishing data utility. In the paper, a novel, bidirectional and multi-layered location privacy protection method based on attribute encryption is proposed. This method offers layered, reversible, and fine-grained privacy safeguards. A hierarchical privacy protection scheme incorporates various layers of dummy information, using an access structure tree to encrypt identifiers for these dummies. Multi-level location privacy protection is achieved after adding varying amounts of dummy information at different hierarchical levels N. This allows for precise control over the de-anonymization process, where users may adjust the granularity of anonymized data based on their own trust levels for multi-level location privacy protection. This method includes an access policy which functions via an attribute encryption-based access control system, generating decryption keys for data identifiers according to user attributes, facilitating a reversible transformation between data anonymity and de-anonymity. The complexities associated with key generation, distribution, and management are thus markedly reduced. Experimental comparisons with existing methods demonstrate that the proposed method effectively balances service quality and location privacy, providing users with multi-level and reversible privacy protection services.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.537,
    "venue": "PLoS ONE",
    "language": "en"
  },
  {
    "id": "doaj:13bfebd609e14aea92b00de271eea680",
    "title": "Integration of Biobanks in National eHealth Ecosystems Facilitating Long-Term Longitudinal Clinical-Omics Studies and Citizens' Engagement in Research Through eHealthBioR",
    "authors": [
      "Athos Antoniades",
      "Maria Papaioannou",
      "Apostolos Malatras",
      "Gregory Papagregoriou",
      "Heimo Müller",
      "Heimo Müller",
      "Petr Holub",
      "Constantinos Deltas",
      "Christos N. Schizas"
    ],
    "date": "2021",
    "platform": "doaj",
    "sourceUrl": "https://www.frontiersin.org/articles/10.3389/fdgth.2021.628646/full",
    "pdfUrl": "",
    "doi": "10.3389/fdgth.2021.628646",
    "abstract": "Biobanks have long existed to support research activities with BBMRI-ERIC formed as a European research infrastructure supporting the coordination for biobanking with 20 country members and one international organization. Although the benefits of biobanks to the research community are well-established, the direct benefit to citizens is limited to the generic benefit of promoting future research. Furthermore, the advent of General Data Protection Regulation (GDPR) legislation raised a series of challenges for scientific research especially related to biobanking associate activities and longitudinal research studies. Electronic health record (EHR) registries have long existed in healthcare providers. In some countries, even at the national level, these record the state of the health of citizens through time for the purposes of healthcare and data portability between different providers. The potential of EHRs in research is great and has been demonstrated in many projects that have transformed EHR data into retrospective medical history information on participating subjects directly from their physician's collected records; many key challenges, however, remain. In this paper, we present a citizen-centric framework called eHealthBioR, which would enable biobanks to link to EHR systems, thus enabling not just retrospective but also lifelong prospective longitudinal studies of participating citizens. It will also ensure strict adherence to legal and ethical requirements, enabling greater control that encourages participation. Citizens would benefit from the real and direct control of their data and samples, utilizing technology, to empower them to make informed decisions about providing consent and practicing their rights related to the use of their data, as well as by having access to knowledge and data generated from samples they provided to biobanks. 
This is expected to motivate patient engagement in future research and even leads to participatory design methodologies with citizen/patient-centric designed studies. The development of platforms based on the eHealthBioR framework would need to overcome significant challenges. However, it would shift the burden of addressing these to experts in the field while providing solutions enabling in the long term the lower monetary and time cost of longitudinal studies coupled with the option of lifelong monitoring through EHRs.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "Frontiers in Digital Health",
    "language": "en"
  },
  {
    "id": "doaj:1d39cd6ab333416bbd63106501d4a242",
    "title": "Patients’ knowledge, preferences, and perspectives about data protection and data control: an exploratory survey",
    "authors": [
      "Teodora Lalova-Spinks",
      "Teodora Lalova-Spinks",
      "Robbe Saesen",
      "Robbe Saesen",
      "Mitchell Silva",
      "Jan Geissler",
      "Iryna Shakhnenko",
      "Jennifer Catherine Camaradou",
      "Isabelle Huys"
    ],
    "date": "2024",
    "platform": "doaj",
    "sourceUrl": "https://www.frontiersin.org/articles/10.3389/fphar.2023.1280173/full",
    "pdfUrl": "",
    "doi": "10.3389/fphar.2023.1280173",
    "abstract": "Background: In the European Union, the General Data Protection Regulation (GDPR) plays a central role in the complex health research legal framework. It aims to protect the fundamental right to the protection of individuals’ personal data, while allowing the free movement of such data. However, it has been criticized for challenging the conduct of research. Existing scholarship has paid little attention to the experiences and views of the patient community. The aim of the study was to investigate 1) the awareness and knowledge of patients, carers, and members of patient organizations about the General Data Protection Regulation, 2) their experience with exercising data subject rights, and 3) their understanding of the notion of “data control” and preferences towards various data control tools.Methods: An online survey was disseminated between December 2022 and March 2023. Quantitative data was analyzed descriptively and inferentially. Answers to open-ended questions were analyzed using the thematic analysis method.Results: In total, 220 individuals from 28 European countries participated. The majority were patients (77%). Most participants had previously heard about the GDPR (90%) but had not exercised any of their data subject rights. Individual data control tools appeared to be marginally more important than collective tools. The willingness of participants to share personal data with data altruism organizations increased if patient representatives would be involved in the decision-making processes of such organizations.Conclusion: The results highlighted the importance of providing in-depth education about data protection. Although participants showed a slight preference towards individual control tools, the reflection based on existing scholarship identified that individual control holds risks that could be mitigated through carefully operationalized collective tools. 
The discussion of results was used to provide a critical view into the proposed European Health Data Space, which has yet to find a productive balance between individual control and allowing the reuse of personal data for research.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "Frontiers in Pharmacology",
    "language": "en"
  },
  {
    "id": "doaj:06bf51b7515848559c1fce9eb2ac7278",
    "title": "Differential Fault Attacks on Privacy Protocols Friendly Symmetric-Key Primitives: RAIN and HERA",
    "authors": [
      "Lin Jiao",
      "Yongqiang Li",
      "Yonglin Hao",
      "Xinxin Gong"
    ],
    "date": "2024",
    "platform": "doaj",
    "sourceUrl": "http://dx.doi.org/10.1049/2024/7457517",
    "pdfUrl": "",
    "doi": "10.1049/2024/7457517",
    "abstract": "As the practical applications of fully homomorphic encryption (FHE), secure multi-party computation (MPC) and zero-knowledge (ZK) proof continue to increase, so does the need to design and analyze new symmetric-key primitives that can adapt to these privacy-preserving protocols. These designs typically have low multiplicative complexity and depth with the parameter domain adapted to their application protocols, aiming to minimize the cost associated with the number of nonlinear operations or the multiplicative depth of their representation as circuits. In this paper, we propose two differential fault attacks against a one-way function RAIN used for Rainier (CCS 2022), a signature scheme based on the MPC-in-the-head approach and an FHE-friendly cipher HERA used for the RtF framework (Eurocrypt 2022), respectively. We show that our attacks can recover the keys for both ciphers by only injecting a fault into the internal state and requiring only one normal and one faulty ciphertext blocks. Thus, we can use only the practical complexity of 226.6/228.8/230.4 bit operations to break the full-round RAIN with 128/192/256-bit keys. For full-round HERA with 80/128-bit key, our attack is practical with complexity the complexity of 220 encryptions with about 216 memory.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.537,
    "venue": "IET Information Security",
    "language": "en"
  },
  {
    "id": "doaj:122f60912ce94fae928f04ca10d84d64",
    "title": "Algebraic Attacks on RAIN and AIM Using Equivalent Representations",
    "authors": [
      "Fukang Liu",
      "Mohammad Mahzoun",
      "Morten Øygarden",
      "Willi Meier"
    ],
    "date": "2023",
    "platform": "doaj",
    "sourceUrl": "https://tosc.iacr.org/index.php/ToSC/article/view/11284",
    "pdfUrl": "",
    "doi": "10.46586/tosc.v2023.i4.166-186",
    "abstract": "Designing novel symmetric-key primitives for advanced protocols like secure multiparty computation (MPC), fully homomorphic encryption (FHE) and zero-knowledge proof systems (ZK), has been an important research topic in recent years. Many such existing primitives adopt quite different design strategies from conventional block ciphers. Notable features include that many of these ciphers are defined over a large finite field, and that a power map is commonly used to construct the nonlinear component due to its efficiency in these applications as well as its strong resistance against the differential and linear cryptanalysis. In this paper, we target the MPC-friendly ciphers AIM and RAIN used for the post-quantum signature schemes AIMer (CCS 2023 and NIST PQC Round 1 Additional Signatures) and Rainier (CCS 2022), respectively. Specifically, we can find equivalent representations of 2-round RAIN and full-round AIM, respectively, which make them vulnerable to either the polynomial method, or the crossbred algorithm, or the fast exhaustive search attack. Consequently, we can break 2-round RAIN with the 128/192/256-bit key in only 2111/2170/2225 bit operations. For full-round AIM with the 128/192/256-bit key, we could break them in 2136.2/2200.7/2265 bit operations, which are equivalent to about 2115/2178/2241 calls of the underlying primitives. In particular, our analysis indicates that AIM does not reach the required security levels by the NIST competition.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.537,
    "venue": "IACR Transactions on Symmetric Cryptology",
    "language": "en"
  },
  {
    "id": "doaj:1a0d06d407194293903d7dae54231b8c",
    "title": "SHAPER: A General Architecture for Privacy-Preserving Primitives in Secure Machine Learning",
    "authors": [
      "Ziyuan Liang",
      "Qi’ao Jin",
      "Zhiyong Wang",
      "Zhaohui Chen",
      "Zhen Gu",
      "Yanhheng Lu",
      "Fan Zhang"
    ],
    "date": "2024",
    "platform": "doaj",
    "sourceUrl": "https://tches.iacr.org/index.php/TCHES/article/view/11448",
    "pdfUrl": "",
    "doi": "10.46586/tches.v2024.i2.819-843",
    "abstract": "Secure multi-party computation and homomorphic encryption are two primary security primitives in privacy-preserving machine learning, whose wide adoption is, nevertheless, constrained by the computation and network communication overheads. This paper proposes a hybrid Secret-sharing and Homomorphic encryption Architecture for Privacy-pERsevering machine learning (SHAPER). SHAPER protects sensitive data in encrypted or randomly shared domains instead of relying on a trusted third party. The proposed algorithm-protocol-hardware co-design methodology explores techniques such as plaintext Single Instruction Multiple Data (SIMD) and fine-grained scheduling, to minimize end-to-end latency in various network settings. SHAPER also supports secure domain computing acceleration and the conversion between mainstream privacy-preserving primitives, making it ready for general and distinctive data characteristics. SHAPER is evaluated by FPGA prototyping with a comprehensive hyper-parameter exploration, demonstrating a 94x speed-up over CPU clusters on large-scale logistic regression training tasks.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.537,
    "venue": "Transactions on Cryptographic Hardware and Embedded Systems",
    "language": "en"
  },
  {
    "id": "doaj:9af535358f8f47f8929a74d125f9c3bb",
    "title": "Data protection legislation in Africa and pathways for enhancing compliance in big data health research",
    "authors": [
      "Nchangwi Syntia Munung",
      "Ciara Staunton",
      "Otshepeng Mazibuko",
      "P. J. Wall",
      "Ambroise Wonkam"
    ],
    "date": "2024",
    "platform": "doaj",
    "sourceUrl": "https://doi.org/10.1186/s12961-024-01230-7",
    "pdfUrl": "",
    "doi": "10.1186/s12961-024-01230-7",
    "abstract": "Abstract Background The increasing availability of large volumes of personal data from diverse sources such as electronic health records, research programmes, commercial genetic testing, national health surveys and wearable devices presents significant opportunities for advancing public health, disease surveillance, personalized medicine and scientific research and innovation. However, this potential is hampered by a lack of clarity related to the processing and sharing of personal health data, particularly across varying national regulatory frameworks. This often leaves researcher stakeholders uncertain about how to navigate issues around secondary data use, repurposing data for different research objectives and cross-border data sharing. Method We analysed 37 data protection legislation across Africa to identify key principles and requirements for processing and sharing of personal health and genetic data in scientific research. On the basis of this analysis, we propose strategies that data science research initiatives in Africa can implement to ensure compliance with data protection laws while effectively reusing and sharing personal data for health research and scientific innovation. Results In many African countries, health and genetic data are categorized as sensitive and subject to stricter protection. Key principles guiding the processing of personal data include confidentiality, non-discrimination, transparency, storage limitation, legitimacy, purpose specification, integrity, fairness, non-excessiveness, accountability and data minimality. The rights of data subjects include the right to be informed, the right of access, the right to rectification, the right to erasure/deletion of data, the right to restrict processing, the right to data portability and the right to seek compensation. Consent and adequacy assessments were the most common legal grounds for cross-border data transfers. 
However, considerable variation exists in legal requirements for data transfer across countries, potentially creating barriers to collaborative health research across Africa. Conclusions We propose several strategies that data science research initiatives can adopt to align with data protection laws. These include developing a standardized module for safe data flows, using trusted data environments to minimize cross-border transfers, implementing dynamic consent mechanisms to comply with consent specificity and data subject rights and establishing codes of conduct to govern the secondary use of personal data for health research and innovation.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "Health Research Policy and Systems",
    "language": "en"
  },
  {
    "id": "doaj:d7cb396529124116ace0428edf544b0e",
    "title": "European cybersecurity challenges and policy gaps. The Estonian experience in cybersecurity",
    "authors": [
      "Andreea Cosmina Foca"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://eurint.uaic.ro/proceedings/articles/EURINT2025_FOC.pdf",
    "pdfUrl": "https://eurint.uaic.ro/proceedings/articles/EURINT2025_FOC.pdf",
    "doi": "10.47743/eurint-2025-foc",
    "abstract": "Following the COVID-19 pandemic, the European Union has strengthened its cybersecurity policies to address the growing threats generated by increased digital dependence, including attacks on critical infrastructures, individuals, and businesses. While notable progress has been made, fragmentation remains a major challenge. Legal and regulatory advancements, such as the NIS2 Directive, the Cyber Resilience Act, and DORA, have harmonized standards and reduced disparities among Member States. Horizontal fragmentation between EU institutions and agencies has improved through strengthened ENISA competences and cooperation mechanisms like CERT-EU, the CSIRTs network, and CyCLONe, yet overlapping mandates and the absence of a central coordinating authority persist. Vertical fragmentation, involving the EU, Member States, and the private sector, remains pronounced, as sovereign prerogatives and limited information-sharing hinder coherence. This study evaluates the EU's post-pandemic cybersecurity framework, identifies structural and institutional challenges, and draws lessons from Estonia's cybersecurity model using qualitative analysis of EU strategies, ENISA and Europol reports, and academic literature.",
    "topics": [
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Sector Regulations"
    ],
    "relevanceScore": 0.537,
    "venue": "EURINT",
    "language": "en"
  },
  {
    "id": "europepmc:30116955",
    "title": "Germany: a fair balance between scientific freedom and data subjects' rights?",
    "authors": [
      "Molnár-Gábor F."
    ],
    "date": "2018-08-16",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1007/s00439-018-1912-1",
    "pdfUrl": "https://europepmc.org/articles/PMC6132636?pdf=render",
    "doi": "10.1007/s00439-018-1912-1",
    "abstract": "With the German Bundestag's adoption of the Data Protection Adaptation and Implementation Act EU (DSAnpUG-EU) on 30 June 2017, the adaptation of German law to the General Data Protection Regulation (GDPR) has begun (Gesetz zur Anpassung des Datenschutzrechts an die Verordnung (EU) 2016/679 und zur Umsetzung der Richtlinie (EU) 2016/680 (Datenschutz-Anpassungs- und -Umsetzungsgesetz-DSAnpUG-EU) v. 30. Juni 2017, BGBl. 2017 I p. 2097 et seq.). Despite being directly binding on all EU member states, the GDPR does not render national data protection provision obsolete-they are covered by the GDPR's opening clauses which include regulatory mandates and room for derogation. This creates considerable need for national legislative adaptation. Art. 1 DSAnpUG-EU contains the necessary amendments to the Federal Data Protection Law (BDSG(neu)), thus creating the second major building block of future German data protection alongside the GDPR itself. Nevertheless, there are still numerous sector-specific regulations in other federal laws and the data protection laws of the 16 states also need amendments. Adjustment in Germany is well on its way, but implementation in general is still ongoing, with further consequences for data processing and sharing.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "Human genetics",
    "language": "de"
  },
  {
    "id": "europepmc:41732183",
    "title": "SYNNER synthetic data generator framework.",
    "authors": [
      "Tissot H",
      "Moore J",
      "Benton E",
      "Alshahrani S",
      "Helena Franciscatto M",
      "Del Fabro MD."
    ],
    "date": "2026-01-01",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1177/20552076251411621",
    "pdfUrl": "https://europepmc.org/articles/PMC12924992?pdf=render",
    "doi": "10.1177/20552076251411621",
    "abstract": "<h4>Objectives</h4>Sharing medical data is hampered by technical, regulatory, and privacy challenges, including compliance with the Health Insurance Portability and Accountability Act of 1996. However, existing data anonymization methods are error-prone or vulnerable to re-identification, and synthetic data generation approaches are limited. This study introduces SYNNER, a novel synthetic data generation framework that overcomes existing limitations, preserving data utility while ensuring privacy.<h4>Methods</h4>We employ knowledge graph embeddings to encode data into a k-dimensional space, capturing complex relationships. For each entity, its nearest neighbors are identified, and their characteristics are used to generate a synthetic version that maintains statistical consistency. We evaluated SYNNER on seven publicly available datasets, measuring the preservation of original data signals and comparing macro-F1 scores across prediction tasks. A novel evaluation protocol for differential privacy was also introduced, simulating an adversarial attack to infer missing values.<h4>Results</h4>The evaluation shows that SYNNER maintains an average of 83.2% of the signals from the original datasets. In predictive tasks, models trained on SYNNER-generated data achieved a proportional average macro-F1 score of 74.4%, comparable to those trained on the original data. The proposed evaluation protocol for differential privacy assesses whether synthetic datasets meet expected privacy standards and highlights potential risks of individual data point reconstruction.<h4>Conclusion</h4>SYNNER provides a scalable and effective solution for generating synthetic data that maintains statistical fidelity. It overcomes the limitations of existing methods, providing a privacy-preserving solution for synthetic data generation and advancing research in sensitive domains such as healthcare.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.537,
    "venue": "Digital health",
    "language": "de"
  },
  {
    "id": "europepmc:40739149",
    "title": "A privacy preserving machine learning framework for medical image analysis using quantized fully connected neural networks with TFHE based inference.",
    "authors": [
      "Selvakumar S",
      "Senthilkumar B."
    ],
    "date": "2025-07-30",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1038/s41598-025-07622-1",
    "pdfUrl": "https://europepmc.org/articles/PMC12310975?pdf=render",
    "doi": "10.1038/s41598-025-07622-1",
    "abstract": "Medical image analysis using deep learning algorithms has become a basis of modern healthcare, enabling early detection, diagnosis, treatment planning, and disease monitoring. However, sharing sensitive raw medical data with third parties for analysis raises significant privacy concerns. This paper presents a privacy-preserving machine learning (PPML) framework using a Fully Connected Neural Network (FCNN) for secure medical image analysis using the MedMNIST dataset. The proposed PPML framework leverages a torus-based fully homomorphic encryption (TFHE) to ensure data privacy during inference, maintain patient confidentiality, and ensure compliance with privacy regulations. The FCNN model is trained in a plaintext environment for FHE compatibility using Quantization-Aware Training to optimize weights and activations. The quantized FCNN model is then validated under FHE constraints through simulation and compiled into an FHE-compatible circuit for encrypted inference on sensitive data. The proposed framework is evaluated on the MedMNIST datasets to assess its accuracy and inference time in both plaintext and encrypted environments. Experimental results reveal that the PPML framework achieves a prediction accuracy of 88.2% in the plaintext setting and 87.5% during encrypted inference, with an average inference time of 150 milliseconds per image. This shows that FCNN models paired with TFHE-based encryption achieve high prediction accuracy on MedMNIST datasets with minimal performance degradation compared to unencrypted inference.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "de"
  },
  {
    "id": "europepmc:41295085",
    "title": "Rethinking Privacy in Medical Imaging AI: From Metadata and Pixel-Level Identification Risks to Federated Learning and Synthetic Data Challenges.",
    "authors": [
      "Giouroukou K",
      "Marias K",
      "Tsiknakis M",
      "Klontzas ME."
    ],
    "date": "2026-01-01",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1148/ryai.250273",
    "pdfUrl": "",
    "doi": "10.1148/ryai.250273",
    "abstract": "Metadata, which refers to nonimage information such as patient identifiers, acquisition parameters, and institutional details, have long been the primary focus of de-identification efforts when constructing datasets for artificial intelligence applications in medical imaging. However, it is now evident that information intrinsic to the image itself, at the pixel level (eg, intensity values), can also be exploited by deep learning models, potentially revealing sensitive patient data and posing privacy risks. This report discusses both metadata and sources of identifiable information in medical imaging studies, highlighting the potential risks of overlooking their presence. Privacy-preserving approaches such as federated learning and synthetic data generation are also reviewed, with emphasis on their limitations—particularly vulnerabilities to model inversion and inference attacks—that must be considered when developing and deploying artificial intelligence in medical imaging. Keywords: Privacy, Metadata, Synthetic, Federated Learning, Anonymization De-identification ©RSNA, 2025.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "de"
  },
  {
    "id": "https://openalex.org/W2966322590",
    "title": "Data protection in biobanks from a practical point of view: what must be taken into account during set-up and operation?",
    "authors": [
      "Johannes Drepper"
    ],
    "date": "2019",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1515/labmed-2018-0112",
    "pdfUrl": "https://www.degruyter.com/downloadpdf/journals/labm/43/6/article-p301.pdf",
    "doi": "https://doi.org/10.1515/labmed-2018-0112",
    "abstract": "The European General Data Protection Regulation (GDPR) incorporates many of the principles of data protection that were already in force in the past. Insofar the data protection requirements for German biobanks have not fundamentally changed since the GDPR became applicable in May 2018. In detail, however, new and relevant requirements have been added. Due to many derogation clauses that allow national deviations, federal and state laws must also be taken into account in Germany, depending on the legal form of the biobank or the supporting institution, which increases the complexity in individual cases. Research-oriented biobanks can still rely on informed, voluntary and explicit consent from patients or test persons. Other legal bases are also possible in certain cases. The information and transparency requirements have increased with the DSGVO, which has led to higher administrative costs. However, a major problem existed before and continues to exist in clarifying how biobanks deal with the right to know and the right not to know of their subjects, how this is explained in advance and which policy can be implemented in the long term, also in the context of targeted recruitment for later studies. The complexity of the regulatory framework and the resulting demands on biobanks make the development and implementation of standards unavoidable. In addition, it is recommended that such infrastructures be centralised, professionalised and equipped with the necessary resources.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "Journal of Laboratory Medicine",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4385884517",
    "title": "Generic Consents in Digital Ecosystems: Legal, Psychological, and Technical Perspectives",
    "authors": [
      "Bianca Steffes",
      "Simone Salemi",
      "Denis Feth",
      "Eduard C. Groen"
    ],
    "date": "2023",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1007/978-3-031-28643-8_13",
    "pdfUrl": "https://link.springer.com/content/pdf/10.1007/978-3-031-28643-8_13.pdf",
    "doi": "https://doi.org/10.1007/978-3-031-28643-8_13",
    "abstract": "Consent is an important authorization basis for the processing of personal data. According to the General Data Protection Regulation (GDPR), consents must be as specific and unambiguous as possible. In practice, however, this leads to users being overwhelmed by the large number of consent requests, which can ultimately be detrimental to freedom of choice. What the overwhelming number of requests for consent can lead to is reflected by the so-called cookie fatigue problem: users have become accustomed to accepting cookies on websites only to get rid of cookie banners as quickly as possible. As cookies do not always lead to the collection of personal data, the cookie fatigue problem cannot be transferred entirely to the problem we would like to address in this chapter. It only serves as an example for the consequences of overloading a data subject with requests for consent. As the GDPR demands that consent be informed and given freely, the current strategy of consent handling cannot be in the spirit of the data protection legislation. In this chapter, we present our vision of how consent can be integrated in the context of digital ecosystems from three perspectives: (1) achieving legal compliance according to data protection law, (2) demonstrating technical feasibility, and (3) assuring user-friendliness by adding cognition to the equation. Our approach aims to enable “generic consents” within a clearly defined scope and context. Although generic consents that serve as a “catch-all” are generally not allowed, we leverage the specific characteristics of digital ecosystems to impose limitations that can justify their use in this particular context. We will also detail the legal implications and present implementation options.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:2407.03732",
    "title": "Collection, usage and privacy of mobility data in the enterprise and public administrations",
    "authors": [
      "Alexandra Kapp"
    ],
    "date": "2024-07-04",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2407.03732v1",
    "pdfUrl": "https://arxiv.org/pdf/2407.03732v1",
    "doi": "10.56553/popets-2022-0117",
    "abstract": "Human mobility data is a crucial resource for urban mobility management, but it does not come without personal reference. The implementation of security measures such as anonymization is thus needed to protect individuals' privacy. Often, a trade-off arises as such techniques potentially decrease the utility of the data and limit its use. While much research on anonymization techniques exists, there is little information on the actual implementations by practitioners, especially outside the big tech context. Within our study, we conducted expert interviews to gain insights into practices in the field. We categorize purposes, data sources, analysis, and modeling tasks to provide a profound understanding of the context such data is used in. We survey privacy-enhancing methods in use, which generally do not comply with state-of-the-art standards of differential privacy. We provide groundwork for further research on practice-oriented research by identifying privacy needs of practitioners and extracting relevant mobility characteristics for future standardized evaluations of privacy-enhancing methods.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:2201.06446",
    "title": "Privacy-Preserving Maximum Matching on General Graphs and its Application to Enable Privacy-Preserving Kidney Exchange",
    "authors": [
      "Malte Breuer",
      "Ulrike Meyer",
      "Susanne Wetzel"
    ],
    "date": "2022-01-17",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2201.06446v2",
    "pdfUrl": "https://arxiv.org/pdf/2201.06446v2",
    "doi": "10.1145/3508398.3511509",
    "abstract": "To this day, there are still some countries where the exchange of kidneys between multiple incompatible patient-donor pairs is restricted by law. Typically, legal regulations in this context are put in place to prohibit coercion and manipulation in order to prevent a market for organ trade. Yet, in countries where kidney exchange is practiced, existing platforms to facilitate such exchanges generally lack sufficient privacy mechanisms. In this paper, we propose a privacy-preserving protocol for kidney exchange that not only addresses the privacy problem of existing platforms but also is geared to lead the way in overcoming legal issues in those countries where kidney exchange is still not practiced. In our approach, we use the concept of secret sharing to distribute the medical data of patients and donors among a set of computing peers in a privacy-preserving fashion. These computing peers then execute our new Secure Multi-Party Computation (SMPC) protocol among each other to determine an optimal set of kidney exchanges. As part of our new protocol, we devise a privacy-preserving solution to the maximum matching problem on general graphs. We have implemented the protocol in the SMPC benchmarking framework MP-SPDZ and provide a comprehensive performance evaluation. Furthermore, we analyze the practicality of our protocol when used in a dynamic setting (where patients and donors arrive and depart over time) based on a data set from the United Network for Organ Sharing.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:2209.02948",
    "title": "Assessing Software Privacy using the Privacy Flow-Graph",
    "authors": [
      "Feiyang Tang",
      "Bjarte M. Østvold"
    ],
    "date": "2022-09-07",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2209.02948v3",
    "pdfUrl": "https://arxiv.org/pdf/2209.02948v3",
    "doi": "10.1145/3549035.3561185",
    "abstract": "We increasingly rely on digital services and the conveniences they provide. Processing of personal data is integral to such services and thus privacy and data protection are a growing concern, and governments have responded with regulations such as the EU's GDPR. Following this, organisations that make software have legal obligations to document the privacy and data protection of their software. This work must involve both software developers that understand the code and the organisation's data protection officer or legal department that understands privacy and the requirements of a Data Protection and Impact Assessment (DPIA). To help developers and non-technical people such as lawyers document the privacy and data protection behaviour of software, we have developed an automatic software analysis technique. This technique is based on static program analysis to characterise the flow of privacy-related data. The results of the analysis can be presented as a graph of privacy flows and operations - that is understandable also for non-technical people. We argue that our technique facilitates collaboration between technical and non-technical people in documenting the privacy behaviour of the software. We explain how to use the results produced by our technique to answer a series of privacy-relevant questions needed for a DPIA. To illustrate our work, we show both detailed and abstract analysis results from applying our analysis technique to the secure messaging service Signal and to the client of the cloud service NextCloud and show how their privacy flow-graphs inform the writing of a DPIA.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "en"
  },
  {
    "id": "crossref:10.1093/grurint/ikac049",
    "title": "Artificial Intelligence and Data Protection: A Comparative Analysis of AI Regulation through the Lens of Data Protection in the EU and Brazil",
    "authors": [
      "Patricia Peck Pinheiro",
      "Helen Batista Battaglini"
    ],
    "date": "2022-11-05",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.1093/grurint/ikac049",
    "pdfUrl": "https://academic.oup.com/grurint/article-pdf/71/10/924/46810514/ikac049.pdf",
    "doi": "10.1093/grurint/ikac049",
    "abstract": "Artificial intelligence (AI) is already a major part of our daily lives. From unlocking our smartphones with our faces to receiving film recommendations on streaming platforms, AI is part of our routines. In recent years, a widespread adoption of AI technologies both by public and private agencies has been observed. Notwithstanding the many conveniences it has created, the use of AI also involves many risks for people individually and for society as a whole. For instance, it may jeopardise fundamental rights such as privacy and data protection or even intensify existing discrimination against minorities. For this reason, various nations are now facing the challenge of regulating AI without limiting its development. In terms of data protection, the European General Data Protection Regulation (GDPR) has been consistently applied and enforced in the European Union (EU) and has inspired many other data protection laws that came after it, such as the one in Brazil. In Brazil, the General Data Protection Law (LGPD) has finally come into force and is slowly being enforced. In 2021, a series of legislative initiatives concerning the development and use of AI systems drew the attention of governments, academics and the tech industry around the world. In the EU, the European Commission released a proposal for regulation in April that presents harmonised rules on AI. Meanwhile, in Brazil, in September, the Chamber of Deputies approved a rather superficial bill aiming to regulate AI in the country. Thus, one can wonder: what is the impact of data protection laws on AI regulations? And how could Brazil benefit once again from following the EU’s lead on regulating AI? In order to answer these questions, this article begins by explaining the concept of AI. It then presents the relation between AI and privacy and data protection as well as the main principles that guide privacy and data protection under both EU and Brazilian data protection laws. Subsequently, it introduces the EU legal framework for AI and focuses on the risk-based approach. Later, it presents the proposed Brazilian bill, focusing on its main principles from a comparative perspective with the EU. Finally, it will conclude how Brazil can benefit from taking inspiration from the EU experience on AI regulation.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "GRUR International",
    "language": "en"
  },
  {
    "id": "crossref:10.55009/bilisimhukukudergisi.1510104",
    "title": "PERSONAL DATA BREACH ON THE INTERNET: A CASE STUDY ON GOOGLE FONT",
    "authors": [
      "Kazım Ateş",
      "Ersin Çağlar"
    ],
    "date": "2024-12-30",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.55009/bilisimhukukudergisi.1510104",
    "pdfUrl": "",
    "doi": "10.55009/bilisimhukukudergisi.1510104",
    "abstract": "Web pages have maintained their popularity from the moment the internet entered our lives becoming a social media catalogue for every sector. Websites facilitated and accelerated many processes such as reaching target audiences, advertising, or sales. Thus, the presence of every sector in the social environment was ensured. With the development of information technology, design opportunities have also developed and the visuality and attractiveness of web pages have gradually increased. Video and text effects are at the top of the design possibilities. Apart from the attractive possibilities of these developing design possibilities, they have also been used for malicious purposes such as stealing or damaging information. This study addresses how the use of Google Fonts conflicts with the European Union's General Data Protection Regulation (GDPR) and the ways to solve this problem. The GDPR has introduced strict rules on the protection and processing of personal data. However, Google Fonts, which is widely used by web developers and designers, sends users' IP addresses to Google's servers without explicitly stating how this data is processed. This is contrary to the GDPR principles of transparency and data minimization. This article elaborates on the privacy implications of using Google Fonts as well as the GDPR violations. As a solution, this study introduces alternatives such as local font hosting, open-source font libraries, and associated best practices. It also emphasizes the significance of the adoption of privacy-oriented design principles by web developers and designers and discusses the potential of these approaches to achieve GDPR compliance. In terms of theoretical and practical perspective, this study aims to provide a roadmap for harmonizing the use of Google Fonts and similar services with applicable privacy-related legislation.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "Bilişim Hukuku Dergisi",
    "language": "en"
  },
  {
    "id": "crossref:10.69554/cfeg3902",
    "title": "Observing 2021–22 data breach decisions of the Irish Data Protection Commission",
    "authors": [
      "Marie C. Daly"
    ],
    "date": "2023-01-01",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.69554/cfeg3902",
    "pdfUrl": "",
    "doi": "10.69554/cfeg3902",
    "abstract": "The Irish Data Protection Commission (DPC) regulates many of the top global technology companies and as such its decisions have a significant impact on the companies and on the many users of their platforms. This article examines a number of recent data breach decisions of the DPC and finds them forensic, focused, reasoned and formulaic in approach. The decisions deal with key General Data Protection Regulation (GDPR) provisions, notably on requirements for data breach notification and communication with data subjects. In a change of strategy earlier this year, the DPC no longer offers guidance to controllers dealing with a breach, as was its previous practice. Decisions such as these are likely to help fill that vacuum.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "Journal of Data Protection & Privacy",
    "language": "en"
  },
  {
    "id": "crossref:10.4018/978-1-5225-9489-5.ch008",
    "title": "Erosion by Standardisation",
    "authors": [
      "Athena Christofi",
      "Pierre Dewitte",
      "Charlotte Ducuing",
      "Peggy Valcke"
    ],
    "date": "2020",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.4018/978-1-5225-9489-5.ch008",
    "pdfUrl": "https://www.igi-global.com/viewtitle.aspx?TitleId=255197",
    "doi": "10.4018/978-1-5225-9489-5.ch008",
    "abstract": "This chapter examines the interplay between the GDPR and parallel private regulation in the form of privacy-related standards adopted by the International Organisation for Standardisation (ISO). Focusing on the understanding of ‘risks’ in the GDPR and ISO respective ecosystems, it compares the GDPR requirement for Data Protection Impact Assessments (DPIAs) with ISO/IEC 29134:2017, a private standard on Privacy Impact Assessment explicitly referred to by EU Data Protection Authorities as relevant in the context of DPIA methods. The resulting gap analysis identifies and maps misalignments, critically reflecting on whether the parallel form of ISO regulation, in the context of DPIAs, could support or rather blurs GDPR's objective to protect fundamental rights by embracing a risks-based approach.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "Advances in Information Security, Privacy, and Ethics",
    "language": "en"
  },
  {
    "id": "openaire:10.1093/oso/9780192896476.003.0011",
    "title": "Conclusion",
    "authors": [
      "Dara Hallinan"
    ],
    "date": "2021-03-11",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1093/oso/9780192896476.003.0011",
    "pdfUrl": "",
    "doi": "10.1093/oso/9780192896476.003.0011",
    "abstract": "This concluding chapter argues that European data protection law, under the General Data Protection Regulation (GDPR), can and ought to be looked at to play a central role in the protection of genetic privacy in biobanking in Europe. In the first instance, the substantive framework presented by the GDPR already offers an impressive baseline level of protection for genetic privacy. In turn, while numerous problems with this baseline standard of protection are identifiable, the GDPR offers the normative flexibility to accommodate solutions to these problems, as well as the procedural mechanisms to facilitate the realisation of solutions. The interaction between GDPR and biobanking is still, however, in the early stages. Whether this potential is realised now depends on the decisions and actions of regulatory stakeholders in the biobanking space. Their decisions have the potential to optimise or undermine the GDPR as a system for the protection of genetic privacy in biobanking. The biobanking community also have consequential choices as to how they perceive and operationalise the GDPR.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.54473/ijtret.2025.9503",
    "title": "STATISTICAL ANALYSIS OF AI SECURITY METRICS AND ORGANIZATIONAL COMPLIANCE WITH DATA PROTECTION STANDARDS",
    "authors": [
      "ASERE Gbenga Femi",
      "CHRIS-ALOFE Mary Folashade",
      "ABDULRAHMAN Musa Ali"
    ],
    "date": "2025-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.54473/ijtret.2025.9503",
    "pdfUrl": "",
    "doi": "10.54473/ijtret.2025.9503",
    "abstract": "As artificial intelligence (AI) becomes increasingly integrated into cybersecurity systems, assessing its performance in relation to data protection compliance has become a critical area of study. This research investigates the statistical relationship between AI-based security performance metrics and organizational compliance with data protection standards, focusing on frameworks such as the Nigeria Data Protection Regulation (NDPR) and the General Data Protection Regulation (GDPR). Using Canonical Correlation Analysis (CCA), the study examines multivariate data collected from a sample of organizations across key sectors including finance, education, and healthcare. AI security performance was measured through indicators such as detection accuracy, false positive rate, and response time, while compliance was assessed through audit scores, policy implementation levels, and employee awareness training. The analysis reveals statistically significant associations between AI performance and compliance outcomes, suggesting that organizations with higher data protection compliance tend to also exhibit more effective AI-based security operations. These findings support the hypothesis that regulatory alignment may enhance institutional cybersecurity maturity. The study contributes to the emerging field of regulatory-driven cybersecurity research and offers practical implications for policymakers, data protection officers, and IT security professionals seeking to optimize both AI systems and regulatory compliance frameworks. The paper concludes by recommending the integration of statistical monitoring tools for continuous assessment of AI performance in relation to evolving regulatory requirements.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:S1867299X25000194",
    "title": "AI at Risk in the EU: It’s Not Regulation, It’s Implementation",
    "authors": [
      "Judith Arnal"
    ],
    "date": "2025-03-27",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1017/err.2025.19",
    "pdfUrl": "",
    "doi": "10.1017/err.2025.19",
    "abstract": "The implementation of the General Data Protection Regulation (GDPR) in the EU, rather than the regulation itself, is holding back technological innovation. The EU’s data protection governance architecture is complex, leading to contradictory interpretations among Member States. This situation is prompting companies of all kinds to halt the deployment of transformative projects in the EU. The case of Meta is paradigmatic: both the UK and the EU broadly have the same regulation (GDPR), but the UK swiftly determined that Meta could train its generative AI model using first-party public data under the legal basis of legitimate interest, while in the EU, the European Data Protection Board (EDPB) took months to issue an Opinion that national authorities must still interpret and implement individually, leading to legal uncertainty. Similarly, the case of Deepseek has demonstrated how some national data protection authorities, such as the Italian Garante, have moved to ban the AI model outright, while others have opted for investigations. This fragmented enforcement landscape exacerbates regulatory uncertainty and hampers EU’s competitiveness, particularly for startups, which lack the resources to navigate an unpredictable compliance framework. For the EU to remain competitive in the global AI race, strengthening the EDPB’s role is essential.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "European Journal of Risk Regulation",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::66f95f8b98efa49134d4eff16ca6ff1b",
    "title": "SMOTE-DP: Improving Privacy-Utility Tradeoff with Synthetic Data",
    "authors": [
      "Zhou, Yan",
      "Malin, Bradley",
      "Kantarcioglu, Murat"
    ],
    "date": "2025-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.48550/arxiv.2506.01907",
    "pdfUrl": "",
    "doi": "10.48550/arxiv.2506.01907",
    "abstract": "Privacy-preserving data publication, including synthetic data sharing, often experiences trade-offs between privacy and utility. Synthetic data is generally more effective than data anonymization in balancing this trade-off, however, not without its own challenges. Synthetic data produced by generative models trained on source data may inadvertently reveal information about outliers. Techniques specifically designed for preserving privacy, such as introducing noise to satisfy differential privacy, often incur unpredictable and significant losses in utility. In this work we show that, with the right mechanism of synthetic data generation, we can achieve strong privacy protection without significant utility loss. Synthetic data generators producing contracting data patterns, such as Synthetic Minority Over-sampling Technique (SMOTE), can enhance a differentially private data generator, leveraging the strengths of both. We prove in theory and through empirical demonstration that this SMOTE-DP technique can produce synthetic data that not only ensures robust privacy protection but maintains utility in downstream learning tasks.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:5017320",
    "title": "Privacy and Utility Evaluation of Synthetic Tabular Data for Machine Learning",
    "authors": [
      "Felix Hermsen",
      "Avikarsha Mandal"
    ],
    "date": "2023-08-08",
    "platform": "hal",
    "sourceUrl": "https://inria.hal.science/hal-05017320v1",
    "pdfUrl": "https://inria.hal.science/hal-05017320/document",
    "doi": "10.1007/978-3-031-57978-3_17",
    "abstract": "Synthetic data generation approaches have attracted a lot of attention as a potential substitute for classical anonymization methods. However, synthetic data still pose a wide range of privacy risks, for example, dataset containing data points close to real data points, thus, increasing risks of linkage attacks. While differentially private generative models are generally considered immune to privacy attacks, it is not immediately evident how these models maintain privacy with reasonable utility. In this study, we evaluate the privacy and utility trade-offs in synthetic data generated by the state-of-the-art generative model CTGAN and its differentially private variant DPCTGAN for mixed tabular data domain. We conduct experiments using widely recognized benchmark datasets to highlight the importance of selecting optimal hyperparameters such that the model converges during training and produces synthetic data with satisfactory utility. Our experiments show that synthetic data generators, which were trained with differential privacy, may experience collapse during the training phase. While the addition of a smaller noise allows the training to converge, still could limit risks against privacy attacks such as membership inference and linkage.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.4337/9781803920887.00025",
    "title": "Persuasion, manipulation, choice architecture and dark patterns",
    "authors": [
      "Trzaskowski, Jan; id_orcid 0000-0002-4496-3824"
    ],
    "date": "2023-10-20",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.4337/9781803920887.00025",
    "pdfUrl": "",
    "doi": "10.4337/9781803920887.00025",
    "abstract": "The purpose of this chapter is to introduce and discuss the regulation of behaviour modification through the design of choice architecture in light of European Union data protection law (GDPR) and marketing law (UCPD). In data protection law 'consent' must reflect the data subject's genuine and informed choice. In marketing law the aim is to ensure that 'commercial practices' do not impair the consumer's ability to make free and informed decisions. The chapter focuses on the General Data Protection Regulation (GDPR), the ePrivacy Directive, the Unfair Commercial Practices Directive (UCPD) and the Digital Services Act (DSA).",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.56553/popets-2022-0082",
    "title": "On dark patterns and manipulation of website publishers by CMPs",
    "authors": [
      "Toth, Michael",
      "Bielova, Nataliia",
      "Roca, Vincent"
    ],
    "date": "2022-07-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.56553/popets-2022-0082",
    "pdfUrl": "https://inria.hal.science/hal-03577024/document",
    "doi": "10.56553/popets-2022-0082",
    "abstract": "<jats:p>Web technologies and services widely rely on data collection via tracking users on websites. In the EU, the collection of such data requires user consent thanks to the ePrivacy Directive (ePD), and the General Data Protection Regulation (GDPR). To comply with these regulations and integrate consent collection into their websites, website publishers often rely on third-party contractors, called Consent Management Providers (CMPs), that provide consent pop-ups as a service. Since the GDPR came in force in May 2018, the presence of CMPs continuously increased. In our work, we systematically study the installation and configuration process of consent pop-ups and their potential effects on the decision making of the website publishers. We make an in-depth analysis of the configuration process from ten services provided by five popular CMP companies and identify common unethical design choices employed. By analysing CMP services on an empty experimental website, we identify manipulation of website publishers towards subscription to the CMPs paid plans and then determine that default consent pop-ups often violate the law. We also show that configuration options may lead to non-compliance, while tracking scanners offered by CMPs manipulate publishers. Our findings demonstrate the importance of CMPs and design space offered to website publishers, and we raise concerns around the privileged position of CMPs and their strategies influencing website publishers.</jats:p>",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "Proceedings on Privacy Enhancing Technologies",
    "language": "en"
  },
  {
    "id": "openaire:10.1111/exsy.12855",
    "title": "A formal method for privacy‐preservation in cognitive smart cities",
    "authors": [
      "Mohammad Ayoub Khan"
    ],
    "date": "2021-10-24",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1111/exsy.12855",
    "pdfUrl": "",
    "doi": "10.1111/exsy.12855",
    "abstract": "<jats:title>Abstract</jats:title><jats:p>The Internet of things (IoT) and communication technologies are enabling the consumer to use the smart devices. The explosion of smart devices is shifting the IoT into a framework, which we call the cognitive IoT. The cognitive IoT can enhance many sectors such as smart cities, healthcare, industry 4.0, transportation, just to name a few. Most of the data produced in smart cities are wasted because the important information is not extracted due to lack of standard mechanism for knowledge extraction and archiving methods. This has attracted the attention of researcher to design new approaches of machine and cognitive learning that can handle vast amount of dynamic data. The cognitive smart city is the integration of IoT, smart city technology, real‐time big data analytics and artificial intelligence (AI) strategies for proactive actions. The services in smart cities relies on the collection and analysis of the data which are provided by the use themselves or accessed by the services providers. The citizen engagement is the key for success of smart city; however, the engagement may get reduced due to privacy concerns arising from data collection. Therefore, privacy‐preservation shall be achieved in a manner where valuable data is exchanged with service provider, and other third party while protecting the citizens' privacy, upholding data laws and enforcement. Therefore, there is a need to control the anonymization and mix some more techniques to preserve the quality of the data. The proposed formal method for privacy‐preservation in smart cities is based on pseudonymization, clustering, anonymization and differential privacy methods. The modified clustering algorithm selects the initial cluster based on the concept of dissimilarity between the data sequences. We have assessed the functional correctness and preformation of the proposed model for privacy‐preservation in smart cities. 
The proposed method has lower discriminating r",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1007/978-3-319-14717-8_22",
    "title": "Achieving Absolute Privacy Preservation in Continuous Query Road Network Services",
    "authors": [
      "Yankson Herbert Gustav",
      "Xiao Wu",
      "Yan Ren",
      "Yong Wang",
      "Fengli Zhang"
    ],
    "date": "2014-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1007/978-3-319-14717-8_22",
    "pdfUrl": "",
    "doi": "10.1007/978-3-319-14717-8_22",
    "abstract": "Research have shown that location semantics have lead to privacy leakages especially when two or more users in a cloaked region depict similar semantic locations. This implies that, to achieve absolute privacy(query privacy, location privacy and semantic location privacy) protection for a client on road network, it is important that cloaked users have their locations distinctly diverse with diverse semantics, and making diverse service request thus satisfying the k-anonymity and l-diversity conditions for privacy. Unfortunately, the determination of semantic location of a mobile user online is a challenge which makes the achievement of absolute privacy protection more challenging. In this paper, we developed a privacy preserving algorithm that protects a client’s absolute privacy for continuous query road network services. We employed an offline trajectory clustering algorithm and semantic location graph to aid the selection of cloaked users that will effectively protect the absolute privacy of a client. We evaluated the effectiveness of our algorithm on a real world map with two defined metrics, and it exhibited an excellent anonymization success rate in a very good query processing time for the entire period of continuously querying road network services.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1609/aaai.v37i9.26289",
    "title": "Purifier: Defending Data Inference Attacks via Transforming Confidence Scores",
    "authors": [
      "Yang, Ziqi",
      "Wang, Lijin",
      "Yang, Da",
      "Wan, Jie",
      "Zhao, Ziming",
      "Chang, Ee-Chien",
      "Zhang, Fan",
      "Ren, Kui"
    ],
    "date": "2023-06-26",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1609/aaai.v37i9.26289",
    "pdfUrl": "",
    "doi": "10.1609/aaai.v37i9.26289",
    "abstract": "<jats:p>Neural networks are susceptible to data inference attacks such as the membership inference attack, the adversarial model inversion attack and the attribute inference attack, where the attacker could infer useful information such as the membership, the reconstruction or the sensitive attributes of a data sample from the confidence scores predicted by the target classifier. In this paper, we propose a method, namely PURIFIER, to defend against membership inference attacks. It transforms the confidence score vectors predicted by the target classifier and makes purified confidence scores indistinguishable in individual shape, statistical distribution and prediction label between members and non-members. The experimental results show that PURIFIER helps defend membership inference attacks with high effectiveness and efficiency, outperforming previous defense methods, and also incurs negligible utility loss. Besides, our further experiments show that PURIFIER is also effective in defending adversarial model inversion attacks and attribute inference attacks. For example, the inversion error is raised about 4+ times on the Facescrub530 classifier, and the attribute inference accuracy drops significantly when PURIFIER is deployed in our experiment.</jats:p>",
    "topics": [
      "llm_privacy_attacks"
    ],
    "painPointTracks": [
      "AI Training PII"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|datacite____::cb464ae52cf2ea9099dfb6576a1f2d1c",
    "title": "Holistic risk assessment of inference attacks in machine learning",
    "authors": [
      "Yang, Yang"
    ],
    "date": "2022-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.48550/arxiv.2212.10628",
    "pdfUrl": "",
    "doi": "10.48550/arxiv.2212.10628",
    "abstract": "As machine learning expanding application, there are more and more unignorable privacy and safety issues. Especially inference attacks against Machine Learning models allow adversaries to infer sensitive information about the target model, such as training data, model parameters, etc. Inference attacks can lead to serious consequences, including violating individuals privacy, compromising the intellectual property of the owner of the machine learning model. As far as concerned, researchers have studied and analyzed in depth several types of inference attacks, albeit in isolation, but there is still a lack of a holistic rick assessment of inference attacks against machine learning models, such as their application in different scenarios, the common factors affecting the performance of these attacks and the relationship among the attacks. As a result, this paper performs a holistic risk assessment of different inference attacks against Machine Learning models. This paper focuses on three kinds of representative attacks: membership inference attack, attribute inference attack and model stealing attack. And a threat model taxonomy is established. A total of 12 target models using three model architectures, including AlexNet, ResNet18 and Simple CNN, are trained on four datasets, namely CelebA, UTKFace, STL10 and FMNIST.",
    "topics": [
      "llm_privacy_attacks"
    ],
    "painPointTracks": [
      "AI Training PII"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "en"
  },
  {
    "id": "europepmc:41286730",
    "title": "EU protection requirements for ePortfolios in clinical healthcare education.",
    "authors": [
      "Embo M",
      "Wasiak C",
      "Verschaeve S",
      "Van Acker L",
      "Timmers M",
      "Lievens E."
    ],
    "date": "2025-11-24",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1186/s12909-025-08157-9",
    "pdfUrl": "https://europepmc.org/articles/PMC12641944?pdf=render",
    "doi": "10.1186/s12909-025-08157-9",
    "abstract": "<h4>Background</h4>When using ePortfolios in healthcare education, the collection and processing of personal data from various stakeholders, also known as data subjects (e.g., students, mentors, supervisors) is inevitable. This is why it is crucial to identify the stakeholders who need to comply with legal obligations imposed by data protection law, and to assess the legal grounds for processing personal (health) data. Research on the legal aspects of such ePortfolios is lacking. Therefore, the aim of this study was to identify and document the data protection requirements for ePortfolios in clinical healthcare education that apply in the EU.<h4>Methods</h4>Desk research based on a traditional legal analysis of legislation, policy documents, guidelines, case law, and legal doctrine was performed during a multidisciplinary ePortfolio research project.<h4>Results</h4>The analysis resulted in a description of the relevant EU data protection requirements covering the Charter of Fundamental Rights and the General Data Protection Regulation, a translation of these legal requirements into the context of ePortfolios in clinical healthcare education and the formulation of recommendations for data protection compliance based on these insights: (1) the duties and responsibilities of educational institutions and the healthcare student must be clarified in an agreement before the start of an internship, (2) '(substantial) public interest' is the most appropriate legal basis for the processing of health data in ePortfolios, and (3) adequate and appropriate measures to protect the fundamental rights and interests of the data subjects must be provided.<h4>Conclusion</h4>This study contributes to the limited literature on the legal aspects of the use of digital technologies, such as ePortfolios, in healthcare education. There is a need for rigorous evidence on how to design legally compliant ePortfolios for healthcare education.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "BMC medical education",
    "language": "en"
  },
  {
    "id": "europepmc:41392784",
    "title": "Sotto la lente della valutazione d’impatto privacy: la ricerca clinica fra trasparenza e sfide regolatorie.",
    "authors": [
      "Piccolo A",
      "Franchina V",
      "Cagnazzo C."
    ],
    "date": "2025-12-01",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1701/4619.46279",
    "pdfUrl": "",
    "doi": "10.1701/4619.46279",
    "abstract": "In the context of clinical research, the Data Protection Impact Assessment (DPIA), as required by Article 35 of the GDPR 2016/679, is an essential tool to ensure the compliant and responsible processing of personal data, particularly health and genetic data. The adoption of the DPIA addresses the need to safeguard the fundamental rights and freedoms of data subjects in high-risk scenarios, such as multicenter studies and the use of innovative technologies. This article analyzes the ethical, regulatory, and organizational value of the DPIA in clinical trials, highlighting operational challenges such as lack of resources, insufficient training, interpretative ambiguities, and weak integration with ethics committees. A multidisciplinary approach is proposed that sees the DPIA not merely as a regulatory obligation but as a strategic lever to enhance transparency and quality in research. In conclusion, the importance of clarifying roles and responsibilities is emphasized, while promoting a culture of data protection from the earliest stages.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "Recenti progressi in medicina",
    "language": "en"
  },
  {
    "id": "doaj:73adbb4b6bc9464b9d46996f857ad519",
    "title": "A blockchain secured metaverse framework for scalable and immersive telemedicine",
    "authors": [
      "Rahul Ganpatrao Sonkamble",
      "Swati Shirke-Deshmukh",
      "Vijay Katkar",
      "M. Lunagaria",
      "Ganshyam G. Tejani",
      "Seyed Jalaleddin Mousavirad"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://doi.org/10.1038/s41598-025-12068-6",
    "pdfUrl": "https://europepmc.org/articles/PMC12284164?pdf=render",
    "doi": "10.1038/s41598-025-12068-6",
    "abstract": "Abstract The rapid evolution of telemedicine has enhanced healthcare accessibility, yet significant challenges persist, particularly in data security, patient engagement, latency, and scalability. Existing telemedicine solutions rely on centralized architectures, making Electronic Health Records (EHRs) susceptible to data breaches and unauthorized access. This research proposes a novel system which integrates the metaverse and blockchain into telemedicine which can be a transformative approach to solve problems in remote healthcare. By combining immersive virtual environments with decentralized data management, the proposed solution described in this paper aims to give users more ways to interact with each other, enhanced data security, increased efficiency, and higher scalability. The Metaverse serves as the foundation for the implementation of 3D consultation rooms, virtual training spaces, and individual care. Blockchain offers safe, transparent, and immutable data exchange that will create patient-empowered medical records for them. Real-time devices and analysis of real-time physiological data from wearables, sensors, Internet of Things (IoT) devices, and Artificial Intelligence (AI) analytics complete the system. The proposed solution extensively uses Virtual Reality (VR)/Augmented Reality (AR) devices, IoT sensors, Ethereum, and the Unity 3D platform, among others. Assessments indicate that system receives a significantly high level of satisfaction from its users, better secured data, increased automation of processes, and compliance with global standards such as General Data Protection Regulation (GDPR). Compliance with such global standards is achieved through smart contract-based access management, smart contract-based consent management, and immutable audit trails in the blockchain. Moreover, this research demonstrates that incorporating high-tech tools like AI and VR into telemedicine is currently feasible. 
This paves the way for the creation of even more secure and user-friendly telemedicine platforms that employ neural networks. This research sets a foundation for next-generation telemedicine ecosystems.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "Scientific Reports",
    "language": "en"
  },
  {
    "id": "europepmc:39453800",
    "title": "Federated Unlearning: A Survey on Methods, Design Guidelines, and Evaluation Metrics.",
    "authors": [
      "Romandini N",
      "Mora A",
      "Mazzocca C",
      "Montanari R",
      "Bellavista P."
    ],
    "date": "2025-07-01",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1109/tnnls.2024.3478334",
    "pdfUrl": "",
    "doi": "10.1109/tnnls.2024.3478334",
    "abstract": "Federated learning (FL) enables collaborative training of a machine learning (ML) model across multiple parties, facilitating the preservation of users' and institutions' privacy by maintaining data stored locally. Instead of centralizing raw data, FL exchanges locally refined model parameters to build a global model incrementally. While FL is more compliant with emerging regulations such as the European General Data Protection Regulation (GDPR), ensuring the right to be forgotten in this context-allowing FL participants to remove their data contributions from the learned model-remains unclear. In addition, it is recognized that malicious clients may inject backdoors into the global model through updates, e.g., to generate mispredictions on specially crafted data examples. Consequently, there is the need for mechanisms that can guarantee individuals the possibility to remove their data and erase malicious contributions even after aggregation, without compromising the already acquired \"good\" knowledge. This highlights the necessity for novel federated unlearning (FU) algorithms, which can efficiently remove specific clients' contributions without full model retraining. This article provides background concepts, empirical evidence, and practical guidelines to design/implement efficient FU schemes. This study includes a detailed analysis of the metrics for evaluating unlearning in FL and presents an in-depth literature review categorizing state-of-the-art FU contributions under a novel taxonomy. Finally, we outline the most relevant and still open technical challenges, by identifying the most promising research directions in the field.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "IEEE transactions on neural networks and learning systems",
    "language": "en"
  },
  {
    "id": "pubmed:38445168",
    "title": "Patients' knowledge, preferences, and perspectives about data protection and data control: an exploratory survey.",
    "authors": [
      "Lalova-Spinks, Teodora",
      "Saesen, Robbe",
      "Silva, Mitchell",
      "Geissler, Jan",
      "Shakhnenko, Iryna",
      "Camaradou, Jennifer Catherine",
      "Huys, Isabelle"
    ],
    "date": "2024-02-20",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1038/nbt.3145",
    "pdfUrl": "",
    "doi": "10.1038/nbt.3145",
    "abstract": "Background:  In the European Union, the General Data Protection Regulation (GDPR) plays a central role in the complex health research legal framework. It aims to protect the fundamental right to the protection of individuals' personal data, while allowing the free movement of such data. However, it has been criticized for challenging the conduct of research. Existing scholarship has paid little attention to the experiences and views of the patient community. The aim of the study was to investigate 1) the awareness and knowledge of patients, carers, and members of patient organizations about the General Data Protection Regulation, 2) their experience with exercising data subject rights, and 3) their understanding of the notion of \"data control\" and preferences towards various data control tools.  Methods:  An online survey was disseminated between December 2022 and March 2023. Quantitative data was analyzed descriptively and inferentially. Answers to open-ended questions were analyzed using the thematic analysis method.  Results:  In total, 220 individuals from 28 European countries participated. The majority were patients (77%). Most participants had previously heard about the GDPR (90%) but had not exercised any of their data subject rights. Individual data control tools appeared to be marginally more important than collective tools. The willingness of participants to share personal data with data altruism organizations increased if patient representatives would be involved in the decision-making processes of such organizations.  Conclusion:  The results highlighted the importance of providing in-depth education about data protection. Although participants showed a slight preference towards individual control tools, the reflection based on existing scholarship identified that individual control holds risks that could be mitigated through carefully operationalized collective tools. 
The discussion of results was used to provide a critical view into the proposed Europ",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "Frontiers in pharmacology",
    "language": "en"
  },
  {
    "id": "pubmed:37848609",
    "title": "Specific measures for data-intensive health research without consent: a systematic review of soft law instruments and academic literature.",
    "authors": [
      "Smit, Julie-Anne R",
      "Mostert, Menno",
      "van der Graaf, Rieke",
      "Grobbee, Diederick E",
      "van Delden, Johannes J M"
    ],
    "date": "2023-10-17",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1186/1471-2458-7-318",
    "pdfUrl": "",
    "doi": "10.1186/1471-2458-7-318",
    "abstract": "It is a common misunderstanding of current European data protection law that when consent is not being used as lawful basis, the processing of personal data is prohibited. Article 9(2)(j) of the European General Data Protection Regulation (GDPR) permits Member States to establish a legal basis in national law that allows for the processing of personal data for scientific research purposes without consent. However, the European legislator has formulated this \"research exemption\" as an opening clause, rendering the GDPR not specific as to what measures exactly are required to comply with the research exemption. This may have significant implications for both the protection of personal data and the advancement of data-intensive health research. We performed a systematic review of relevant soft law instruments and academic literature to identify what measures are mentioned in those documents. Our analysis resulted in the identification of four overarching themes of suggested measures: organizational measures; technical measures; oversight and review mechanisms; and public engagement and participation. Some of the suggested measures do not substantially contribute to the clarification of the GDPR's \"suitable and specific measures\" requirement because they remain vague or broad in nature and encompass all types of data processing. However, the themes oversight and review mechanisms and public engagement and participation provide valuable insights which can be put to practice. Nevertheless, further clarification of the measures and safeguards that should be installed when invoking the research exemption remains necessary.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "European journal of human genetics : EJHG",
    "language": "en"
  },
  {
    "id": "pubmed:36067111",
    "title": "Adherence Forecasting for Guided Internet-Delivered Cognitive Behavioral Therapy: A Minimally Data-Sensitive Approach.",
    "authors": [
      "Cote-Allard, Ulysse",
      "Pham, Minh H",
      "Schultz, Alexandra K",
      "Nordgreen, Tine",
      "Torresen, Jim"
    ],
    "date": "2023-06-05",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1109/JBHI.2022.3204737",
    "pdfUrl": "",
    "doi": "10.1109/JBHI.2022.3204737",
    "abstract": "Internet-delivered psychological treatments (IDPT) are seen as an effective and scalable pathway to improving the accessibility of mental healthcare. Within this context, treatment adherence is an especially pertinent challenge to address due to the reduced interaction between healthcare professionals and patients. In parallel, the increase in regulations surrounding the use of personal data, such as the General Data Protection Regulation (GDPR), makes data minimization a core consideration for real-world implementation of IDPTs. Consequently, this work proposes a Self-Attention-based deep learning approach to perform automatic adherence forecasting, while only relying on minimally sensitive login/logout-timestamp data. This approach was tested on a dataset containing 342 patients undergoing Guided Internet-delivered Cognitive Behavioral Therapy (G-ICBT) treatment. Of these 342 patients, 101 (  ∼ 30%) were considered non-adherent (dropout) based on the adherence definition used in this work (i.e. at least eight connections to the platform lasting more than a minute over 56 days). The proposed model achieved over 70% average balanced accuracy, after only 20 out of the 56 days (  ∼ 1/3) of the treatment had elapsed. This study demonstrates that automatic adherence forecasting for G-ICBT, is achievable using only minimally sensitive data, thus facilitating the implementation of such tools within real-world IDPT platforms.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "IEEE journal of biomedical and health informatics",
    "language": "en"
  },
  {
    "id": "pubmed:33076938",
    "title": "Designing and piloting a generic research architecture and workflows to unlock German primary care data for secondary use.",
    "authors": [
      "Bahls, Thomas",
      "Pung, Johannes",
      "Heinemann, Stephanie",
      "Hauswaldt, Johannes",
      "Demmer, Iris",
      "Blumentritt, Arne",
      "Rau, Henriette",
      "Drepper, Johannes",
      "Wieder, Philipp",
      "Groh, Roland",
      "Hummers, Eva",
      "Schlegelmilch, Falk"
    ],
    "date": "2020-10-19",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1002/ehf2.12168",
    "pdfUrl": "",
    "doi": "10.1002/ehf2.12168",
    "abstract": "BACKGROUND: Medical data from family doctors are of great importance to health care researchers but seem to be locked in German practices and, thus, are underused in research. The RADAR project (Routine Anonymized Data for Advanced Health Services Research) aims at designing, implementing and piloting a generic research architecture, technical software solutions as well as procedures and workflows to unlock data from family doctor's practices. A long-term medical data repository for research taking legal requirements into account is established. Thereby, RADAR helps closing the gap between the European countries and to contribute data from primary care in Germany. METHODS: The RADAR project comprises three phases: (1) analysis phase, (2) design phase, and (3) pilot. First, interdisciplinary workshops were held to list prerequisites and requirements. Second, an architecture diagram with building blocks and functions, and an ordered list of process steps (workflow) for data capture and storage were designed. Third, technical components and workflows were piloted. The pilot was extended by a data integration workflow using patient-reported outcomes (paper-based questionnaires). RESULTS: The analysis phase resulted in listing 17 essential prerequisites and guiding requirements for data management compliant with the General Data Protection Regulation (GDPR). Based on this list existing approaches to fulfil the RADAR tasks were evaluated-for example, re-using BDT interface for data exchange and Trusted Third Party-approach for consent management and record linkage. Consented data sets of 100 patients were successfully exported, separated into person-identifying and medical data, pseudonymised and saved. Record linkage and data integration workflows for patient-reported outcomes in the RADAR research database were successfully piloted for 63 responders. 
CONCLUSION: The RADAR project successfully developed a generic architecture together with a technical framework of tools,",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "Journal of translational medicine",
    "language": "en"
  },
  {
    "id": "pubmed:32220868",
    "title": "Assessing data protection and governance in health information systems: a novel methodology of Privacy and Ethics Impact and Performance Assessment (PEIPA).",
    "authors": [
      "Di Iorio, Concetta Tania",
      "Carinci, Fabrizio",
      "Oderkirk, Jillian",
      "Smith, David",
      "Siano, Manuela",
      "de Marco, Dorotea Alessandra",
      "de Lusignan, Simon",
      "Hamalainen, Paivi",
      "Benedetti, Massimo Massi"
    ],
    "date": "2020-03-27",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1136/medethics-2019-105948",
    "pdfUrl": "",
    "doi": "10.1136/medethics-2019-105948",
    "abstract": "BACKGROUND: Data processing of health research databases often requires a Data Protection Impact Assessment to evaluate the severity of the risk and the appropriateness of measures taken to comply with the European Union (EU) General Data Protection Regulation (GDPR). We aimed to define and apply a comprehensive method for the evaluation of privacy, data governance and ethics among research networks involved in the EU Project Bridge Health. METHODS: Computerised survey among associated partners of main EU Consortia, using a targeted instrument designed by the principal investigator and progressively refined in collaboration with an international advisory panel. Descriptive measures using the percentage of adoption of privacy, data governance and ethical principles as main endpoints were used for the analysis and interpretation of the results. RESULTS: A total of 15 centres provided relevant information on the processing of sensitive data from 10 European countries. Major areas of concern were noted for: data linkage (median, range of adoption: 45%, 30%-80%), access and accuracy of personal data (50%, 0%-100%) and anonymisation procedures (56%, 11%-100%). A high variability was noted in the application of privacy principles. CONCLUSIONS: A comprehensive methodology of Privacy and Ethics Impact and Performance Assessment was successfully applied at international level. The method can help implementing the GDPR and expanding the scope of Data Protection Impact Assessment, so that the public benefit of the secondary use of health data could be well balanced with the respect of personal privacy.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "Journal of medical ethics",
    "language": "en"
  },
  {
    "id": "pubmed:31658736",
    "title": "Privacy Engineering for Domestic IoT: Enabling Due Diligence.",
    "authors": [
      "Lodge, Tom",
      "Crabtree, Andy"
    ],
    "date": "2019-10-10",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1007/s40860-018-0054-5",
    "pdfUrl": "",
    "doi": "10.1007/s40860-018-0054-5",
    "abstract": "The EU's General Data Protection Regulation (GDPR) has recently come into effect and insofar as Internet of Things (IoT) applications touch EU citizens or their data, developers are obliged to exercise due diligence and ensure they undertake Data Protection by Design and Default (DPbD). GDPR mandates the use of Data Protection Impact Assessments (DPIAs) as a key heuristic enabling DPbD. However, research has shown that developers generally lack the competence needed to deal effectively with legal aspects of privacy management and that the difficulties of complying with regulation are likely to grow considerably. Privacy engineering seeks to shift the focus from interpreting texts and guidelines or consulting legal experts to embedding data protection  within  the development process itself. There are, however, few examples in practice. We present a privacy-oriented, flow-based integrated development environment (IDE) for building domestic IoT applications. The IDE enables due diligence in (a) helping developers reason about personal data during the actual in vivo construction of IoT applications; (b) advising developers as to whether or not the design choices they are making occasion the need for a DPIA; and (c) attaching and making available to others (including data processors, data controllers, data protection officers, users and supervisory authorities) specific privacy-related information that has arisen during an application's development.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "Sensors (Basel, Switzerland)",
    "language": "en"
  },
  {
    "id": "pubmed:31143459",
    "title": "Genetic research and applicable law: the intra-EU conflict of laws as a regulatory challenge to cross-border genetic research.",
    "authors": [
      "Pormeister, Kärt"
    ],
    "date": "2018-11-10",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1093/jlb/lsy023",
    "pdfUrl": "",
    "doi": "10.1093/jlb/lsy023",
    "abstract": "EU law does not regulate genetic research  per se , but the latter is governed to a certain extent by data protection law. Regardless of the harmonizing efforts of the General Data Protection Regulation (GDPR), research regulations remain fragmented in the data protection framework. This is mainly due to the vast discretion granted to Member States in this regard in the GDPR. Albeit the GDPR enabling data flows for research cooperation in the EU, it creates a hurdle for cross-border research by ignoring the intra-EU conflict of laws that inevitably arises in a fragmented regulatory framework. Imagining ways to solve the dilemma of applicable national law under the GDPR generally is not that difficult, but becomes trickier in a research context. Whether the national data protection law of one or the other Member State is to be applied, either the interests of data subjects or those of researchers might end up compromised.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "Journal of law and the biosciences",
    "language": "en"
  },
  {
    "id": "pubmed:31057059",
    "title": "Impossible, unknowable, accountable: Dramas and dilemmas of data law.",
    "authors": [
      "Cool, Alison"
    ],
    "date": "2019-05-06",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1177/0306312719846557",
    "pdfUrl": "",
    "doi": "10.1177/0306312719846557",
    "abstract": "On May 25, 2018, the European Union's General Data Protection Regulation (GDPR) came into force. EU citizens are granted more control over personal data while companies and organizations are charged with increased responsibility enshrined in broad principles like transparency and accountability. Given the scope of the regulation, which aims to harmonize data practices across 28 member states with different concerns about data collection, the GDPR has significant consequences for individuals in the EU and globally. While the GDPR is primarily intended to regulate tech companies, it also has important implications for data use in scientific research. Drawing on ethnographic fieldwork with researchers, lawyers and legal scholars in Sweden, I argue that the GDPR's flexible accountability principle effectively encourages researchers to reflect on their ethical responsibility but can also become a source of anxiety and produce unexpected results. Many researchers I spoke with expressed profound uncertainty about 'impossible' legal requirements for research data use. Despite the availability of legal texts and interpretations, I suggest we should take researchers' concerns about 'unknowable' data law seriously. Many researchers' sense of legal ambiguity led them to rethink their data practices and themselves as ethical subjects through an orientation to what they imagined as the 'real people behind the data', variously formulated as a Swedish population desiring data use for social benefit or a transnational public eager for research results. The intentions attributed to people, populations and publics - whom researchers only encountered in the abstract form of data - lent ethical weight to various and sometimes conflicting decisions about data security and sharing. 
Ultimately, researchers' anxieties about their inability to discern the desires of the 'real people' lent new appeal to solutions, however flawed, that promised to alleviate the ethical burden of personal data.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "Social studies of science",
    "language": "en"
  },
  {
    "id": "pubmed:30510791",
    "title": "How to set up a database?-a five-step process.",
    "authors": [
      "Brembilla, Alice",
      "Martin, Bérenger",
      "Parmentier, Anne-Laure",
      "Desmarets, Maxime",
      "Falcoz, Pierre-Emmanuel",
      "Puyraveau, Marc",
      "Mauny, Frédéric"
    ],
    "date": "2018-10",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1016/j.ijsu.2014.07.013",
    "pdfUrl": "https://hal.science/hal-03889652/document",
    "doi": "10.1016/j.ijsu.2014.07.013",
    "abstract": "Database set-up directly impacts the quality and viability of research data, and therefore is a crucial part of the quality of clinical research. Setting up a quality database implies following a strict data-management process. Too much collected information threatens the quality of the information required to achieve the objectives of the study. Therefore, the data that will be collected and managed have to be cautiously discussed and selected. Case report forms (CRF) are the tools the most frequently used to collect the data specified by the protocol. An informative and well-structured document simplifies database design and data validation. Key elements are about choice of sequential or thematic structuring, information and type of information that should be entered and the importance of data standards and coding guide. Final database must be structured with unique ID patient, with one record per subject or per measure. Specific information must be provided for each variable according to the database specifications. The quality of the results is directly related to the quality of the collected data. The CRF should then be completed as fully and accurately as possible. Data validation relies on three key points: the CRF completion guidelines, the Edit Checks process and the Data clarification process. Various open source or business software applications provide all functionalities to set up a clinical data base and CRF. The General Data Protection Regulation (GDPR) standardizes and strengthens the protection of personal data across the EU and for other country's data being \"processed\" within the EU. The General principles include lawfulness, fairness and transparency, restricted use of data, data minimization, accuracy, limited storage, confidentiality and probity, and accountability.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "Journal of thoracic disease",
    "language": "en"
  },
  {
    "id": "pubmed:36433614",
    "title": "A Privacy-Preserving, Two-Party, Secure Computation Mechanism for Consensus-Based Peer-to-Peer Energy Trading in the Smart Grid.",
    "authors": [
      "Li, Zhihu",
      "Xu, Haiqing",
      "Zhai, Feng",
      "Zhao, Bing",
      "Xu, Meng",
      "Guo, Zhenwei"
    ],
    "date": "2022-11-21",
    "platform": "pubmed",
    "sourceUrl": "https://doi.org/10.1007/s10207-010-0119-9",
    "pdfUrl": "",
    "doi": "10.1007/s10207-010-0119-9",
    "abstract": "Consumers in electricity markets are becoming more proactive because of the rapid development of demand-response management and distributed energy resources, which boost the transformation of peer-to-peer (P2P) energy-trading mechanisms. However, in the P2P negotiation process, it is a challenging task to prevent private information from being attacked by malicious agents. In this paper, we propose a privacy-preserving, two-party, secure computation mechanism for consensus-based P2P energy trading. First, a novel P2P negotiation mechanism for energy trading is proposed based on the consensus + innovation (C + I) method and the power transfer distribution factor (PTDF), and this mechanism can simultaneously maximize social welfare and maintain physical network constraints. In addition, the C + I method only requires a minimum set of information to be exchanged. Then, we analyze the strategy of malicious neighboring agents colluding to attack in order to steal private information. To defend against this attack, we propose a two-party, secure computation mechanism in order to realize safe negotiation between each pair of prosumers based on Paillier homomorphic encryption (HE), a smart contract (SC), and zero-knowledge proof (ZKP). The energy price is updated in a safe way without leaking any private information. Finally, we simulate the functionality of the privacy-preserving mechanism in terms of convergence performance, computational efficiency, scalability, and SC operations.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.537,
    "venue": "Sensors (Basel, Switzerland)",
    "language": "en"
  },
  {
    "id": "doaj:9bd77f00aa4f4a54bf6df257b4991058",
    "title": "High-Performance Number Theoretic Transform on GPU Through radix2-CT and 4-Step Algorithms",
    "authors": [
      "Alisah Ozcan",
      "Arsalan Javeed",
      "Erkay Savas"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://ieeexplore.ieee.org/document/11003946/",
    "pdfUrl": "",
    "doi": "10.1109/access.2025.3570024",
    "abstract": "The number theoretic transform (NTT) provides a practical and efficient technique to perform multiplication of very large degree polynomials typically found in fully homomorphic encryption (FHE), lattice-based cryptography, and non-interactive succinct zero-knowledge proof systems such as zk-SNARK. In this paper, we focus on this aspect and present two robust algorithms for efficient NTT using readily available GPU cards as hardware accelerators. These algorithms are based on the radix-2 Cooley-Tukey (CT) and 4-Step techniques, which are rooted in classical FFT research. To this end, our algorithms leverage novel strategy to optimize memory access patterns adaptive to input size, which often is very large. Our approach: 1) reduces and optimizes the number of accesses required for global memory for thread synchronization on the GPU device, and 2) systematically improves and enhances the use of spatial locality. We achieve this effect by carefully controlling parameters such as the number of kernels, thread block size and shape, and thread layout, which directly impact overall NTT performance. The proposed optimizations enable our NTT implementation to handle very large polynomial sizes up to <inline-formula> <tex-math notation=\"LaTeX\">$2^{28}$ </tex-math></inline-formula>, which are usually a limiting factor in existing approaches, and achieve remarkable performance. To the best of our knowledge, our proposed technique is unique and provides a recipe for selecting suitable configurable parameter combinations to achieve top performance for a given polynomial degree. Furthermore, we perform thorough experiments and empirically assess the performance of our proposed algorithms on three mainstream commercial GPU cards by NVIDIA. Finally, we demonstrate that our algorithms compare favorably and outperform an existing commercial-grade open-source implementation in this arena.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.537,
    "venue": "IEEE Access",
    "language": "en"
  },
  {
    "id": "doaj:09eae18073b147d4baacba853f748150",
    "title": "Novel Federated Graph Contrastive Learning for IoMT Security: Protecting Data Poisoning and Inference Attacks",
    "authors": [
      "Amarudin Daulay",
      "Kalamullah Ramli",
      "Ruki Harwahyu",
      "Taufik Hidayat",
      "Bernardi Pranggono"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://www.mdpi.com/2227-7390/13/15/2471",
    "pdfUrl": "",
    "doi": "10.3390/math13152471",
    "abstract": "Malware evolution presents growing security threats for resource-constrained Internet of Medical Things (IoMT) devices. Conventional federated learning (FL) often suffers from slow convergence, high communication overhead, and fairness issues in dynamic IoMT environments. In this paper, we propose FedGCL, a secure and efficient FL framework integrating contrastive graph representation learning for enhanced feature discrimination, a Jain-index-based fairness-aware aggregation mechanism, an adaptive synchronization scheduler to optimize communication rounds, and secure aggregation via homomorphic encryption within a Trusted Execution Environment. We evaluate FedGCL on four benchmark malware datasets (Drebin, Malgenome, Kronodroid, and TUANDROMD) using 5 to 15 graph neural network clients over 20 communication rounds. Our experiments demonstrate that FedGCL achieves 96.3% global accuracy within three rounds and converges to 98.9% by round twenty—reducing required training rounds by 45% compared to FedAvg—while incurring only approximately 10% additional computational overhead. By preserving patient data privacy at the edge, FedGCL enhances system resilience without sacrificing model performance. These results indicate FedGCL’s promise as a secure, efficient, and fair federated malware detection solution for IoMT ecosystems.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.537,
    "venue": "Mathematics",
    "language": "en"
  },
  {
    "id": "doaj:10e1556523cb495bb5459d0cd785c268",
    "title": "A Decentralized Identity-Based Blockchain Solution for Privacy-Preserving Licensing of Individual-Controlled Data to Prevent Unauthorized Secondary Data Usage",
    "authors": [
      "Meng Kang",
      "Victoria Lemieux"
    ],
    "date": "2021",
    "platform": "doaj",
    "sourceUrl": "https://ledger.pitt.edu/ojs/ledger/article/view/239",
    "pdfUrl": "",
    "doi": "10.5195/ledger.2021.239",
    "abstract": "This paper presents a design for a blockchain solution aimed at the prevention of unauthorized secondary use of data. This solution brings together advances from the fields of identity management, confidential computing, and advanced data usage control. In the area of identity management, the solution is aligned with emerging decentralized identity standards: decentralized identifiers (DIDs), DID communication and verifiable credentials (VCs). In respect to confidential computing, the Cheon-Kim-Kim-Song (CKKS) fully homomorphic encryption (FHE) scheme is incorporated with the system to protect the privacy of the individual’s data and prevent unauthorized secondary use when being shared with potential users. In the area of advanced data usage control, the solution leverages the PRIV-DRM solution architecture to derive a novel approach to licensing of data usage to prevent unauthorized secondary usage of data held by individuals. Specifically, our design covers necessary roles in the data-sharing ecosystem: the issuer of personal data, the individual holder of the personal data (i.e., the data subject), a trusted data storage manager, a trusted license distributor, and the data consumer. The proof-of-concept implementation utilizes the decentralized identity framework being developed by the Hyperledger Indy/Aries project. A genomic data licensing use case is evaluated, which shows the feasibility and scalability of the solution.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.537,
    "venue": "Ledger",
    "language": "en"
  },
  {
    "id": "doaj:1998b594652a441ea03b1dd869ceb099",
    "title": "Privacy-Preserving Outsourced Similarity Test for Access Over Encrypted Data in the Cloud",
    "authors": [
      "Dan Yang",
      "Yu-Chi Chen",
      "Shaozhen Ye",
      "Raylin Tso"
    ],
    "date": "2018",
    "platform": "doaj",
    "sourceUrl": "https://ieeexplore.ieee.org/document/8501911/",
    "pdfUrl": "",
    "doi": "10.1109/access.2018.2877036",
    "abstract": "In the era of cloud computing, the cloud server always plays a significant role to carry the heavy tasks of computation. As for storage services, it provides an efficient manner for accessing data. For data privacy, encryption is usually referred to as a simple approach, but in fact cloud services cannot work with the traditional encryption. Therefore, outsourced computing over encrypted data receives attention of preserving privacy in the cloud setting. The notion, privacy-preserving outsourced similarity test (PPOS) over encrypted data, is introduced to capture the following scenario. The cloud stores encrypted data with the encrypted feature vector and then picks up the target data by testing similarity between those vectors and the search query. Recently, Zhang et al. proposed a PPOS scheme based on additive homomorphic encryption, garbled circuits, and ciphertext-policy attribute-based encryption. In this paper, we aim for presenting the formal security model and new scheme of PPOS. We use as few primitives as possible to minimize cryptographic building blocks. Our solution avoids using homomorphic encryption and constructs the PPOS scheme simply from garbled circuits and ciphertext-policy attribute-based encryption.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.537,
    "venue": "IEEE Access",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4327730108",
    "title": "Collecting, Processing and Secondary Using Personal and (Pseudo)Anonymized Data in Smart Cities",
    "authors": [
      "Silvio Sampaio",
      "Patrícia R. Sousa",
      "Cristina Martins",
      "Ana Ferreira",
      "Luís Antunes",
      "Ricardo Cruz‐Correia"
    ],
    "date": "2023",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.3390/app13063830",
    "pdfUrl": "https://www.mdpi.com/2076-3417/13/6/3830/pdf?version=1678984771",
    "doi": "https://doi.org/10.3390/app13063830",
    "abstract": "Smart cities, leveraging IoT technologies, are revolutionizing the quality of life for citizens. However, the massive data generated in these cities also poses significant privacy risks, particularly in de-anonymization and re-identification. This survey focuses on the privacy concerns and commonly used techniques for data protection in smart cities, specifically addressing geolocation data and video surveillance. We categorize the attacks into linking, predictive and inference, and side-channel attacks. Furthermore, we examine the most widely employed de-identification and anonymization techniques, highlighting privacy-preserving techniques and anonymization tools; while these methods can reduce the privacy risks, they are not enough to address all the challenges. In addition, we argue that de-identification must involve properties such as unlikability, selective disclosure and self-sovereignty. This paper concludes by outlining future research challenges in achieving complete de-identification in smart cities.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.537,
    "venue": "Applied Sciences",
    "language": "en"
  },
  {
    "id": "hal:5452059",
    "title": "Blockchain, Secure Archiving and Data Protection in the Cloud: A Cross-Analysis of the Technical and Legal Challenges Related to Information Integrity and Sovereignty.",
    "authors": [
      "Abir Omri",
      "Kawtar Aziz",
      "Akkour Soumaya"
    ],
    "date": "2025-12-31",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-05452059v1",
    "pdfUrl": "https://hal.science/hal-05452059/document",
    "doi": "10.5281/zenodo.18099525",
    "abstract": "Blockchain is frequently presented as a disruptive technology capable of transforming traditional mechanisms for securing, tracing, and ensuring the integrity of information. At the same time, the growing use of cloud computing raises significant concerns regarding the protection of personal data and digital sovereignty. This article offers a combined technical and legal analysis of blockchain applied to two key issues: the secure archiving of digital documents and data protection in cloud environments. Thestudy examines the guarantees provided by blockchain technology in terms of data integrity, traceability, and immutability, while confronting these promises with data protection law requirements (notably the GDPR). Using an analytical framework that combines technical architecture (distributed ledger, smart contracts, encryption) with normative issues (liability, right to erasure, data territoriality), we discuss the actual capacity of blockchain to address current challenges relating to compliance, security, and the governance of digital information. This reflection is grounded in an interdisciplinary perspective drawing on technology law, cybersecurity, and information systems engineering.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "African Scientific Journal",
    "language": "en"
  },
  {
    "id": "hal:1883615",
    "title": "Blockchain-based Identity Management and Data Usage Control (Extended Abstract)",
    "authors": [
      "Ricardo Neisse",
      "Gary Steri",
      "Igor Nai Fovino"
    ],
    "date": "2018",
    "platform": "hal",
    "sourceUrl": "https://inria.hal.science/hal-01883615v1",
    "pdfUrl": "https://inria.hal.science/hal-01883615/document",
    "doi": "10.1007/978-3-319-92925-5_15",
    "abstract": "The General Data Protection Regulation (GDPR) [1], which will be enforceable from May 2018, introduces significant changes on the obligations of data controllers and processors in the context of the data protection legistlation of the European Union (EU). These obligations are defined by a single set of rules that should be adopted by all EU Member States including, among others, the need for explicit consent with the possibility of withdrawal and the right to erasure. The GDPR applies to data controllers (organizations) that access data of a data subject (persons) and data processors (organizations) that process data on behalf of the controller.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:4888548",
    "title": "DPS-IIoT: non-interactive zero-knowledge poof-inspired access control towards information-centric industrial internet of things",
    "authors": [
      "Dun Li",
      "Noel Crespi",
      "Roberto Minerva",
      "Wei Liang",
      "Kuan-Ching Li",
      "Joanna Kołodziejczyk"
    ],
    "date": "2025-03-01",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-04888548v1",
    "pdfUrl": "https://hal.science/hal-04888548/document",
    "doi": "10.1016/j.comcom.2025.108065",
    "abstract": "The advancements in 5G/6G communication technologies have enabled the rapid development and expanded application of the Industrial Internet of Things (IIoT). However, the limitations of traditional host-centric networks are becoming increasingly evident, especially in meeting the growing demands of the IIoT for higher data speeds, enhanced privacy protections, and improved resilience to disruptions. In this work, we present the ZK-CP-ABE algorithm, a novel security framework designed to enhance security and efficiency in distributing content within the IIoT. By integrating a non-interactive zero-knowledge proof (ZKP) protocol for user authentication and data validation into the existing Ciphertext-Policy Attribute-Based Encryption (CP-ABE), the ZK-CP-ABE algorithm substantially improves privacy protections while efficiently managing bandwidth usage. Furthermore, we propose the Distributed Publish-Subscribe Industrial Internet of Things (DPS-IIoT) system, which uses Hyperledger Fabric blockchain technology to deploy access policies and ensure the integrity of ZKP from tampering and cyber-attacks, thus enhancing the security and reliability of IIoT networks. To validate the effectiveness of our approach, extensive experiments were conducted, demonstrating that the proposed ZK-CP-ABE algorithm significantly reduces bandwidth consumption, while maintaining robust security against unauthorized access. Experimental evaluation shows that the ZK-CP-ABE algorithm and DPS-IIoT system significantly enhance bandwidth efficiency and overall throughput in IIoT environments.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.537,
    "venue": "Computer Communications",
    "language": "en"
  },
  {
    "id": "hal:5504789",
    "title": "A homomorphic LWE based E-voting scheme",
    "authors": [
      "I. Chillotti",
      "N. Gama",
      "M. Georgieva",
      "Malika Izabachène"
    ],
    "date": "2016-02-24",
    "platform": "hal",
    "sourceUrl": "https://cea.hal.science/cea-01832761v1",
    "pdfUrl": "https://cea.hal.science/cea-01832761/document",
    "doi": "10.1007/978-3-319-29360-8_16",
    "abstract": "In this paper we present a new post-quantum electronic voting protocol. Our construction is based on LWE fully homomorphic encryption and the protocol is inspired by existing e-voting schemes, in particular Helios. The strengths of our scheme are its simplicity and transparency, since it relies on public homomorphic operations. Further-more, the use of lattice-based primitives greatly simplifies the proofs of correctness, privacy and verifiability, as no zero-knowledge proof are needed to prove the validity of individual ballots or the correctness of the final election result. The security of our scheme is based on classical SIS/LWE assumptions, which are asymptotically as hard as worst case lattice problems and relies on the random oracle heuristic. We also propose a new procedure to distribute the decryption task, where each trustee provides an independent proof of correct decryption in the form of a publicly verifiable cipher-text trapdoor. In particular, our protocol requires only two trustees, unlike classical proposals using threshold decryption via Shamir’s secret sharing.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:5440963",
    "title": "Footprints of Data in a Classifier: Understanding the Privacy Risks and Solution Strategies",
    "authors": [
      "Payel Sadhukhan",
      "Tanujit Chakraborty"
    ],
    "date": "2025-12-27",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-05440963v1",
    "pdfUrl": "",
    "doi": "10.1007/s10796-025-10679-y",
    "abstract": "The widespread deployment of Artificial Intelligence (AI) across government and private industries brings both advancements and heightened privacy and security concerns. Article 17 of the General Data Protection Regulation (GDPR) mandates the Right to Erasure, requiring data to be permanently removed from a system to prevent potential compromise. While existing research primarily focuses on erasing sensitive data attributes, several passive data compromise mechanisms remain underexplored and unaddressed. One such issue arises from the residual footprints of training data embedded within predictive models. Performance disparities between test and training data can inadvertently reveal which data points were part of the training set, posing a privacy risk. This study examines how two fundamental aspects of classifier systems—training data quality and classifier training methodology—contribute to privacy vulnerabilities. Our theoretical analysis demonstrates that classifiers exhibit universal vulnerability under conditions of data imbalance and distributional shifts. Empirical findings reinforce our theoretical results, highlighting the significant role of training data quality in classifier susceptibility. Additionally, our study reveals that a classifier’s operational mechanism and architectural design impact its vulnerability. We further investigate mitigation strategies through data obfuscation techniques and analyze their impact on both privacy and classification performance. To aid practitioners, we introduce a privacy-performance trade-off index, providing a structured approach to balancing privacy protection with model effectiveness. The findings offer valuable insights for selecting classifiers and curating training data in diverse real-world applications.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "Information Systems Frontiers",
    "language": "en"
  },
  {
    "id": "hal:5474344",
    "title": "Johnny Can’t Revoke Consent Either: Measuring Compliance of Consent Revocation on the Web",
    "authors": [
      "Gayatri Priyadarsini Kancherla",
      "Nataliia Bielova",
      "Cristiana Santos",
      "Abhishek Bichhawat"
    ],
    "date": "2025-07-14",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-05474344v1",
    "pdfUrl": "https://hal.science/hal-05474344/document",
    "doi": "10.56553/popets-2025-0133",
    "abstract": "The EU General Data Protection Regulation (GDPR) requires websites to facilitate the right to revoke consent from Web users. Prior works have examined consent management by auditing that user choices are correctly stored, and comparing cookies set upon acceptance versus rejection to assess compliance. While these studies measured compliance of consent with respect to the various consent requirements, no prior work has studied consent revocation on the Web. Therefore, it is unclear how difficult it is to revoke consent on the websites’ interfaces, and whether the revoked consent is properly stored and communicated behind the user interface. Our work aims to fill this gap by measuring compliance of consent revocation on the Web on Tranco’s top-200 websites. We found that 19.87% of websites make it difficult for users to revoke consent throughout different interfaces, 20.5% of websites require more effort than acceptance, and 2.48% do not provide consent revocation at all, thus violating EU legal requirements for valid consent. 57.5% websites do not delete the cookies after consent revocation enabling continuous illegal processing of users’ data. Further, we analyzed 281 websites implementing the IAB Europe Transparency &amp; Consent Framework, and found 22 websites that store a positive consent despite user’s revocation. Surprisingly, we found that on 101 websites, third parties that have received consent upon user’s acceptance, are not informed of revocation, leading to the illegal processing of users’ data by such third parties according to EU laws. Our findings emphasize the need for improved legal compliance of consent revocation, and proper, consistent, and uniform implementation of revocation communication to third-parties.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "Proceedings on Privacy Enhancing Technologies",
    "language": "en"
  },
  {
    "id": "hal:3677025",
    "title": "Not a Free Lunch, But a Cheap One: On Classifiers Performance on Anonymized Datasets",
    "authors": [
      "Mina Alishahi",
      "Nicola Zannone"
    ],
    "date": "2021-07-19",
    "platform": "hal",
    "sourceUrl": "https://inria.hal.science/hal-03677025v1",
    "pdfUrl": "https://inria.hal.science/hal-03677025/document",
    "doi": "10.1007/978-3-030-81242-3_14",
    "abstract": "The problem of protecting datasets from the disclosure of confidential information, while published data remains useful for analysis, has recently gained momentum. To solve this problem, anonymization techniques such as k-anonymity, ℓ-diversity, and t-closeness have been used to generate anonymized datasets for training classifiers. While these techniques provide an effective means to generate anonymized datasets, an understanding of how their application affects the performance of classifiers is currently missing. This knowledge enables the data owner and analyst to select the most appropriate classification algorithm and training parameters in order to guarantee high privacy requirements while minimizing the loss of accuracy. In this study, we perform extensive experiments to verify how the classifiers performance changes when trained on an anonymized dataset compared to the original one, and evaluate the impact of classification algorithms, datasets properties, and anonymization parameters on classifiers’ performance.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:1941187",
    "title": "Towards end-to-end privacy for publish/subscribe architectures in the Internet of Things",
    "authors": [
      "Stevan Coroller",
      "Sophie Chabridon",
      "Maryline Laurent",
      "Denis Conan",
      "Jean Leneutre"
    ],
    "date": "2018-12-10",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-01940866v1",
    "pdfUrl": "https://hal.science/hal-01940866/document",
    "doi": "10.1145/3286719.3286727",
    "abstract": "The Internet of Things paradigm lacks end-to-end privacy solutions to consider its full adoption in real life scenarios in the near future. The recent enactment of the EU General Data Protection Regulation (GDPR) indeed emphasises the need for stronger security and privacy measures for personal data processing and free movement, including consent management and accountability by the data controller and processor. In this paper, we suggest an architecture to enforce end-to-end data usage control in Distributed Event-Based Systems (DEBS), from data producers to consumer services, taking into account some of the GDPR requirements concerning consent management and data processing transparency. Our architecture proposal is based on UCON ABC usage control models, which we overlap with a distributed hash table overlay for scalability and fault-tolerance concerns, and across and within systems data usage control. Our proposal highlights the benefits of combining both DEBS and end-user usage control architectures. To complete our approach, we quickly survey existing encryption models that ensure data confidentiality in topic-based Publish/Subscribe systems and highlight the remaining obstacles to transpose them to content-based DEBS with an overlay of brokers",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3193730188",
    "title": "Recherche sur données : aspects juridiques et éthiques à travers l’expérience de l’hôpital Foch",
    "authors": [
      "Elisabeth Hulier-Ammar",
      "Amélie Chioccarello",
      "Pauline Touche",
      "Achille Ivasilevitch",
      "H.-C. Stœklé",
      "Christian Hervé"
    ],
    "date": "2021",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1016/j.meddro.2021.06.003",
    "pdfUrl": "https://doi.org/10.1016/j.meddro.2021.06.003",
    "doi": "https://doi.org/10.1016/j.meddro.2021.06.003",
    "abstract": "Les données de santé font l’objet de convoitise par de nombreux acteurs, bien entendu par les industriels de la santé, notamment du médicament et du dispositif médical, par les hôpitaux et les instituts de recherche, mais aussi par tout type d’entreprises marchandes qui souhaiteraient en retirer des bénéfices conséquents. Face à ce phénomène, les instances de l’Union Européenne, dans le cadre du règlement européen de 2016 (RGPD) remplaçant la directive européenne sur les données de santé de 1995, ont renforcé la protection des données de santé qui sont des données particulièrement sensibles pour tout un chacun et, en conséquence, la réalisation des études sur les données de santé. Les recherches n’impliquant pas la personne humaine, improprement appelées « Études sur données », sont très encadrées par le RGPD et, pour la France, par la Loi Informatique et Libertés (LIL) qui a été modifiée en conséquence. Cet article expose les étapes à réaliser pour la mise en place d’études sur données et les droits des participants/patients dans le cadre de ces recherches. Une vigilance éthique demanderait à ce que ces recherches soient examinées par un comité ad hoc. Health data is the object of covetousness by many actors, of course by the healthcare industry, in particular the drug and medical device industry, by hospitals and research institutes, but also by all types of merchant companies which would like to derive substantial benefits from it. Faced with this phenomenon, the European Commission, within the framework of the replacement of the European Directive on health data of 1995, by the General Data Protection Regulation of 2016 (GDPR) has strengthened the protection of health data which is particularly sensitive data for everyone and, consequently, carrying out studies on health data. 
Researches that does not involve human beings, improperly called “Data studies”, are closely regulated by the GDPR and, for France, by the Data Protection Act, which has been amended accordingly. This article describes the steps to be taken for the implementation of data studies and what are the rights of participants/patients in the context of these researchs. Ethical vigilance would require that such research be reviewed by an ad hoc committee.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "Médecine & Droit",
    "language": "fr"
  },
  {
    "id": "https://openalex.org/W2899857038",
    "title": "Machine Learning for Diagnosis and Treatment:",
    "authors": [
      "Robin Pierce"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.21552/edpl/2018/3/11",
    "pdfUrl": "",
    "doi": "https://doi.org/10.21552/edpl/2018/3/11",
    "abstract": "Machine Learning (ML), a form of artificial intelligence (AI) that produces iterative refinement of outputs without human intervention, is gaining traction in healthcare as a promising way of streamlining diagnosis and treatment and is even being explored as a more efficient alternative to clinical trials. ML is increasingly being identified as an essential tool in the arsenal of Big Data for medicine. ML can process and analyse the data resulting in outputs that can inform treatment and diagnosis. Consequently, ML is likely to occupy a central role in precision medicine, an approach that tailors treatment based on characteristics of individual patients instead of traditional ‘average’ or one-size-fits-all medicine, potentially optimising outcomes as well as resource allocation. ML falls into a category of data-reliant technologies that have the potential to enhance healthcare in significant ways. However, as such, concerns about data protection and the GDPR may arise as ML assumes a growing role in healthcare, prompting questions about the extent to which the GDPR and related legislation will be able to provide adequate data protection for data subjects. Focusing on issues of transparency, fairness, storage limitation, purpose limitation and data minimisation as well as specific provisions supporting these principles, this article examines the interaction between ML and data protection law. Keywords: Machine Learning, GDPR, Data Protection, Artificial Intelligence in Medicine, Health Data, Automated Processing, Data Minimisation",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "European Data Protection Law Review",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2744031157",
    "title": "Data Protection and the Role of Fairness",
    "authors": [
      "Damian Clifford",
      "Jef Ausloos"
    ],
    "date": "2018",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1093/yel/yey004",
    "pdfUrl": "",
    "doi": "https://doi.org/10.1093/yel/yey004",
    "abstract": "The purpose of this article is to examine the principle of fairness as it appears in EU data protection law. Despite the fact that this principle is often referred to as a key tenet of the data protection framework, a precise understanding of its role remains elusive. As such, this article aims to provide the first steps towards a more thorough understanding of the fairness principle. This is significant as it is argued that fairness is delineated from the other data protection principles and thus this article aims to clarify its overarching role and importance in the General Data Protection Regulation (GDPR). The article divides the fairness principle into procedural fairness and fair balancing elements which are evident in the fairness checks and balances in the GDPR. Building on this analysis the article identifies gaps, shortcomings and areas for future research thus calling for further analysis on the precise contours of the fairness principle.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "Yearbook of European Law",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4386156801",
    "title": "Preserving Privacy and Security in Federated Learning",
    "authors": [
      "Truc Nguyen",
      "My T. Thai"
    ],
    "date": "2023",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1109/tnet.2023.3302016",
    "pdfUrl": "",
    "doi": "https://doi.org/10.1109/tnet.2023.3302016",
    "abstract": "Federated learning is known to be vulnerable to both security and privacy issues. Existing research has focused either on preventing poisoning attacks from users or on concealing the local model updates from the server, but not both. However, integrating these two lines of research remains a crucial challenge since they often conflict with one another with respect to the threat model. In this work, we develop a principle framework that offers both privacy guarantees for users and detection against poisoning attacks from them. With a new threat model that includes both an honest-but-curious server and malicious users, we first propose a secure aggregation protocol using homomorphic encryption for the server to combine local model updates in a private manner. Then, a zero-knowledge proof protocol is leveraged to shift the task of detecting attacks in the local models from the server to the users. The key observation here is that the server no longer needs access to the local models for attack detection. Therefore, our framework enables the central server to identify poisoned model updates without violating the privacy guarantees of secure aggregation.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.537,
    "venue": "IEEE/ACM Transactions on Networking",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3092422523",
    "title": "BOREALIS: Building Block for Sealed Bid Auctions on Blockchains",
    "authors": [
      "Erik-Oliver Blaß",
      "Florian Kerschbaum"
    ],
    "date": "2020",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1145/3320269.3384752",
    "pdfUrl": "",
    "doi": "https://doi.org/10.1145/3320269.3384752",
    "abstract": "We focus on securely computing the ranks of sealed integers distributed among n parties. For example, we securely compute the largest or smallest integer, the median, or in general the kth-ranked integer. Such computations are a useful building block to securely implement a variety of sealed-bid auctions. Our objective is efficiency, specifically low interactivity between parties to support blockchains or other scenarios where multiple rounds are time-consuming. Hence, we dismiss powerful, yet highly-interactive MPC frameworks and propose BOREALIS, a special-purpose protocol for secure computation of ranks among integers. BOREALIS uses additively homomorphic encryption to implement core comparisons, but computes under distinct keys, chosen by each party to optimize the number of rounds. By carefully combining cryptographic primitives, such as ECC Elgamal encryption, encrypted comparisons, ciphertext blinding, secret sharing, and shuffling, BOREALIS sets up systems of multi-scalar equations which we efficiently prove with Groth-Sahai ZK proofs. Therewith, BOREALIS implements a multi-party computation of pairwise comparisons and rank zero-knowledge proofs secure against malicious adversaries. BOREALIS completes in at most 4 rounds which is constant in both bit length l of integers and the number of parties n. This is not only asymptotically optimal, but surpasses generic constant-round secure multi-party computation protocols, even those based on shared-key fully homomorphic encryption. Furthermore, our implementation shows that BOREALIS is very practical. Its main bottleneck, ZK proof computations, is small in practice. Even for a large number of parties (n=200) and high-precision integers (l=32), computation time of all proofs is less than a single Bitcoin block interval.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3003794402",
    "title": "Robustness and Explainability of Artificial Intelligence",
    "authors": [
      "Ronan Hamon",
      "H. Junklewitz",
      "Sanchez Martin Jose Ignacio"
    ],
    "date": "2019",
    "platform": "OpenAlex",
    "sourceUrl": "https://publications.jrc.ec.europa.eu/repository/handle/JRC119336",
    "pdfUrl": "",
    "doi": "https://doi.org/10.2760/57493",
    "abstract": "In the light of the recent advances in artificial intelligence (AI), the serious negative consequences of its use for EU citizens and organisations have led to multiple initiatives from the European Commission to set up the principles of a trustworthy and secure AI. Among the identified requirements, the concepts of robustness and explainability of AI systems have emerged as key elements for a future regulation of this technology. \\nThis Technical Report by the European Commission Joint Research Centre (JRC) aims to contribute to this movement for the establishment of a sound regulatory framework for AI, by making the connection between the principles embodied in current regulations regarding to the cybersecurity of digital systems and the protection of data, the policy activities concerning AI, and the technical discussions within the scientific community of AI, in particular in the field of machine learning, that is largely at the origin of the recent advancements of this technology.\\nThe individual objectives of this report are to provide a policy-oriented description of the current perspectives of AI and its implications in society, an objective view on the current landscape of AI, focusing of the aspects of robustness and explainability. This also include a technical discussion of the current risks associated with AI in terms of security, safety, and data protection, and a presentation of the scientific solutions that are currently under active development in the AI community to mitigate these risks. \\nThis report puts forward several policy-related considerations for the attention of policy makers to establish a set of standardisation and certification tools for AI. First, the development of methodologies to evaluate the impacts of AI on society, built on the model of the Data Protection Impact Assessments (DPIA) introduced in the General Data Protection Regulation (GDPR), is discussed. 
Secondly, a focus is made on the establishment of methodologies to assess the robustness of systems that would be adapted to the context of use. This would come along with the identification of known vulnerabilities of AI systems, and the technical solutions that have been proposed in the scientific community to address them. Finally, the promotion of transparency systems in sensitive systems is discussed, through the implementation of explainability-by-design approaches in AI components that would provide guarantee of the respect of the fundamental rights.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4309504924",
    "title": "Practical fundamental rights impact assessments",
    "authors": [
      "Heleen Janssen",
      "Michelle Seng Ah Lee",
      "Jatinder Singh"
    ],
    "date": "2022",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1093/ijlit/eaac018",
    "pdfUrl": "https://academic.oup.com/ijlit/advance-article-pdf/doi/10.1093/ijlit/eaac018/47162766/eaac018.pdf",
    "doi": "https://doi.org/10.1093/ijlit/eaac018",
    "abstract": "The European Union’s General Data Protection Regulation tasks organizations to perform a Data Protection Impact Assessment (DPIA) to consider fundamental rights risks of their artificial intelligence (AI) system. However, assessing risks can be challenging, as fundamental rights are often considered abstract in nature. So far, guidance regarding DPIAs has largely focussed on data protection, leaving broader fundamental rights aspects less elaborated. This is problematic because potential negative societal consequences of AI systems may remain unaddressed and damage public trust in organizations using AI. Towards this, we introduce a practical, four-Phased framework, assisting organizations with performing fundamental rights impact assessments. This involves organizations (i) defining the system’s purposes and tasks, and the responsibilities of parties involved in the AI system; (ii) assessing the risks regarding the system’s development; (iii) justifying why the risks of potential infringements on rights are proportionate; and (iv) adopt organizational and/or technical measures mitigating risks identified. We further indicate how regulators might support these processes with practical guidance.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "International Journal of Law and Information Technology",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4379967696",
    "title": "The Heart and Artificial Intelligence—How Can We Improve Medicine Without Causing Harm",
    "authors": [
      "Christoph Reich",
      "Benjamin Meder"
    ],
    "date": "2023",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1007/s11897-023-00606-0",
    "pdfUrl": "https://link.springer.com/content/pdf/10.1007/s11897-023-00606-0.pdf",
    "doi": "https://doi.org/10.1007/s11897-023-00606-0",
    "abstract": "As medical data becomes smart, it is also becoming more valuable and vulnerable to malicious actors. In addition, the gap between what is technically possible and what is allowed by privacy legislation is growing. Principles of the General Data Protection Regulation that have been in force since May 2018, such as transparency, purpose limitation, and data minimization, seem to hinder the development and use of Artificial Intelligence. Concepts to secure data integrity and incorporate legal and ethical principles can help to avoid the potential risks of digitization and may result in an European leadership in regard to privacy protection and AI. The following review provides an overview of relevant aspects of Artificial Intelligence and Machine Learning, highlights selected applications in cardiology, and discusses central ethical and legal considerations.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "Current Heart Failure Reports",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W4319586706",
    "title": "Generating Privacy Preserving Synthetic Medical Data",
    "authors": [
      "Fahim Faisal",
      "Noman Mohammed",
      "Carson K. Leung",
      "Yan Wang"
    ],
    "date": "2022",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.1109/dsaa54385.2022.10032429",
    "pdfUrl": "",
    "doi": "https://doi.org/10.1109/dsaa54385.2022.10032429",
    "abstract": "Due to the recent development in the deep learning community and the availability of state-of-the-art models, medical practitioners are getting more interested in computer vision and deep learning for diagnosis tasks. Moreover, those medical diagnostic models can also increase the reliability of conventional findings. As radiology images can convey a lot of information for a patient’s diagnosis task, the problem is that such medical data may contain sensitive private information in their content header. De-anonymization (i.e., removal of sensitive header information) does not work well due to the re-identification risk, which may link those images to essential details (e.g., birth date, SSN, institution name, etc.), and such an approach can also reduce utility. In the medical domain, utility is significant because a less accurate diagnosis may lead to the wrong course of treatment and/or loss of life. In this paper, we developed a differentially private approach that can generate high-quality and high dimensional synthetic medical image data with guaranteed differential privacy. It can be used to create sufficient quality data to train a deep model. Moreover, we used W-GAN for bounded gradient guarantee, which eliminates the need for an extensive clipping hyperparameter search. We also added noise selectively to the generator to maintain the privacy-utility trade-off. Due to a noise-free discriminator and such selective noise addition to the generator, high-quality and reliable generated radiology images can be utilized for diagnosis tasks. Moreover, our approach can work in a distributed system where different hospitals can contain their private images in the local server and use a central server to generate synthetic radiology images without storing patient data.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.537,
    "venue": "2022 IEEE 9th International Conference on Data Science and Advanced Analytics (DSAA)",
    "language": "en"
  },
  {
    "id": "s2:f75d5f18c3ececd025eb7dc80648d373bb86bcb5",
    "title": "A Study on Re-Identification of Natural Language Data Considering Korean Attributes",
    "authors": [
      "S. Bang",
      "Soeun Kim",
      "Gaeun Ahn",
      "Hyemin Hong",
      "Junhyoung Oh"
    ],
    "date": "2025",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/f75d5f18c3ececd025eb7dc80648d373bb86bcb5",
    "pdfUrl": "",
    "doi": "10.32604/cmc.2025.068221",
    "abstract": "This study analyzes the risks of re-identification in Korean text data and proposes a secure, ethical approach to data anonymization. Following the ‘Lee Luda’ AI chatbot incident, concerns over data privacy have increased. The Personal Information Protection Commission of Korea conducted inspections of AI services, uncovering 850 cases of personal information in user input datasets, highlighting the need for pseudonymization standards. While current anonymization techniques remove personal data like names, phone numbers, and addresses, linguistic features such as writing habits and language-specific traits can still identify individuals when combined with other data. To address this, we analyzed 50,000 Korean text samples from the X platform, focusing on language-specific features for authorship attribution. Unlike English, Korean features flexible syntax, honorifics, syllabic and grapheme patterns, and referential terms. These linguistic characteristics were used to enhance re-identification accuracy. Our experiments combined five machine learning models, six stopword processing methods, and four morphological analyzers. By using a tokenizer that captures word frequency and order, and employing the LSTM model, OKT morphological analyzer, and stopword removal, we achieved the maximum authorship attributions accuracy of 90.51%. This demonstrates the significant role of Korean linguistic features in re-identification. The findings emphasize the risk of re-identification through language data and call for a re-evaluation of anonymization methods, urging the consideration of linguistic traits in anonymization beyond simply removing personal information.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.537,
    "venue": "Computers, Materials & Continua",
    "language": "en"
  },
  {
    "id": "s2:dd63db46800ed68ac3e559ec671a76ec4bfbdfd2",
    "title": "pfb_fhir: A utility to extract clinical data systems into a portable format",
    "authors": [
      "B. Walsh",
      "J. Lee",
      "K. Ellrott"
    ],
    "date": "2023-06-29",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/dd63db46800ed68ac3e559ec671a76ec4bfbdfd2",
    "pdfUrl": "https://www.medrxiv.org/content/medrxiv/early/2023/06/29/2023.06.26.23291922.full.pdf",
    "doi": "10.1101/2023.06.26.23291922",
    "abstract": "Fast Healthcare Interoperability Resources (FHIR) is a server specification and data model that allows for EHR systems to represent clinical metadata using a consistent API. There is a critical mass of EHR and clinical trial data stored in FHIR based systems. Research analysts can take advantage of existing FHIR tooling for de-identification, pseudonymization, and anonymization. More recently the BiodataCatalyst consortium has proposed the Portable Format for Bioinformatics (PFB) which is a carrier format for describing raw data and the data model in which it is structured, based on an efficient binary format (AVRO). PFB allows an entire cohort of metadata to be loaded into a research data system. Here, we describe an open source utility that will scan FHIR based systems and create PFB based archives. pfb_fhir scans data from FHIR based clinical data systems and converts the data into a self contained PFB file. This utility identifies types, customizations (extensions), and element connections. It then converts all of these components into a graph model compatible for storage in the PFB specification. The structure of the original FHIR system is faithfully reproduced using the PFB schema description system. All records from the system are downloaded, converted and stored as vertices in a graph described by the PFB file. This system has been tested against a number of different FHIR installations, including ones hosted by dbGAP, The Kids First Data Resource and AnVIL. pfb_fhir helps to unlock the potential of EHR and clinical trial data. pfb_fhir allows researchers to easily scan and store FHIR resources and create self contained PFB archives, called FHIR in PFB. These archive files can easily be moved to new data systems, allowing the clinical data to be connected to more complex genomic analysis and data science platforms. 
The FHIR in PFB archives generated by pfb_fhir have been loaded into data platforms including the Broad's Terra system, Gen3 based data system, custom graph query engines and Jupyter notebooks. This flexibility will enable genomics investigators to do more integrated genotype to phenotype association analysis using whichever tools suit their line of research.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.537,
    "venue": "medRxiv",
    "language": "en"
  },
  {
    "id": "s2:b87cd1cd18378c3d1584f10d0e445206dca50516",
    "title": "Towards Private Medical Data Donations by Using Privacy Preserving Technologies",
    "authors": [
      "Arno Appenzeller",
      "Nick Terzer",
      "Erik Krempel",
      "J. Beyerer"
    ],
    "date": "2022-06-29",
    "platform": "semantic_scholar",
    "sourceUrl": "https://www.semanticscholar.org/paper/b87cd1cd18378c3d1584f10d0e445206dca50516",
    "pdfUrl": "https://dl.acm.org/doi/pdf/10.1145/3529190.3534768",
    "doi": "10.1145/3529190.3534768",
    "abstract": "Through the growing amount of personal health data collected by the individual itself digital data donations become more and more attractive. Wearables like Apple Watch or Fitbit trackers make tracking of heart rate, daily step counts and other lifestyle data easier than ever. While this data is collected on the dedicated device, it can help research in many promising ways. Even if the potential benefit of this data is very clear, there are open questions regarding privacy. Traditional privatization measures like anonymization and pseudonymization can only provide limited privacy guarantees especially with the growing amount of personalized data. To mitigate those risks privacy enhancing technologies like differential privacy can be used. While the theoretical foundation of such technologies is strong, only limited data is available about their practical use in large scale applications and the trade-off between privacy and utility. In this paper we will present a data donation scenario that is inspired by a real-world use case using lifestyle data for its analyses. We will apply the local differential privacy technology “RAPPOR” to improve the privacy protection for the data donors and evaluate the impact of this technique to the data utility.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.537,
    "venue": "Petra",
    "language": "en"
  },
  {
    "id": "europepmc:40210906",
    "title": "A secure and efficient deep learning-based intrusion detection framework for the internet of vehicles.",
    "authors": [
      "Khan H",
      "Tejani GG",
      "AlGhamdi R",
      "Alasmari S",
      "Sharma NK",
      "Sharma SK."
    ],
    "date": "2025-04-10",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1038/s41598-025-94445-9",
    "pdfUrl": "https://europepmc.org/articles/PMC11985505?pdf=render",
    "doi": "10.1038/s41598-025-94445-9",
    "abstract": "This swift growth in Internet of Vehicle (IoV) networks has created serious security issues, primarily in intrusion detection due to the fact that these are complex, dynamic, and large-scale networks. AES-256 encryption for strong real-time security and access control, along with Secure Multi-Party Computation (SMPC) and Homomorphic Encryption (HE) for privacy-preserving collaborative data processing and encrypted computations, are some of the innovative contributions to IoV security that this work presents. Z-score normalization and median imputation are two excellent methods for prepping high-quality data for a deep learning-based intrusion detection system (IDS). Vision Transformer (ViT), wavelet transforms, and GAT ensure effective feature extraction, and a novel hybrid optimization known as Crayfish-Mother secure Optimization (CMSO) method is proposed to optimize feature selection to its maximum and reduce computational cost. DenseNet, GoogleNet, AlexNet, and SqueezeNet are also integrated in the newly proposed DAGSNet architecture to enhance feature detection and classification, enhancing the dependability and effectiveness of the IDS for IoV security. A highly secure, effective, and precise intrusion detection system in IoV environments is guaranteed by this holistic approach with the minimum time of encryption and decryption (0.02 s, 0.82 s) and maximum precision of two datasets (0.991, 0.984).",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "es"
  },
  {
    "id": "https://openalex.org/W2943854960",
    "title": "Mecanismos de prevención del acceso indebido a la historia clínica por parte del personal sanitario y nueva legislación de protección de datos",
    "authors": [
      "Andrea Salud Casanova Asencio"
    ],
    "date": "2019",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.6018/bioderecho.360771",
    "pdfUrl": "https://revistas.um.es/bioderecho/article/download/360771/260601",
    "doi": "https://doi.org/10.6018/bioderecho.360771",
    "abstract": "El acceso injustificado a la historia clínica por parte del personal sanitario es un problema práctico de marcada incidencia en la actualidad, que no ha conseguido resolverse a pesar de los avances de los últimos años en materia de historia clínica. Al mismo tiempo, la nueva legislación de protección de datos (RGPD y la nueva LOPDGDD) supone un cambio en el modelo de seguridad de los mismos, al requerir una responsabilidad proactiva por parte del responsable del tratamiento, que deberá estudiar el riesgo al que los datos están sometidos por dicho tratamiento con el fin de adoptar las medidas técnicas y organizativas más adecuadas para garantizar la seguridad de los datos ya desde el propio diseño del sistema. Con esta perspectiva, se realiza una exposición y análisis de una serie de mecanismos preventivos de diverso tipo que, aplicados en conjunto, habrían de ser útiles para gestionar de mejor manera el problema de los accesos indebidos a la historia clínica por parte del personal sanitario sin vinculación asistencial. Access to the medical history by health personnel that isn’t justified by the supplying of the adequate health care –hence being deemed as an unjustified access- is currently a prominent practical problem which hasn’t been solved despite the advance shown by medical history regulations in the last few years. At the same time, the new data protection regulation (GDPR and Spanish LOPDGDD) introduces a new model for the security of the data, emphasizing what is known as “accountability” by the controller of the data, which translates into data protection by design and by default. From this perspective, a series of preventive mechanisms to avoid unjustified access to a medical history is analysed and presented, assuming that the problem requires the joint application of at least several of these preventive tools.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "Bioderecho es",
    "language": "es"
  },
  {
    "id": "https://openalex.org/W3180753442",
    "title": "La adopción de instrumentos de certificación como garantía eficiente en la protección de los datos personales",
    "authors": [
      "Jorge Viguri Cordero"
    ],
    "date": "2021",
    "platform": "OpenAlex",
    "sourceUrl": "http://hdl.handle.net/10234/194225",
    "pdfUrl": "http://hdl.handle.net/10234/194225",
    "doi": "https://doi.org/10.2436/rcdp.i62.2021.3571",
    "abstract": "The purpose of this paper is to analyse the certification mechanisms in force since the effective application of the General Data Protection Regulation (GDPR). As a starting point, we approach these mechanisms from their eminently technical focus and their approximation to the field of data protection law. Next, we examine the regulation of certification mechanisms in the GDPR and the initiatives that have recently been promoted in Spain, France and the United Kingdom by their respective data protection agencies. We then move on to the study of the ISO/IEC 27000 series of international standards, and more specifically ISO/IEC 27001 (information security) and 27701 (privacy information management) and their corresponding updates. Finally, the most immediate benefits of these initiatives and their scope for improvement in the short-term future are highlighted, once the most relevant limitations affecting effective compliance with the aforementioned regulation have been identified.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "Repositori UJI (Universitat Jaume I)",
    "language": "es"
  },
  {
    "id": "europepmc:38152698",
    "title": "Trust Beyond Border: Lightweight, Verifiable User Isolation for Protecting In-Enclave Services.",
    "authors": [
      "Wang W",
      "Liu W",
      "Chen H",
      "Wang X",
      "Tian H",
      "Lin D."
    ],
    "date": "2021-12-28",
    "platform": "europe_pmc",
    "sourceUrl": "https://doi.org/10.1109/tdsc.2021.3138427",
    "pdfUrl": "https://europepmc.org/articles/PMC10751023?pdf=render",
    "doi": "10.1109/tdsc.2021.3138427",
    "abstract": "Due to the absence of in-enclave isolation, today's trusted execution environment (TEE), specifically Intel's Software Guard Extensions (SGX), does not have the capability to securely run different users' tasks within a single enclave, which is required for supporting real-world services, such as an in-enclave machine learning model that classifies the data from various sources, or a microservice (e.g., data search) that performs a very small task (within sub-seconds) for a user and therefore cannot afford the resources and the delay for creating a separate enclave for each user. To address this challenge, we developed Liveries, a technique that enables lightweight, verifiable in-enclave user isolation for protecting time-sharing services. Our approach restricts an in-enclave thread's privilege when configuring an enclave, and further performs integrity check and sanitization on critical enclave data upon user switches. For this purpose, we developed a novel technique that ensures the protection of sensitive user data (e.g., session keys) even in the presence of the adversary who may have compromised the enclave. Our study shows that the new technique is lightweight (1% overhead) and verifiable (about 3200 lines of code), making a step towards assured protection of real-world in-enclave services.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "fr"
  },
  {
    "id": "https://openalex.org/W3094472504",
    "title": "L’éthique des mégadonnées (Big Data) en recherche",
    "authors": [
      "Nicolae Sfetcu"
    ],
    "date": "2020",
    "platform": "OpenAlex",
    "sourceUrl": "https://philarchive.org/rec/SFELDM",
    "pdfUrl": "https://doi.org/10.13140/rg.2.2.10128.56328",
    "doi": "https://doi.org/10.13140/rg.2.2.10128.56328",
    "abstract": "Les principaux problèmes rencontrés par les scientifiques qui travaillent avec des ensembles de données massives (mégadonnées, Big Data), en soulignant les principaux problèmes éthiques, tout en tenant compte de la législation de l'Union européenne. Après une brève Introduction au Big Data, la section Technologie présente les applications spécifiques de la recherche. Il suit une approche des principales questions philosophiques spécifiques dans Aspects philosophiques, et Aspects juridiques en soulignant les problèmes éthiques spécifiques du règlement de l'UE sur la protection des données 2016/679 (General Data Protection Regulation, « GDPR »). La section Problèmes éthiques détaille les problèmes spécifiques générés par le big data. Après une brève section de Recherche de big data, sont présentées les Conclusions sur l’éthique de la recherche dans l’utilisation du big data. SOMMAIRE: Abstract 1. Introduction - 1.1 Définitions - 1.2 Les dimensions du big data 2. La technologie - 2.1 Applications - - 2.1.1 En recherche 3. Aspects philosophiques 4 Aspects juridiques - 4.1 RGPD (GDPR) - - Étapes du traitement des données personnelles - - Principes du traitement des données - - Politique de confidentialité et transparence - - Finalités du traitement des données - - Confidentialité par conception et confidentialité implicite - - Le paradoxe (juridique) des mégadonnées 5. Problèmes éthiques - L'éthique dans la recherche - Prise de conscience - Consentement - Contrôle - Transparence - Confiance - Propriété - Surveillance et sécurité - Identité numérique - Réalité ajustée - De-anonymisation - Inégalité numérique - Confidentialité 6. Recherche des mégadonnées Conclusions Bibliographie DOI: 10.13140/RG.2.2.10128.56328",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "PhilPapers (PhilPapers Foundation)",
    "language": "fr"
  },
  {
    "id": "https://openalex.org/W4407791174",
    "title": "A GAMIFICAÇÃO APLICADA ÀS LEIS PROTEÇÃO DE DADOS: UMA ESTRATÉGIA DE CONSCIENTIZAÇÃO PARA PROMOVER A PRIVACIDADE NAS EMPRESAS",
    "authors": [
      "Davis Souza Alves",
      "Luiz Antônio de Lima",
      "Paulo Pereira",
      "Juliana Heller",
      "Márcio Magera Conceição"
    ],
    "date": "2025",
    "platform": "OpenAlex",
    "sourceUrl": "https://doi.org/10.47820/recima21.v6i2.6253",
    "pdfUrl": "https://recima21.com.br/index.php/recima21/article/download/6253/4248",
    "doi": "https://doi.org/10.47820/recima21.v6i2.6253",
    "abstract": "O presente artigo tem como objetivo abordar o uso da gamificação como uma estratégia inovadora para promover a conscientização e o aprendizado das boas práticas da Lei Geral de Proteção de Dados Pessoais (LGPD) no Brasil, a Lei da Pretecção de Dados Pessoais (LPDP) de Angola, o Regulamento Geral de Proteção de Dados (RGPD) - General Data Protection Regulation (GDPR) na Europa, e demais leis de proteção de dados pessoais ao redor do mundo. A gamificação é apresentada como uma abordagem que utiliza elementos de jogos para engajar os participantes de forma lúdica e interativa. Desse modo, a pergunta problema dessa pesquisa é “Como a gamificação pode ser utilizada para conscientização para promover as práticas de privacidade de dados? Para essa investigação faz-se uso da pesquisa de campo, realizada com colaboradores de quatro empresas brasileiras do setor de saúde. Os resultados obtidos demonstram que a maioria dos colaboradores apresentava dificuldades em entender as boas práticas de LGPD, porém a avaliação do jogo de tabuleiro foi eficaz em estimular o aprendizado e a adoção das práticas de proteção de dados. Como contribuição da pesquisa, é apresentado um Modelo de Gamificação Empresarial que foi permitido a proposição por meio dos resultados obtidos na pesquisa de campo, sendo passíveis de uso em outras empresas.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "RECIMA21 - Revista Científica Multidisciplinar - ISSN 2675-6218",
    "language": "pt"
  },
  {
    "id": "gdprhub:3131",
    "title": "AEPD (Spain) - PS/00220/2020",
    "authors": [],
    "date": "2023-12-13",
    "platform": "gdprhub",
    "sourceUrl": "https://gdprhub.eu/index.php?title=AEPD_(Spain)_-_PS/00220/2020",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Article 17 of the RGPD, called the right to erasure (\"the right to be forgotten\") in which precept the right of deletion of the claimant is governed, stating",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "power_knowledge_asymmetry",
      "privacy_engineering",
      "jurisdiction_regulatory",
      "biometric_surveillance",
      "pii_entity_types"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Biometric & Immutable PII",
      "Enforcement",
      "Sector Regulations",
      "Solutions Market",
      "User Behavior / PII Communities"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "en"
  },
  {
    "id": "gdprhub:5622",
    "title": "ANSPDCP (Romania) - 18.01.2023",
    "authors": [],
    "date": "2023-12-13",
    "platform": "gdprhub",
    "sourceUrl": "https://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_18.01.2023",
    "pdfUrl": "",
    "doi": "",
    "abstract": "controller had violated their right to erasure (‘right to be forgotten’) pursuant to Article 17 GDPR. The DPA decided to investigate the matter. During",
    "topics": [
      "gdpr_compliance",
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "en"
  },
  {
    "id": "gdprhub:2216",
    "title": "NAIH (Hungary) - NAIH/2020/32/4",
    "authors": [],
    "date": "2023-11-17",
    "platform": "gdprhub",
    "sourceUrl": "https://gdprhub.eu/index.php?title=NAIH_(Hungary)_-_NAIH/2020/32/4",
    "pdfUrl": "",
    "doi": "",
    "abstract": "campaign? The data controller violated the right of access under Article 15 GDPR, the right to erasure (‘right to be forgotten’) of the data subject under",
    "topics": [
      "gdpr_compliance",
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Enforcement",
      "Solutions Market"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "en"
  },
  {
    "id": "gdprhub:3593",
    "title": "Gerechtshof Amsterdam - 200.280.852/01",
    "authors": [],
    "date": "2021-10-04",
    "platform": "gdprhub",
    "sourceUrl": "https://gdprhub.eu/index.php?title=Gerechtshof_Amsterdam_-_200.280.852/01",
    "pdfUrl": "",
    "doi": "",
    "abstract": "asked its own DPO (Data Protection Officer) for advice and received a positive response. The UvA then conducted a DPIA (Data Protection Impact Assessment)",
    "topics": [
      "gdpr_compliance",
      "data_anonymization",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Biometric & Immutable PII",
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "en"
  },
  {
    "id": "gdprhub:2206",
    "title": "DSB (Austria) - D130.206/0006-DSB/2019",
    "authors": [],
    "date": "2023-05-12",
    "platform": "gdprhub",
    "sourceUrl": "https://gdprhub.eu/index.php?title=DSB_(Austria)_-_D130.206/0006-DSB/2019",
    "pdfUrl": "",
    "doi": "",
    "abstract": "your personal data within the framework of the provisions of the Basic Data Protection Regulation (DSGVO) and the national data protection law. In the following",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "fr"
  },
  {
    "id": "gdprhub:4541",
    "title": "FG München - 15 K 118/20",
    "authors": [],
    "date": "2022-02-09",
    "platform": "gdprhub",
    "sourceUrl": "https://gdprhub.eu/index.php?title=FG_M%C3%BCnchen_-_15_K_118/20",
    "pdfUrl": "",
    "doi": "",
    "abstract": "General Data Protection Regulation from the tax office chains of standards: DSGVO Art. 15 Para. 1 AO § 32b, § 32c Guiding principles: 1. The GDPR applies to",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "de"
  },
  {
    "id": "gdprhub:4538",
    "title": "LSG Hamburg - L 3 R 7/21",
    "authors": [],
    "date": "2022-01-25",
    "platform": "gdprhub",
    "sourceUrl": "https://gdprhub.eu/index.php?title=LSG_Hamburg_-_L_3_R_7/21",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Regulation. Article 16 sentence 2 of the General Data Protection Regulation (DSGVO). Pursuant to Article 16 sentence 2 of the GDPR, the data subject had the",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "de"
  },
  {
    "id": "arxiv:2501.06953",
    "title": "ByzSFL: Achieving Byzantine-Robust Secure Federated Learning with Zero-Knowledge Proofs",
    "authors": [
      "Yongming Fan",
      "Rui Zhu",
      "Zihao Wang",
      "Chenghong Wang",
      "Haixu Tang",
      "Ye Dong",
      "Hyunghoon Cho",
      "Lucila Ohno-Machado"
    ],
    "date": "2025-01-12",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2501.06953v1",
    "pdfUrl": "https://arxiv.org/pdf/2501.06953v1",
    "doi": "",
    "abstract": "The advancement of AI models, especially those powered by deep learning, faces significant challenges in data-sensitive industries like healthcare and finance due to the distributed and private nature of data. Federated Learning (FL) and Secure Federated Learning (SFL) enable collaborative model training without data sharing, enhancing privacy by encrypting shared intermediate results. However, SFL currently lacks effective Byzantine robustness, a critical property that ensures model performance remains intact even when some participants act maliciously. Existing Byzantine-robust methods in FL are incompatible with SFL due to the inefficiency and limitations of encryption operations in handling complex aggregation calculations. This creates a significant gap in secure and robust model training. To address this gap, we propose ByzSFL, a novel SFL system that achieves Byzantine-robust secure aggregation with high efficiency. Our approach offloads aggregation weight calculations to individual parties and introduces a practical zero-knowledge proof (ZKP) protocol toolkit. This toolkit supports widely used operators for calculating aggregation weights, ensuring correct computations without compromising data privacy. Not only does this method maintain aggregation integrity, but it also significantly boosts computational efficiency, making ByzSFL approximately 100 times faster than existing solutions. Furthermore, our method aligns with open-source AI trends, enabling plaintext publication of the final model without additional information leakage, thereby enhancing the practicality and robustness of SFL in real-world applications.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "en"
  },
  {
    "id": "arxiv:2007.09141",
    "title": "Diversifying Anonymized Data with Diversity Constraints",
    "authors": [
      "Mostafa Milani",
      "Yu Huang",
      "Fei Chiang"
    ],
    "date": "2020-07-17",
    "platform": "arxiv",
    "sourceUrl": "https://arxiv.org/abs/2007.09141v1",
    "pdfUrl": "https://arxiv.org/pdf/2007.09141v1",
    "doi": "",
    "abstract": "Recently introduced privacy legislation has aimed to restrict and control the amount of personal data published by companies and shared to third parties. Much of this real data is not only sensitive requiring anonymization, but also contains characteristic details from a variety of individuals. This diversity is desirable in many applications ranging from Web search to drug and product development. Unfortunately, data anonymization techniques have largely ignored diversity in its published result. This inadvertently propagates underlying bias in subsequent data analysis. We study the problem of finding a diverse anonymized data instance where diversity is measured via a set of diversity constraints. We formalize diversity constraints and study their foundations such as implication and satisfiability. We show that determining the existence of a diverse, anonymized instance can be done in PTIME, and we present a clustering-based algorithm. We conduct extensive experiments using real and synthetic data showing the effectiveness of our techniques, and improvement over existing baselines. Our work aligns with recent trends towards responsible data science by coupling diversity with privacy-preserving data publishing.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|od_______217::1d5c3d79cf2eb4a93014b437b18a3226",
    "title": "Privacy-preserving synthetic image data generation and classification",
    "authors": [
      "Faisal, Fahim"
    ],
    "date": "2023-05-24",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=50|od_______217::1d5c3d79cf2eb4a93014b437b18a3226",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Computer vision, generative models (e.g., ChatGPT, etc.), and deep learning are now widely used across various sectors, from large corporations to end devices, simplifying people’s lives and improving the reliability of medical findings. Sensitive image data and deep learning’s high memorization capacity pose privacy risks, particularly for medical images containing sensitive private information. De-anonymization does not work due to the re-identification risk and reduced utility. So, we developed a differentially private approach with selective noise in addition to generating high-dimensional synthetic medical image data with guaranteed differential privacy. In addition to ensuring data privacy, protecting the classification model’s privacy is crucial due to its vulnerability to “membership inference attacks.” State-of-the-art (e.g., differential privacy, etc.) defenses compromised task accuracy to preserve privacy, and some methods reuse private data or require more public data, which is impractical in some domains. To address privacy concerns while maintaining utility, we propose a collaborative distillation approach that transfers knowledge using minimal synthetic data, resulting in a compact private classifier model.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:4913768",
    "title": "Two worlds apart! Closing the gap between regulating EU consent and user studies",
    "authors": [
      "Nataliia Bielova",
      "Cristiana Santos",
      "Colin M Gray"
    ],
    "date": "2024-06-01",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-04913768v1",
    "pdfUrl": "https://hal.science/hal-04913768/document",
    "doi": "",
    "abstract": "The EU ePrivacy Directive requires consent before using cookies or other tracking technologies, while the EU General Data Protection Regulation (\"GDPR\") sets high-level and principle-based requirements for such consent to be valid. However, the translation of such requirements into concrete design interfaces for consent banners is far from straightforward. This situation has given rise to the use of manipulative tactics in user experience (\"UX\"), commonly known as dark patterns, which influence users' decision-making and may violate the GDPR requirements for valid consent. To address this problem, EU regulators aim to interpret GDPR requirements and to limit the design space of consent banners within their guidelines. Academic researchers from various disciplines address the same problem by performing user studies to evaluate the impact of design and dark patterns on users' decision making. Regrettably, the guidelines and user studies rarely impact each other. In this Essay, we collected and analyzed seventeen official guidelines issued by EU regulators and the EU Data Protection Board (\"EDPB\"), as well as eleven consent-focused empirical user studies which we thoroughly studied from a User Interface (\"UI\") design perspective. We identified numerous gaps between consent banner designs recommended by regulators and those evaluated in user studies. By doing so, we contribute to both the regulatory discourse and future user studies. We pinpoint EU regulatory inconsistencies and provide actionable recommendations for regulators. For academic scholars, we synthesize insights on design elements discussed by regulators requiring further user study evaluations. Finally, we recommend that EDPB and EU regulators, alongside usability, Human-Computer Interaction (“HCI”), and design researchers, engage in transdisciplinary dialogue in order to close the gap between EU guidelines and user studies.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "Harvard Journal of Law and Technology",
    "language": "en"
  },
  {
    "id": "openaire:50|od______2852::25210d0aaf7d7b82bbdaa49faa832318",
    "title": "Anonymizace dat v uživatelské aplikaci",
    "authors": [
      "Zachoval, Tadeáš"
    ],
    "date": "",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=50|od______2852::25210d0aaf7d7b82bbdaa49faa832318",
    "pdfUrl": "",
    "doi": "",
    "abstract": "The master thesis is focused on de-identification of personal data. The thesis consists of theoretical and practical parts. The theoretical part describes the legal view of personal data and is mainly focused on the concepts and possible de-identification methods and the difference between them. The core of the theoretical part is a description of basic and some advanced anonymization and pseudonymization techniques. The practical part of the thesis then focuses on programming an application in the Python programming language with a graphical user interface. The application implements an algorithm to generate a testing fake dataset that can be used for de-identification. However, the main functionality of the application is the anonymization and pseudonymization of personal data. For this purpose, selected de-identification techniques are applied in the application.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:oai:asep.lib.cas.cz:CavUnEpca/0552476",
    "title": "Ochrana osobních údajů v kriminologickém výzkumu",
    "authors": [
      "Nová, K. (Karolína)",
      "Drápal, J. (Jakub)"
    ],
    "date": "2021-01-01",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=oai:asep.lib.cas.cz:CavUnEpca/0552476",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Empirical researchers often use secondary data collected by others, especially state institutions. Due to the increasing availability of data online and the ever-growing ease of merging various datasets, the protection of personal data and adherence to the principles of data processing is becoming increasingly important for researchers. In criminal justice research, the protection of personal data is especially important, as information on convictions or criminal proceedings is under special protection. This article presents the basic principles for conducting research using personal data, focusing on their application in criminological research and especially on the use of secondary data. The article further discusses the responsibilities of personal data administrators and their role in the context of processing data for research purposes, data security, creating databases and their various forms, and the process of anonymization and pseudonymization. The article concludes with practical recommendations for ensuring ethical and legal practices in the field of criminological research vis-à-vis personal data protection.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|dris___01166::6f24702bf60c751356c0b72a7f8a96ac",
    "title": "PROTECT (Pervasive and UseR Focused BiomeTrics BordEr ProjeCT)",
    "authors": [
      "Dumortier, Franck"
    ],
    "date": "2018-01-01",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=50|dris___01166::6f24702bf60c751356c0b72a7f8a96ac",
    "pdfUrl": "",
    "doi": "",
    "abstract": "This document is Deliverable D2.2 of Task T2.2, WP2 – Privacy of the PROTECT project. The aim of D2.2 is to explore the current and proposed European legal framework regulating biometric Schengen border control in order to identify legal, privacy and data protection constraints which should be taken into account by PROTECT scenarios described in D3.11.\nIn order to be able to identify the legal constraints under current and proposed EU law for the usage of the multimodal biometric “on the move” solutions developed within the PROTECT project scenarios in D3.1, the first preliminary question which should be raised is: “Which is the exact purpose/extent of the border checks that could be “facilitated” thanks to the PROTECT system?”. Indeed, according to article 5 of the General Data Protection Regulation (GDPR), one of the main principles relating to the processing of personal data is the purpose limitation principle, according to which “personal data shall be collected for specified, explicit and legitimate purposes”.\nIn this Deliverable, it is assumed that the purpose of D3.1 scenarios is to “facilitate” public border control authorities to speed up their public interest missions of border control management by enrolling additional biometrics in travel documents (or smartphone apps acting as travel documents).\nBearing this public interest purpose fact in mind, the purpose of this Deliverable is to thoroughly analyse:\nLegal constraints deriving from legislation regulating EU travel documents (E-Passports, residence permits, visas), Schengen IT systems (in particular, VIS, SIS, EES, SLTD, API and ETIAS) and more generally legislation regulating cross-border movements at the Schengen external borders (the Schengen Borders Code)\nLegal privacy constraints related to the collection, storage and proc",
    "topics": [
      "gdpr_compliance",
      "biometric_surveillance"
    ],
    "painPointTracks": [
      "Biometric & Immutable PII",
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:50|od______4291::e66ba0330fb4891431a8b4d6681c3af6",
    "title": "PROTECT (Pervasive and UseR Focused BiomeTrics BordEr ProjeCT):D2.2 Legal framework of biometric border control",
    "authors": [
      "Dumortier, Franck"
    ],
    "date": "2018-01-01",
    "platform": "openaire",
    "sourceUrl": "https://explore.openaire.eu/search/publication?pid=50|od______4291::e66ba0330fb4891431a8b4d6681c3af6",
    "pdfUrl": "",
    "doi": "",
    "abstract": "This document is Deliverable D2.2 of Task T2.2, WP2 – Privacy of the PROTECT project. The aim of D2.2 is to explore the current and proposed European legal framework regulating biometric Schengen border control in order to identify legal, privacy and data protection constraints which should be taken into account by PROTECT scenarios described in D3.11.\nIn order to be able to identify the legal constraints under current and proposed EU law for the usage of the multimodal biometric “on the move” solutions developed within the PROTECT project scenarios in D3.1, the first preliminary question which should be raised is: “Which is the exact purpose/extent of the border checks that could be “facilitated” thanks to the PROTECT system?”. Indeed, according to article 5 of the General Data Protection Regulation (GDPR), one of the main principles relating to the processing of personal data is the purpose limitation principle, according to which “personal data shall be collected for specified, explicit and legitimate purposes”.\nIn this Deliverable, it is assumed that the purpose of D3.1 scenarios is to “facilitate” public border control authorities to speed up their public interest missions of border control management by enrolling additional biometrics in travel documents (or smartphone apps acting as travel documents).\nBearing this public interest purpose fact in mind, the purpose of this Deliverable is to thoroughly analyse:\nLegal constraints deriving from legislation regulating EU travel documents (E-Passports, residence permits, visas), Schengen IT systems (in particular, VIS, SIS, EES, SLTD, API and ETIAS) and more generally legislation regulating cross-border movements at the Schengen external borders (the Schengen Borders Code)\nLegal privacy constraints related to the collection, storage and proc",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "en"
  },
  {
    "id": "gdprhub:9609",
    "title": "BVwG - W137 2311069-1",
    "authors": [],
    "date": "2025-11-12",
    "platform": "gdprhub",
    "sourceUrl": "https://gdprhub.eu/index.php?title=BVwG_-_W137_2311069-1",
    "pdfUrl": "",
    "doi": "",
    "abstract": "of the data subject, (…) (3) – (4) (…) Article 17 GDPR – Right to erasure (“right to be forgotten”): Article 17 GDPR – Right to erasure (“right to be forgotten”):",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:4828770",
    "title": "Optimized blockchain deployment and application for trusted industrial internet of things",
    "authors": [
      "Dun Li"
    ],
    "date": "2024-09-24",
    "platform": "hal",
    "sourceUrl": "https://theses.hal.science/tel-04828770v1",
    "pdfUrl": "https://theses.hal.science/tel-04828770/document",
    "doi": "",
    "abstract": "The continued advancement of the Industrial Internet of Things (IIoT) presents promising prospects and numerous opportunities for improving the operational frameworks of industrial systems. However, IIoT architectures face significant challenges, including centralized control, vulnerability to cyber attacks, privacy violations, and data accuracy issues. These challenges create significant obstacles in securing data, which is crucial for the growth of this technology. To address these issues, many researchers suggest integrating blockchain technology as a stable means to safeguard data within IIoT systems. Blockchain's features of distributed storage, decentralization, and immutability offer distinct advantages in data secure storage, identity verification, and access control. Despite these benefits, as IIoT applications diversify and data scales expand, the high resource demand of blockchain systems clashes with the limited resources of IIoT devices, leading to unresolved contradictions and persistent issues within this solution. Existing blockchain architectures still lack anonymous and efficient IIoT identity authentication, with complex encryption and decryption processes inducing excessive system overhead. To address these issues, the thesis builds on prior research to optimize blockchain performance, aiming to resolve the shortcomings and bottlenecks in current blockchain-based IIoT architectures regarding data security protection. Firstly, this thesis introduces a lightweight blockchain-enabled protocol designed for secure data storage in the dynamic IIoT environment. It incorporates bilinear mapping for system initialization, entity registration, and authentication technology to authenticate IIoT entities efficiently and securely, along with an off-chain data storage approach to ensure data integrity with reduced resource consumption. Furthermore, the thesis addresses the limitations of Hyperledger fabric systems in high availability scenarios by proposing Trie-Fabric, which enhances transaction processing through a Directed Acyclic Graph (DAG) based transaction sorting algorithm. This approach significantly reduces terminated transactions, optimizes conflict handling, and increases efficiency by more than 60% in its best case, according to comparative experimental results. To manage the increasingly sophisticated industrial processes and privacy-sensitive data generated by IIoT devices, the thesis proposes a smart contract-assisted access control scheme utilizing the Attribute-Based Access Control (ABAC) model. This scheme, supported by bloom filter components, demonstrates controlled contract execution times, stable system throughput, and a rapid consensus process in real-world simulations, making it highly capable of handling high-throughput and effective consensus even under large-scale request scenarios. Lastly, the thesis introduces the Zero-Knowledge Proof (ZKP) algorithm, which integrates a non-interactive zero-knowledge proof protocol with Ciphertext-Policy Attribute-Based Encryption (CP-ABE) to enhance security and efficiency in IIoT content distribution. Combined with the Distributed Publish-Subscribe IIoT (DPS-IIoT) system using Hyperledger fabric, it significantly improves bandwidth efficiency and overall throughput in IIoT environments. Through comprehensive security performance evaluations and experimental results, this research confirms the protocols' effectiveness in minimizing system overhead, improving storage reliability, and enhancing overall IIoT data management and application security. This thesis provides an in-depth examination of advanced data management protocols and systems for the IIoT, which are crucial for advancing the manufacturing sector. Consequently, this work makes a significant contribution to the field of IIoT data security, offering scalable and robust solutions for current and future industrial systems.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:2973666",
    "title": "Enhancing Transparency and Consent in the Internet of Things",
    "authors": [
      "Victor Morel"
    ],
    "date": "2020-09-24",
    "platform": "hal",
    "sourceUrl": "https://inria.hal.science/tel-02973666v1",
    "pdfUrl": "https://inria.hal.science/tel-02973666/document",
    "doi": "",
    "abstract": "In an increasingly connected world, the Internet permeates every aspect of our lives. The number of devices connected to the global network is rising, with prospects foreseeing 75 billions devices by 2025. The Internet of Things envisioned twenty years ago is now materializing at a fast pace, but this growth is not without consequence. The increasing number of devices raises the possibility of surveillance to a level never seen before. A major step has been taken in 2018 to safeguard privacy, with the introduction of the General Data Protection Regulation (GDPR) in the European Union. It imposes obligations to data controllers on the content of information about personal data collection and processing, and on the means of communication of this information to data subjects. This information is all the more important that it is required for consent, which is one of the legal grounds to process personal data. However, the Internet of Things can pose difficulties to implement lawful information communication and consent management. The tension between the requirements of the GDPR for information and consent and the Internet of Things cannot be easily solved. It is however possible. The goal of this thesis is to provide a solution for information communication and consent management in the Internet of Things from a technological point of view. To do so, we introduce a generic framework for information communication and consent management in the Internet of Things. This framework is composed of a protocol to communicate and negotiate privacy policies, requirements to present information and interact with data subjects, and requirements over the provability of consent. We support the feasibility of this generic framework with different options of implementation. The communication of information and consent through privacy policies can be implemented in two different manners: directly and indirectly. 
We then propose ways to implement the presentation of information and the provability of consent. A design space is also provided for systems designers, as a guide for choosing between the direct and the indirect implementations. Finally, we present fully functioning prototypes devised to demonstrate the feasibility of the framework’s implementations. We illustrate how the indirect implementation of the framework can be developed as a collaborative website named Map of Things. We then sketch the direct implementation combined with the agent presenting information to data subjects under the mobile application CoIoT.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:4943229",
    "title": "Health data : Exploring emerging privacy enhancing mechanisms",
    "authors": [
      "Thomas Lebrun"
    ],
    "date": "2024-12-05",
    "platform": "hal",
    "sourceUrl": "https://theses.hal.science/tel-04943229v2",
    "pdfUrl": "https://theses.hal.science/tel-04943229/document",
    "doi": "",
    "abstract": "Health data represents a large volume of information, generated daily and sensitive by nature. However, sharing this data is essential for advancing research and, ultimately, improving patient care. The use of medical data faces limitations due to its sensitivity and the need to ensure confidentiality, which is governed by current regulations. This necessitates enhanced protection. Interest in alternatives to sharing raw data, such as pseudonymization or anonymization, is increasing alongside the growing need for access to training data for the use of artificial intelligence, which requires large amounts of data to function effectively as a medical assistant. In this thesis, we explore new privacy-preserving mechanism made possible by the rapid advancements in artificial intelligence. More specifically, my analysis focuses on improving alternatives to the centralization of sensitive data: federated learning, a decentralized method of training artificial intelligence models that do not need sensitive data sharing, as well as synthetic data generation, which creates artificial data similar statistical properties to real data. Given the lack of consensus on evaluating the privacy of these new approaches, our work focuses on the systematic measurement of privacy leakage and the balance with the utility of synthetic data or the federated learning model. My contributions include a mechanism to enhance the privacy properties of federated learning, as well as a new method for conditional synthetic data generation. This thesis aims to contribute to the development of more robust frameworks for the secure sharing of health data, in compliance with regulatory requirements, thereby facilitating innovations in healthcare.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:3752063",
    "title": "Semi-supervised learning in insurance : fairness and active learning",
    "authors": [
      "François Hu"
    ],
    "date": "2022-06-15",
    "platform": "hal",
    "sourceUrl": "https://theses.hal.science/tel-03752063v1",
    "pdfUrl": "https://theses.hal.science/tel-03752063/document",
    "doi": "",
    "abstract": "Insurance organisations store voluminous textual data sources on a daily basis (free text fields used by telephonists, emails, customer reviews, ...). However, this mass of textual data involves specific issues in terms of regulations, such as compliance with the privacy constraints imposed in Europe by the recent General Data Protection Regulation (GDPR) : this textual data may contain information that is not compliant with the RGPD standards, thus raising ethical issues and cannot be retained by the insurer. Today, this textual data is tagged by experts (oracles) and this process is not suitable for managing large volumes and near real-time information. Therefore, the implementation of an accurate (in terms of prediction), low-cost (in terms of labelling) and ethical (in terms of fairness) learning system is needed in insurance and this thesis addresses and solves some of these challenges. The first challenge is to reduce the labelling effort (thus focusing on data quality) with the help of active learning, a feedback loop between model inference and an oracle: since in insurance unlabelled data is usually abundant, active learning can become an important asset to reduce the cost of labelling. Another major challenge is the issue of fairness in Machine Learning model inferences. Since inequalities and discriminations can be found in the data, learning models are likely to reproduce some unfairness, making them unusable in production. This thesis explores these problems and proposes solutions, especially for multi-class classification tasks. In particular, we propose an algorithmic fairness method that guarantees either exact fairness at the expense of model accuracy, or a compromise between fairness and accuracy called epsilon-fairness. In addition, we propose a fair active learning method that requests informative instances while making the model fair. 
The proposed methodologies have the advantage of being agnostic with respect to the statistical learning model. These results are studied and applied on real and synthetic datasets.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:3234126",
    "title": "Publishing set-valued dataset : strengthening the Disassociation approach to improve both privacy preservation and utility",
    "authors": [
      "Nancy Awad"
    ],
    "date": "2020-09-17",
    "platform": "hal",
    "sourceUrl": "https://theses.hal.science/tel-03234126v1",
    "pdfUrl": "https://theses.hal.science/tel-03234126/document",
    "doi": "",
    "abstract": "This thesis addresses the problematic of anonymization for set-valued datasets, also known as transactional data. The work is based on an anonymization technique specific for set-valued data defined by Terrovitis as “Disassociation”. This technique works under the assumption that data values should not be altered, contrary to differential privacy, or suppressed, unlike k-anonymity. The duality character of disassociation is investigated. First, the position of disassociation facing data utility and knowledge extraction is evaluated and improved. Second, the truthfulness of disassociation towards protection of individuals’ private life under its own privacy model, is studied and adjusted. On a first observation on disassociation, the utility of the information in a disassociated dataset is investigated. By reason of probabilistic analysis, it is proven that various associations in a disassociated dataset suffer from information loss. Therefore, to increase the utility value of a predefined set of associations, specified as “utility rules” by the user, the clustering process of disassociation is optimized, using ant-based clustering for the utility rules in question. Disassociation suffers from a privacy breach for homogeneity attacks, defined as the “cover problem” in 2016. To address this problem, a solution is proposed by using partial suppression and noise addition. The correctness of the solution is investigated and proven, where every cover problem is resolved and no new cover problem is generated by the proposed solution. Finally, as disassociation isn’t a common data form, it is hard for machine Learning algorithms and data analyst to extract information and exploit the data in its current form. Re-expressing the data of the anonymized set-value datasets by disassociation in its original form, is a theoretical solution that can bring back data analysis techniques closer to anonymized data. 
A probabilistic re-association algorithm is thus proposed, sensitive to the probabilistic distribution of the associations in a cluster. This solution relies on an elaborated definition of neighbor datasets to prove its sensitivity and respect to the privacy constraints. The fidelity of the solution to data utility preservation is evaluated using the most exploited data analysis techniques over set-value data: mining frequent itemsets and association rules. In conclusion, this work digs deep in the field of anonymization for set-valued datasets. Starting from a defined anonymization technique known as disassociation, a privacy breach, the “cover problem”, is addressed for a solution and data utility is investigated within the disassociated dataset and for future uses. Results are impressive in terms of data utility and privacy preservation.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:4299405",
    "title": "Toward training NLP models to take into account privacy leakages",
    "authors": [
      "Gaspard Berthelier",
      "Antoine Boutet",
      "Antoine Richard"
    ],
    "date": "2023-12-15",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-04299405v1",
    "pdfUrl": "https://hal.science/hal-04299405/document",
    "doi": "",
    "abstract": "With the rise of machine learning and data-driven models especially in the field of Natural Language Processing (NLP), a strong demand for sharing data between organisations has emerged. However datasets are usually composed of personal data and thus subject to numerous regulations which require anonymization before disseminating the data. In the medical domain for instance, patient records are extremely sensitive and private, but the de-identification of medical documents is a complex task. Recent advances in NLP models have shown encouraging results in this field, but the question of whether deploying such models is safe remains. In this paper, we evaluate three privacy risks on NLP models trained on sensitive data. Specifically, we evaluate counterfactual memorization, which corresponds to rare and sensitive information which has too much influence on the model. We also evaluate membership inference as well as the ability to extract verbatim training data from the model. With this evaluation, we can cure data at risk from the training data and calibrate hyper parameters to provide a supplementary utility and privacy tradeoff to the usual mitigation strategies such as using differential privacy. We exhaustively illustrate the privacy leakage of NLP models through a use-case using medical texts and discuss the impact of both the proposed methodology and mitigation schemes.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:563316",
    "title": "Secure Data Aggregation in Wireless Sensor Networks. Homomorphism versus Watermarking Approach",
    "authors": [
      "Jacques Bahi",
      "Christophe Guyeux",
      "Abdallah Makhoul"
    ],
    "date": "2010",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-00563316v1",
    "pdfUrl": "https://hal.science/hal-00563316/document",
    "doi": "",
    "abstract": "Wireless sensor networks are now in widespread use to monitor regions, detect events and acquire information. Since the deployed nodes are separated, they need to cooperatively communicate sensed data to the base station. Hence, transmissions are a very energy consuming operation. To reduce the amount of sending data, an aggregation approach can be applied along the path from sensors to the sink. However, usually the carried information contains confidential data. Therefore, an end-to-end secure aggregation approach is required to ensure a healthy data reception. End-to-end encryption schemes that support operations over cypher-text have been proved important for private party sensor network implementations. These schemes offer two main advantages: end-to-end concealment of data and ability to operate on cipher text, then no more decryption is required for aggregation. Unfortunately, nowadays these methods are very complex and not suitable for sensor nodes having limited resources. In this paper, we propose a secure end-to-end encrypted-data aggregation scheme. It is based on elliptic curve cryptography that exploits a smaller key size. Additionally, it allows the use of higher number of operations on cypher-texts and prevents the distinction between two identical texts from their cryptograms. These properties permit to our approach to achieve higher security levels than existing cryptosystems in sensor networks. Our experiments show that our proposed secure aggregation method significantly reduces computation and communication overhead and can be practically implemented in on-the-shelf sensor platforms. By using homomorphic encryption on elliptic curves, we thus have realized an efficient and secure data aggregation in sensor networks. Lastly, to enlarge the aggregation functions that can be used in a secure wireless sensor network, a watermarking-based authentication scheme is finally proposed.",
    "topics": [
      "privacy_engineering"
    ],
    "painPointTracks": [
      "Solutions Market"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:4887946",
    "title": "Cyber Disputes Are Not Just About Hacking and CyberAttacks: European Litigation on Surveillance Issues and International Negotiations on Government Access to Data",
    "authors": [
      "Karine Bannelier-Christakis",
      "Theodore Christakis"
    ],
    "date": "2021-03-04",
    "platform": "hal",
    "sourceUrl": "https://hal.science/hal-04887946v1",
    "pdfUrl": "",
    "doi": "",
    "abstract": "International lawyers focus on cyber attacks and cyber espionage, issues that have led to little, if any, international litigation till now. However, the issue of “legal” access to data by foreign governments is equally important and has been marked by major decisions of European Courts. It has led to extremely important international negotiations in order to find solutions to the fundamental underlying problems. This paper will discuss how some recent decisions, starting with the July 2020 Schrems II Judgment of the CJEU, severely affect international and transnational relations and transactions. It will focus on ongoing bilateral negotiations, such as the ones aiming for a successor to the EU/US Privacy Shield arrangement or for a UK adequacy decision after Brexit, as well as multilateral processes such as the “Data Free Flow with Trust” initiative by Japan or the negotiation of a new Protocol to the Budapest Cybercrime Convention. It will finally enquire whether democracies could be able, through international cooperation, to respond to the challenge of setting satisfactory global standards for intelligence and law enforcement agencies access to data and to find solid and long lasting solutions for international data transfers.",
    "topics": [
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Sector Regulations"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W2995838753",
    "title": "Special problems in information security: from privacy to emerging technologies for hyperconnected systems",
    "authors": [
      "Francisco García Martínez"
    ],
    "date": "2019",
    "platform": "OpenAlex",
    "sourceUrl": "http://oa.upm.es/57396/",
    "pdfUrl": "",
    "doi": "",
    "abstract": "Desde las últimas elecciones en Estados Unidos, Francia y otros países, las “fake news” se han convertido en una herramienta para manipular a los votantes. Esta creación de “fake news” crea un problema que se extiende por toda una sociedad creando división. Sin embargo, los medios de comunicación no han escudriñado lo suficiente en el uso indebido de los datos. A diario, parece que hay brechas de seguridad que causan que millones de usuarios vean su información personal recogida, expuesta y vendida en la “Dark Web” a cambio de criptomonedas. Recientemente, han aparecido noticias en las redes sociales anunciando casos de correos electrónicos leídos sin el consentimiento del usuario. Estas cuestiones suscitan preocupación por el uso indebido de los datos personales y, lo que es más importante, por la forma en que pueden utilizarse para la guerra de la información y la explotación de grupos específicos mediante el uso de Internet. Es esencial que las organizaciones revisen continuamente las políticas de datos actuales para asegurarse de que no se conviertan en víctimas de la guerra de la información. Sin embargo, no solo es responsabilidad de las organizaciones preservar los derechos y libertades de sus empleados y clientes, sino también de los gobiernos y las naciones. Por eso, actualmente se están elaborando normativas en materia de protección de datos. En Europa, la creación del Reglamento General de Protección de Datos (RGPD) ha constituido un enorme avance en la privacidad de datos, otorgando mayor poder a los consumidores online, que estaban condenados a la pérdida total del control de su información personal. Aunque a primera vista pueda parecer que solo afecta a las empresas de la Unión Europea, el Reglamento establece claramente que toda empresa que tenga negocios en la UE debe cumplir con el GDPR. Otros países no pertenecientes a la UE, como los Estados Unidos, han visto los beneficios del RGPD y ya están desarrollando sus propias leyes de privacidad. Inicialmente, estas regulaciones eran exclusivamente a nivel estatal, pero últimamente se están proponiendo iniciativas nacionales. Presentaremos algunos ejemplos representativos y los compararemos con el GDPR. Además, nada de esto tendría sentido sin el desarrollo de tecnologías y aplicaciones seguras que preserven la privacidad y la confidencialidad. Numerosos estándares y códigos de buenas prácticas recomiendan la implementación de prácticas de seguridad desde las primeras etapas del proceso de desarrollo de aplicaciones. Comúnmente conocidas como seguridad por defecto, estas prácticas consisten en programar teniendo en cuenta la seguridad para empezar a abordar las amenazas y vulnerabilidades antes de que la integración de las medidas de seguridad resulte demasiado tediosa. Una manera efectiva de averiguar si la aplicación es segura es mediante técnicas de análisis del código fuente. Estos análisis reportan debilidades o malas prácticas en el código una vez que se evalúan frente un conjunto predefinido de reglas. De esa forma, los programadores son capaces de detectar y corregir estos problemas, evitando la explotación de dichas vulnerabilidades en el futuro y garantizando la protección de los datos personales de los usuarios. En este proyecto, se ha realizado un análisis estático del código fuente para evaluar la aplicación de escritorio de un Sistema Nacional de Denuncias para la Policía Nacional de un país latinoamericano. Finalmente, para educar a los usuarios en estos temas, proponemos un marco que permita el desarrollo de un laboratorio virtual que incorpore tecnologías emergentes, como la Internet Industrial de los Objetos y los sistemas hiperconectados, incorporando componentes de código abierto. Este laboratorio virtual proporcionaría un entorno de aprendizaje en el que los conceptos de ciberseguridad y seguridad de la información podrían enseñarse en un entorno exploratorio.---ABSTRACT---Since the last elections in the United States, France, and other nations, fake news has become a tool to manipulate voters. This creation of fake news creates a problem that ripples through an entire society creating division. However, the media has not scrutinized enough on data misuse. Daily it appears that there are breaches causing millions of users to have their personal information taken, exposed, and sold on the Dark Web in exchange of encrypted currencies. Recently, news has surfaced of major social media sites allowing emails to be read without user consent. These issues bring upon concern for the misuse of data and more importantly, how can this be used for information warfare and the exploitation of targeted groups through the use of the Internet. It is essential that organizations continuously review current data policies to ensure that they do not become victims of information warfare. Nevertheless, it is not only the organizations’ responsibility to preserve the rights and freedoms of their employees and customers, but also governments and nations should have a word in this matter. That is why data protection regulations are being developed. In Europe, the creation of the General Data Protection Regulation (GDPR) constituted an enormous advance in data privacy, empowering the online consumers, who were doomed to the complete loss of control of their personal information. Although it may first seem that it only affects companies within the European Union, the regulation clearly states that every company who has businesses in the EU must be compliant with the GDPR. Other non-EU countries, like the United States, have seen the benefits of the GDPR and are already developing their own privacy laws. Initially, these regulations were exclusively at the state level, but national initiatives are lately being proposed. We will present some representative examples and compare them to the GDPR. Furthermore, none of this would make sense without the development of secure technologies and applications that preserve privacy and confidentiality. Numerous standards and codes of best practice recommend the implementation of security practices since the early stages of the application development process. Commonly known as ‘security-as-default’, these practices consist in coding while keeping security in mind to start addressing threats and vulnerabilities before integrating security measures becomes too laborious. An effective way to find out whether the application is secure is by performing source code analysis. These analysis report weaknesses or poor practices in the code once run against predefined set of rules. Consequently, developers are able to detect and correct these issues, preventing the application from future exploits and ensuring individuals’ data is protected. A static source code analysis was performed to assess the desktop application of a National Crime Reporting System for a Latin American country’s National Police. Finally, to educate users in these issues, we are proposing a framework that allows for the development of a virtual lab that incorporates emerging technologies, such as the Industrial Internet of Things and hyperconnected systems while incorporating open source components. This virtual lab would provide a learning environment where cybersecurity and information security concepts can be taught in an exploratory environment.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "en"
  },
  {
    "id": "hal:2053043",
    "title": "Publication de données individuelles respectueuse de la vie privée : une démarche fondée sur le co-clustering",
    "authors": [
      "Tarek Benkhelif"
    ],
    "date": "2018-11-27",
    "platform": "hal",
    "sourceUrl": "https://theses.hal.science/tel-02053043v1",
    "pdfUrl": "https://theses.hal.science/tel-02053043/document",
    "doi": "",
    "abstract": "There is a strong economic and civic demand for the opening of individual data. However, the publication of such data poses a risk to the individuals represented in it. This thesis focuses on the problem of anonymizing multidimensional data tables containing individual data for publishing purposes. In particular, two data anonymization approaches families will be focused on: the first aims to merge each individual into a group of individuals, the second is based on the addition of disruptive noise to the original data. Two new approaches are developed in the context of group anonymization. They aggregate the data using a co-clustering technique and then use the produced model, to generate synthetic records, in the case of the first solution. While the second proposal seeks to achieve the formalism of k-anonymity. Finally, we present a new anonymization algorithm “DPCocGen” that ensures differential privacy. First, a data-independent partitioning on the domains is used to generate a perturbed multidimensional histogram, a multidimensional co-clustering is then performed on the noisy histogram resulting in a partitioning scheme. Finally, the resulting schema is used to partition the original data in a differentially private way. Synthetic individuals can then be drawn from the partitions.",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "fr"
  },
  {
    "id": "hal:4195071",
    "title": "Anonymisation dans le contexte des graphes de connaissances",
    "authors": [
      "Maxime Thouvenot"
    ],
    "date": "2022-12-06",
    "platform": "hal",
    "sourceUrl": "https://theses.hal.science/tel-04195071v1",
    "pdfUrl": "https://theses.hal.science/tel-04195071/document",
    "doi": "",
    "abstract": "L'avènement d'Internet tel qu'il est apparu dans les années 1990 a permis la mise en place d'échanges de données dans des proportions comme jamais vu auparavant. Cette évolution en termes de volume, de vitesse et de diversité au niveau des échanges a atteint son paroxysme avec l'émergence du phénomène Big Data il y a un peu plus d'une quinzaine d'années. L'information est aujourd'hui une ressource extrêmement précieuse, stockée principalement à l'intérieur de data-centers afin d'être analysée dans le but de générer encore plus de nouvelles connaissances. Parallèlement au Big Data, la dernière décennie a également vu naître le mouvement Open Data plaidant pour davantage de transparence et de partage des données de la part des acteurs publics et privés. Cela s'est traduit par la publication d'un plus large nombre de jeux de données ainsi que la mise en ligne de plusieurs plateformes permettant de rendre plus accessibles des ressources pouvant relever de l'intérêt général e.g. data.gouv. Néanmoins, un problème de taille est qu'une partie non négligeable de ces données peuvent concerner des individus et correspondre à ce que l'on appelle des informations \"sensibles\" telles que le salaire, l'orientation sexuelle, la religion, etc. Face à ce défi, l'anonymisation s'est vite imposée comme un processus de calcul essentiel. D'abord un sujet abordé par la communauté des statistiques mathématiques dans les années 80/90, les informaticiens s'en sont emparés au tournant des années 2000, leur travail aboutissant à la création de nombreux principes de confidentialité e.g. k-anonymity, l-diversity, differential privacy, etc. Pour chaque méthode se pose la difficulté de trouver un compromis entre la confidentialité des données et leur utilité. 
D'un côté, le jeu de données doit être transformé de manière à empêcher l'établissement de tout lien entre une information sensible et un individu mais de l'autre, cela ne doit pas se faire au détriment de la capacité à analyser le jeu. Des approches ont déjà été proposées cependant la majorité d'entre elles tentent de traiter le problème dans le contexte de bases de données suivant le modèle de données relationnel. Les modèles basés sur les graphes ont en comparaison fait l'objet de beaucoup moins de travaux, en particulier ceux concernant le modèle de données RDF. Dans le cadre de cette thèse, nos recherches ont principalement porté sur l'anonymisation de graphe des connaissances (knowledge graphs) notamment par l'adaptation de techniques développées à l'origine pour le modèle relationnel.Dans un premier temps, nous avons repris une technique nommée anatomie, dont le principe consiste à supprimer le lien direct entre une entité et son attribut sensible, et l'avons étendu en y intégrant des aspects sémantiques. Ce travail a par la suite été approfondi avec l'intégration d'un autre principe de confidentialité, à savoir k-anonymity. Nous défendons le bien-fondé d'utiliser les 2 approches simultanément en expliquant de quelle manière cela peut permettre de prévenir un certain nombre d'attaques. Nous proposons également 2 algorithmes pour appliquer k-anonymity sur un graphe RDF. Pour finir, nous présentons un système placé au-dessus d'un RDF-store afin d'anonymiser des graphes de connaissance. Conformément aux principes du \"privacy-by-design\", nous prenons le parti que l'anonymisation est une tâche délicate qui ne devrait pas relever de la responsabilité des ingénieurs mais être intégrée directement au sein d'un SGBD. 
En nous reposant sur une stratégie de partitionnement couplé à un mécanisme de contrôle d'accès, nous établissons une distinction entre d'un côté des données sensibles non-anonymisées, accessibles uniquement à des utilisateurs privilégiés, et de l'autre, leur équivalent anonymisé, publié publiquement. L'anonymisation est déléguée à un autre composant capable de suivre les différentes modifications appliquées aux données au fur et à mesure afin de les anonymiser en conséquence",
    "topics": [
      "data_anonymization"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "fr"
  },
  {
    "id": "hal:2068974",
    "title": "Big data en sciences sociales et protection des données personnelles",
    "authors": [
      "Émilie Debaets"
    ],
    "date": "2018-10",
    "platform": "hal",
    "sourceUrl": "https://amu.hal.science/hal-02068974v1",
    "pdfUrl": "https://amu.hal.science/hal-02068974/document",
    "doi": "",
    "abstract": "Big data brings new possibilities for research conducted in the social sciences. Aggregating vast quantities of data, and in particular personal data, facilitates the emergence of new knowledge. In consequence, it raises many specific questions on how to reconcile the right to protection of personal data with freely conducted scientific research. Can one be prioritized over another? If data protection laws, and especially the new European regulation known as General Data Protection Regulation (GDPR), are applicable to research conducted in the social sciences based on Big data, those laws do not necessarily constitute an excessive constraint for researchers. The rights of data subjects (such as the right to information, the right of access, the right to rectification and the right to erasure) and the obligations and responsibilities for researchers are rendered more flexible to facilitate their research. The difficulty mainly resides in continuing researchers’ acculturation to data protection right",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "fr"
  },
  {
    "id": "https://openalex.org/W7113639246",
    "title": "Gegevensbescherming door ontwerp: ontleding, toepassing van en ondersteuning voor Artikel 25(1) AVG",
    "authors": [
      "Dewitte, Pierre"
    ],
    "date": "2025",
    "platform": "OpenAlex",
    "sourceUrl": "https://lirias.kuleuven.be/handle/20.500.12942/762223",
    "pdfUrl": "https://lirias.kuleuven.be/handle/20.500.12942/762223",
    "doi": "",
    "abstract": "Article 24(1) of the General Data Protection Regulation (GDPR) compels controllers to 'implement appropriate technical and organisational measures to ensure and demonstrate compliance with the Regulation', while Article 25(1) requires them to do so 'both at the time of the determination of the means for processing and at the time of the processing itself'. The switch to such a 'risk-based' approach follows from the legislator's ambition to ensure the flexibility and future-proofness of the data protection law reform. Yet, if the motivations behind that paradigm shift are clear, translating it in practice remains challenging for controllers. For three reasons, mostly. First, the material scope of data protection by design, and therefore the extent of controllers' compliance exercise, is unclear. This leads to uncertainties as to the type of risks controllers ought to identify and mitigate. Second, lawyers and software engineers, while both conducting a form of risk identification and mitigation process, work in relative isolation, operate on the basis of discipline-specific assumptions and rely on different representations of the same system. That disconnect results in the implementation of inconsequential or inconsistent countermeasures. Third, the GDPR purposefully leaves controllers a wide margin of appreciation when it comes to transposing its principles and rules into the planning, design, implementation and deployment of concrete software systems. That flexibility shifts the burden of compliance onto controllers, and comes at the cost of upfront legal certainty. Against this background, this thesis pursues three objectives. First, it sheds light on the material scope of data protection by design (Part I). To do so, Chapter 2 first unravels the history of data protection by design by delving into its technical roots and outlining comparable initiatives that have preceded the entry into force of the GDPR. 
Chapter 3 then outlines the constitutive elements, role and addressees of that obligation, and delves into the argumentation that brought us before the Court of Justice of the European Union (CJEU) in case C-604/22. Lastly, Chapter 4 draws from the findings of a case law review spanning 177 decisions issued by 26 National Supervisory Authorities (NSAs) in 24 countries to break down the components of data protection by design. Second, it puts the 'raison d'être' of data protection by design to the test by leveraging Articles 24(1) and 25(1) GDPR to try and address the risks raised by companion chatbots (Part II). More specifically, Chapter 5 outlines the pivotal role played by data protection by design in the reasoning that served as the basis for a formal complaint lodged against Chai Research Corp. before the Autorité de Protection des Données (APD). Third, it proposes, implements, validates and evaluates the Data Protection Modeling Framework (DPMF), a concrete solution to support controllers in complying with their obligations pursuant to Articles 24(1) and 25(1) GDPR (Part III). The framework presented in Chapter 6 is the product of an interdisciplinary collaboration between the KU Leuven Centre for IT & IP Law (CITIP) and the DistriNet Research Unit. Building on the above, this thesis highlights two key takeaways. First, the vagueness of data protection by design is a feature rather than a bug. Providing clear guidance on how to substantiate Articles 24(1) and 25(1) GDPR within the text of the Regulation itself would have defeated its very purpose, that is, compelling controllers to continuously monitor the risks raised by their processing activities and adapt their mitigation strategies accordingly. While this comes at the cost of upfront legal certainty, it is a necessary trade-off to guarantee the relevance of the Regulation in the long run. 
The true value of data protection by design, I argue, lies in the enforcement ecosystem built around it, which is comprised of NSAs acting in their enforcement and advisory capacity under the umbrella of the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS). Second, the broad interpretation of Articles 24(1) and 25(1) GDPR defended in this thesis requires controllers to look beyond their own activities and consider the risks that downstream or upstream usage of their respective contribution to the processing might pose for data subjects, and natural persons more generally. In that sense, data protection by design sparks an essential reflection as to the broader ecosystem in which each individual actor operates. By forcing each actor to consider the impact of its contribution to the overall chain, I conclude, Articles 24(1) and 25(1) GDPR foster a deeper conversation as to the desirability of software products and services that depend on interorganisational data sharing.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "Lirias (KU Leuven)",
    "language": "en"
  },
  {
    "id": "https://openalex.org/W3129379735",
    "title": "Avaliações de impacto sobre a proteção de dados na União Europeia: complementando o novo regime jurídico em direção a uma proteção mais robusta dos indivíduos",
    "authors": [
      "Dariusz Kloza",
      "Niels van Dijk",
      "Raphaël Gellert",
      "Istvan Mate Borocz",
      "Alessia Tanas",
      "Eugenio Mantovani",
      "Paul Quinn",
      "Mariana Rielli"
    ],
    "date": "2020",
    "platform": "OpenAlex",
    "sourceUrl": "https://biblio.ugent.be/publication/8738549",
    "pdfUrl": "https://biblio.ugent.be/publication/8738549",
    "doi": "",
    "abstract": "Este documento fornece recomendações para a União Europeia (UE) que facilitam o cumprimento da exigência legal de elaboração de relatórios de Avaliação de Impacto sobre a Proteção de Dados (AIPD), conforme definido pelo Regulamento Geral de Proteção de Dados (RGPD), com o objetivo de atingir uma proteção de dados pessoais mais robusta. Em abril de 2016, a UE concluiu a parte central da reforma do seu regime jurídico de proteção de dados pessoais. A UE está, atualmente, preparando medidas e diretrizes de implementação e manuais para dar pleno efeito às novas disposições jurídicas antes da sua entrada em vigor em maio de 2018. Tal reforma introduziu, dentre outras ‘novidades’, uma obrigação legal de elaboração de um AIPD. Entretanto, tal exigência padece de alguns pontos fracos. De forma a remediar essas limitações e para alimentar esse processo contínuo de elaboração de políticas, este documento de política (‘policy brief’) busca esboçar boas práticas para um tipo genérico de avaliação de impacto, i.e., recomendado para diferentes áreas (seção II). A seção III faz uma avaliação preliminar sobre como essas boas práticas se relacionam com os requerimentos específicos determinados pelo RGPD para relatórios de avaliação de impacto, i.e., Data Protection Impact Assessment (DPIA). Essas seções são precedidas por informações contextuais sucintas sobre avaliações de impacto como por exemplo: definição, panorama histórico, suas vantagens e desvantagens (seção I). A Seção IV conclui com recomendações para o cumprimento da exigência de AIPDs pelo RGPD de forma a: (1) expandir o âmbito de aplicação dessa obrigação legal; (2) desenvolver métodos para a realização dessas avaliações de impacto; (3) estabelecer ‘centros de referência’ em AIPD nas autoridades nacionais de controle dos tratamentos de dados pessoais. 
Este documento de política é endereçado principalmente a formuladores de políticas públicas na União Europeia e em seus Estados-membros, sem prejuízo do potencial interesse que possa despertar nos seus pares ao redor do mundo.",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "Ghent University Academic Bibliography (Ghent University)",
    "language": "pt"
  },
  {
    "id": "https://openalex.org/W3207311351",
    "title": "Fundamental Issues in Researching the Relationship between the Law of the European Union and the International Arbitration (Elemente esențiale în cercetarea relației dintre dreptul Uniunii Europene și arbitrajul internațional)",
    "authors": [
      "Daniel Mihail Şandru"
    ],
    "date": "2021",
    "platform": "OpenAlex",
    "sourceUrl": "",
    "pdfUrl": "",
    "doi": "",
    "abstract": "English Abstract:The relationship between the European Union law and arbitration is assessed from several perspectives: from the point of view of a researcher in European Union law and from the experience in the field of arbitration. This discussion is not only academic one, but has important consequences for the application of law, especially the application of European Union law by arbitral tribunals. It is also a paradox: on the one hand, in some cases it may be conceded that a preliminary reference would favour the correct and uniform application of European Union law, but, on the other hand, when this procedure is misused it could bring about great harm to arbitration. Another argument for the importance of studying this relationship is the application of a famous European Union regulation, namely the General Data Protection Regulation (“GDPR”), in arbitration proceedings and in arbitration institutions. Last but not least, the cold attitude of the Court of Justice of the European Union (hereinafter “the Court of Justice”) in the field of consumer protection arbitration cannot be ignored. Competition and public procurement are areas that could change in the coming years, if not in the field of legislation, at least from the perspective of the Court of Justice, which is an important player in defining this relationship. Without discussing in military terms, the higher legal force of European Union law has to be acknowledged, perhaps also because it is a public law applicable to chiefly private law, meaning that of international arbitration, but also because it is a law with its own system of rules, organized by solid institutions. Unlike the European Union, trade arbitration does not have a pre-established centre, much less a coordination or leadership that underpins or imposes a point of view. 
And perhaps the role of arbitration is not to get involved in public policies of the judiciary, states or international organizations, although there is at least one example of the recognition and enforcement of arbitral awards in which greater attention of the European Union would promote the free movement of such judgments.\r\n\r\nRomanian Abstract:Relația dintre dreptului Uniunii Europene și arbitraj este privita mai multe perspective: a unui cercetator in dreptul Uniunii Europene și a experienței in domeniul arbitrajului. Aceasta discuție nu este academica, de fațada, ci are consecințe importante in privința aplicarii dreptului, in special a aplicarii dreptului Uniunii Europene de catre instanțele arbitrale. Ea releva și un paradox: pe de o parte, in unele situații se poate concede ca o trimitere preliminara ar favoriza aplicarea corecta și uniforma a dreptului Uniunii Europene, dar, pe de alta parte, aceasta procedura, utilizata incorect ar aduce mari deservicii arbitrajului. Un alt argument al importanței studierii acestei relații este dat de aplicarea unui regulament celebru al Uniunii Europene, Regulamentul general privind protecția datelor („RGPD”), in procedura arbitrala și in cadrul instituțiilor arbitrale. Nu in ultimul rând, nu putem sa trecem cu vedere atitudinea rece a Curții de Justiție a Uniunii Europene (in continuare „Curtea de Justiție”) fața de arbitraj in materia protecției consumatorului. Concurența și achizițiile publice sunt domenii care ar putea suferi modificari in anii urmatori, daca nu legislativ, cel puțin din perspectiva Curții de Justiție care este un actor important in definirea acestei relații. Fara a discuta in termeni militari, trebuie sa recunoaștem forța juridica superioara a dreptului Uniunii Europene, poate și pentru ca este drept public aplicabil in dreptul eminamente privat, al arbitrajului internațional, dar și pentru ca este un drept, un sistem de reguli propriu, organizat de instituții puternice. 
Spre deosebire de Uniunea Europeana, arbitrajul comercial nu are un centru predefinit și cu atât mai puțin o coordonare sau o conducere care sa susțina ori sa impuna un punct de vedere. Și poate ca rolul arbitrajului nu este de a se implica in politici publice, ale justiției, statelor sau organizațiilor internaționale, deși exista cel puțin exemplul recunoașterii și executarii hotarârilor arbitrale in care o atenție mai mare a Uniunii Europene ar favoriza libera circulație a acestor hotarâri.\r\n\r\nCuvinte-cheie: dreptul Uniunii Europene, arbitraj comercial internațional, arbitraj investițional, procedura trimiterii preliminare, protecția datelor, achiziții publice, dreptul UE al concurenței, dreptul UE al ajutoarelor de stat, dreptul internațional privat in UE, protecția consumatorilor in UE, interpretarea și aplicarea dreptului UE, mediere, dreptul la o cale de atac eficienta și la un proces echitabil, autonomia dreptului UE, drepturile omului, „Brexit”, cooperare judiciara in materie civila",
    "topics": [
      "gdpr_compliance"
    ],
    "painPointTracks": [
      "Enforcement"
    ],
    "relevanceScore": 0.537,
    "venue": "",
    "language": "ro"
  },
  {
    "id": "eurlex:32021D0915",
    "title": "Commission Implementing Decision (EU) 2021/915 of 4 June 2021 on standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (Text with EEA relevance)",
    "authors": [],
    "date": "2021-06-04",
    "platform": "eurlex",
    "sourceUrl": "https://eur-lex.europa.eu/legal-content/AUTO/?uri=CELEX:32021D0915",
    "pdfUrl": "",
    "doi": "",
    "abstract": "",
    "topics": [
      "jurisdiction_regulatory"
    ],
    "painPointTracks": [
      "Sector Regulations"
    ],
    "relevanceScore": 0.508,
    "venue": "",
    "language": "en"
  },
  {
    "id": "doaj:05063cd79bde4b24837ed3fc0f2b6a5a",
    "title": "Hybrid natural language processing tool for semantic annotation of medical texts in Spanish",
    "authors": [
      "Leonardo Campillos-Llanos",
      "Ana Valverde-Mateos",
      "Adrián Capllonch-Carrión"
    ],
    "date": "2025",
    "platform": "doaj",
    "sourceUrl": "https://doi.org/10.1186/s12859-024-05949-6",
    "pdfUrl": "",
    "doi": "10.1186/s12859-024-05949-6",
    "abstract": "Abstract Background Natural language processing (NLP) enables the extraction of information embedded within unstructured texts, such as clinical case reports and trial eligibility criteria. By identifying relevant medical concepts, NLP facilitates the generation of structured and actionable data, supporting complex tasks like cohort identification and the analysis of clinical records. To accomplish those tasks, we introduce a deep learning-based and lexicon-based named entity recognition (NER) tool for texts in Spanish. It performs medical NER and normalization, medication information extraction and detection of temporal entities, negation and speculation, and temporality or experiencer attributes (Age, Contraindicated, Negated, Speculated, Hypothetical, Future, Family_member, Patient and Other). We built the tool with a dedicated lexicon and rules adapted from NegEx and HeidelTime. Using these resources, we annotated a corpus of 1200 texts, with high inter-annotator agreement (average F1 = 0.841% ± 0.045 for entities, and average F1 = 0.881% ± 0.032 for attributes). We used this corpus to train Transformer-based models (RoBERTa-based models, mBERT and mDeBERTa). We integrated them with the dictionary-based system in a hybrid tool, and distribute the models via the Hugging Face hub. For an internal validation, we used a held-out test set and conducted an error analysis. For an external validation, eight medical professionals evaluated the system by revising the annotation of 200 new texts not used in development. Results In the internal validation, the models yielded F1 values up to 0.915. In the external validation with 100 clinical trials, the tool achieved an average F1 score of 0.858 (± 0.032); and in 100 anonymized clinical cases, it achieved an average F1 score of 0.910 (± 0.019). Conclusions The tool is available at https://claramed.csic.es/medspaner . 
We also release the code ( https://github.com/lcampillos/medspaner ) and the annotated corpus to train the models.",
    "topics": [
      "pii_entity_types",
      "sector_healthcare",
      "nlp_ner_tools"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Health & Genomic PII"
    ],
    "relevanceScore": 0.504,
    "venue": "BMC Bioinformatics",
    "language": "en"
  },
  {
    "id": "openaire:10.1007/978-3-031-70890-9_23",
    "title": "RedactBuster: Entity Type Recognition from Redacted Documents",
    "authors": [
      "Beltrame M.",
      "Conti M.",
      "Guglielmin P.",
      "Marchiori F.",
      "Orazi G."
    ],
    "date": "2024-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1007/978-3-031-70890-9_23",
    "pdfUrl": "",
    "doi": "10.1007/978-3-031-70890-9_23",
    "abstract": "The widespread exchange of digital documents in various domains has resulted in abundant private information being shared. This proliferation necessitates redaction techniques to protect sensitive content and user privacy. While numerous redaction methods exist, their effectiveness varies, with some proving more robust than others. As such, the literature proposes several deanonymization techniques, raising awareness of potential privacy threats. However, while none of these methods are successful against the most effective redaction techniques, these attacks only focus on the anonymized tokens and ignore the sentence context. In this paper, we propose RedactBuster, the first deanonymization model using sentence context to perform Named Entity Recognition on redacted text. Our methodology leverages fine-tuned state-of-the-art Transformers and Deep Learning models to determine the anonymized entity types in a document. We test RedactBuster against the most effective redaction technique and evaluate it using the publicly available Text Anonymization Benchmark (TAB). Our results show accuracy values up to 0.985 regardless of the document nature or entity type. In raising awareness of this privacy issue, we propose a countermeasure we call character evasion that helps strengthen the secrecy of sensitive information. Furthermore, we make our model and testbed open-source to aid researchers and practitioners in evaluating the resilience of novel redaction techniques and enhancing document privacy.",
    "topics": [
      "pii_entity_types",
      "data_anonymization",
      "nlp_ner_tools"
    ],
    "painPointTracks": [
      "AI Anonymization"
    ],
    "relevanceScore": 0.504,
    "venue": "European Symposium on Research in Computer Security",
    "language": "en"
  },
  {
    "id": "crossref:10.56553/popets-2025-0125",
    "title": "Measuring the Accuracy and Effectiveness of PII Removal Services",
    "authors": [
      "Jiahui He",
      "Peter Snyder",
      "Hamed Haddadi",
      "Fabián E. Bustamante",
      "Gareth Tyson"
    ],
    "date": "2025-10",
    "platform": "crossref",
    "sourceUrl": "https://doi.org/10.56553/popets-2025-0125",
    "pdfUrl": "",
    "doi": "10.56553/popets-2025-0125",
    "abstract": "This paper presents the first large-scale empirical study of commercial personally identifiable information (PII) removal systems --- commercial services that claim to improve privacy by automating the removal of PII from data brokers' databases. Popular examples of such services include DeleteMe, Mozilla Monitor, Incogni, among many others. The claims these services make may be very appealing to privacy-conscious Web users, but how effective these services actually are at improving privacy has not been investigated. This work aims to improve our understanding of commercial PII removal services in multiple ways. First, we conduct a user study where participants purchase subscriptions from four popular PII removal services, and report (i) what PII the service finds, (ii) from which data brokers, (iii) whether the service is able to have the information removed, and (iv) whether the identified information actually is PII describing the participant. And second, by comparing the claims and promises the services make (e.g. which and how many data brokers each service claims to cover). We find that these services have significant accuracy and coverage issues that limit the usefulness of these services as a privacy-enhancing technology. For example, we find that the measured services are unable to remove the majority of the identified PII records from data brokers (48.2% of the successfully removed found records) and that most records identified by these services are not PII about the user (study participants found that only 41.1% of records identified by these services were PII about themselves).",
    "topics": [
      "privacy_engineering",
      "linkability_tracking",
      "data_broker_surveillance"
    ],
    "painPointTracks": [
      "Data Brokers",
      "Re-identification",
      "Solutions Market"
    ],
    "relevanceScore": 0.504,
    "venue": "Proceedings on Privacy Enhancing Technologies",
    "language": "en"
  },
  {
    "id": "openaire:10.1109/infocom.2019.8737579",
    "title": "Making Big Money from Small Sensors: Trading Time-Series Data under Pufferfish Privacy",
    "authors": [
      "Chaoyue Niu",
      "Zhenzhe Zheng",
      "Shaojie Tang",
      "Xiaofeng Gao",
      "Fan Wu"
    ],
    "date": "2019-04-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1109/infocom.2019.8737579",
    "pdfUrl": "",
    "doi": "10.1109/infocom.2019.8737579",
    "abstract": "With the commoditization of personal data, pricing privacy has become an intriguing topic. In this paper, we study time-series data trading from the perspective of a data broker in data markets. We thus propose HORAE, which is a PufferfisH privacy based framewOrk for tRAding timE-series data. HORAE first employs Pufferfish privacy to quantify privacy losses under temporal correlations, and compensates data owners with distinct privacy strategies in a satisfying way. Besides, HORAE not only guarantees good profitability at the data broker, but also ensures arbitrage freeness against cunning data consumers. We further apply HORAE to physical activity monitoring, and extensively evaluate its performance on the real-world Activity Recognition with Ambient Sensing (ARAS) dataset. Our analysis and evaluation results reveal that HORAE compensates data owners in a more fine-grained manner than entry/group differential privacy based approaches, well controls the profit ratio of the data broker, and thwarts arbitrage attacks launched by data consumers.",
    "topics": [
      "data_anonymization",
      "linkability_tracking",
      "data_broker_surveillance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Data Brokers",
      "Re-identification"
    ],
    "relevanceScore": 0.504,
    "venue": "IEEE Conference on Computer Communications",
    "language": "en"
  },
  {
    "id": "openaire:10.1145/3384943.3409425",
    "title": "Incentive Mechanism for Social Network Data Pricing under Privacy Preservation",
    "authors": [
      "Mengxiao Zhang",
      "Fernando Beltran",
      "Jiamou Liu"
    ],
    "date": "2020-10-06",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1145/3384943.3409425",
    "pdfUrl": "",
    "doi": "10.1145/3384943.3409425",
    "abstract": "Online social networks have become very important sources of personal data that contain preferences, tastes, interests and friendships of their users. The potential that these data may be exploited poses a rising concern over how privacy is protected by these social network platforms. As a consequence, users are starting to demand privacy protection and privacy compensation when their data are used. This situation begs the question: How to properly compensate social network users for the disclosure of their data hosted in the network while preserving their privacy? In this paper, we consider data trade between a large amount of privacy-aware social network users, and a data broker with a budget who wants to find out aggregate friendship information of this social network. We propose an incentive mechanism for pricing social network data and privacy preservation. We prove that the proposed mechanism satisfies many desirable properties, including incentive compatibility, individual rationality, budget balance, and node differential privacy. Further, the accuracy of the proposed mechanism is theoretically analysed and its effectiveness is validated by experiments on real-world datasets.",
    "topics": [
      "data_anonymization",
      "linkability_tracking",
      "data_broker_surveillance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Data Brokers",
      "Re-identification"
    ],
    "relevanceScore": 0.504,
    "venue": "International Symposium on Blockchain and Secure Critical Infrastructure",
    "language": "en"
  },
  {
    "id": "openaire:10.1109/jiot.2021.3112186",
    "title": "Distributed and Privacy Preserving Graph Data Collection in Internet of Thing Systems",
    "authors": [
      "Xu Zheng",
      "Ling Tian",
      "Bei Hui",
      "Xin Liu"
    ],
    "date": "2022-06-15",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1109/jiot.2021.3112186",
    "pdfUrl": "",
    "doi": "10.1109/jiot.2021.3112186",
    "abstract": "Internet-of-Thing systems have been treated as a novel platform for graph data acquisition. Contents like dynamic network topology, organization and control flows, and interactions among monitored objects all contribute to the huge volumes of graph data generated in IoTs. These data are believed to bring significant benefits to both the operation and functionalities of IoT systems, especially when combined with cutting-edge Artificial Intelligence techniques. However, these graph data are usually locally collected by data contributors with sensing devices, which could be both partially overlapped as they record the same environment, and sensitive as they can indicate private physical status of contributors. Considering all challenges, current solutions for graph data collection in IoTs are incapable. Therefore, this paper proposes a novel framework for privacy-preserving distributed graph data collection for IoTs. The framework allows the graphs kept by data contributors to be partially overlapped, and can help the data broker to efficiently derive the universal view by combining these graphs. The differential privacy is applied for privacy preservation during data collection. The proposed problem aims at minimizing the total bandwidth consumption for graph collection, which is proved to be NP-complete. Then three algorithms are proposed for different circumstances, based on the diverse knowledge and purposes held by the data broker. Finally, both theoretical and numerical analysis have demonstrated the advancement of these methods.",
    "topics": [
      "data_anonymization",
      "linkability_tracking",
      "data_broker_surveillance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Data Brokers",
      "Re-identification"
    ],
    "relevanceScore": 0.504,
    "venue": "",
    "language": "en"
  },
  {
    "id": "openaire:10.1145/3219819.3220013",
    "title": "Unlocking the Value of Privacy",
    "authors": [
      "Chaoyue Niu",
      "Zhenzhe Zheng",
      "Fan Wu",
      "Shaojie Tang",
      "Xiaofeng Gao",
      "Guihai Chen"
    ],
    "date": "2018-07-19",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1145/3219819.3220013",
    "pdfUrl": "",
    "doi": "10.1145/3219819.3220013",
    "abstract": "With the commoditization of personal privacy, pricing private data has become an intriguing problem. In this paper, we study noisy aggregate statistics trading from the perspective of a data broker in data markets. We thus propose ERATO, which enables aggrEgate statistics pRicing over privATe cOrrelated data. On one hand, ERATO guarantees arbitrage freeness against cunning data consumers. On the other hand, ERATO compensates data owners for their privacy losses using both bottom-up and top-down designs. We further apply ERATO to three practical aggregate statistics, namely weighted sum, probability distribution fitting, and degree distribution, and extensively evaluate their performances on MovieLens dataset, 2009 RECS dataset, and two SNAP large social network datasets, respectively. Our analysis and evaluation results reveal that ERATO well balances utility and privacy, achieves arbitrage freeness, and compensates data owners more fairly than differential privacy based approaches.",
    "topics": [
      "data_anonymization",
      "linkability_tracking",
      "data_broker_surveillance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Data Brokers",
      "Re-identification"
    ],
    "relevanceScore": 0.504,
    "venue": "Knowledge Discovery and Data Mining",
    "language": "en"
  },
  {
    "id": "openaire:10.1109/tkde.2019.2934100",
    "title": "ERATO: Trading Noisy Aggregate Statistics over Private Correlated Data",
    "authors": [
      "Chaoyue Niu",
      "Zhenzhe Zheng",
      "Fan Wu",
      "Shaojie Tang",
      "Xiaofeng Gao",
      "Guihai Chen"
    ],
    "date": "2019-01-01",
    "platform": "openaire",
    "sourceUrl": "https://doi.org/10.1109/tkde.2019.2934100",
    "pdfUrl": "",
    "doi": "10.1109/tkde.2019.2934100",
    "abstract": "With the commoditization of personal privacy, pricing private data has become an intriguing problem. In this paper, we study noisy aggregate statistics trading from the perspective of a data broker in data markets. We thus propose ERATO, which enables aggrEgate statistics pRicing over privATe cOrrelated data. On one hand, ERATO guarantees arbitrage freeness against cunning data consumers. On the other hand, ERATO compensates data owners for their privacy losses using both bottom-up and top-down designs. We further apply ERATO to three practical aggregate statistics, namely weighted sum, probability distribution fitting, and degree distribution, and extensively evaluate their performances on MovieLens dataset, 2009 RECS dataset, and two SNAP large social network datasets, respectively. Our analysis and evaluation results reveal that ERATO well balances utility and privacy, achieves arbitrage freeness, and compensates data owners more fairly than differential privacy based approaches.",
    "topics": [
      "data_anonymization",
      "linkability_tracking",
      "data_broker_surveillance"
    ],
    "painPointTracks": [
      "AI Anonymization",
      "Data Brokers",
      "Re-identification"
    ],
    "relevanceScore": 0.504,
    "venue": "IEEE Transactions on Knowledge and Data Engineering",
    "language": "en"
  }
]