Other publications

@article{RN3423,

title = {A question of strategic legislation: Can the EU deal with cybersecurity issues in space?},

author = {Francesco Cappelletti and Vagelis Papakonstantinou},

url = {https://www.sciencedirect.com/science/article/pii/S0308596125000515},

doi = {https://doi.org/10.1016/j.telpol.2025.102954},

issn = {0308-5961},

year  = {2025},

date = {2025-01-01},

urldate = {2025-01-01},

journal = {Telecommunications Policy},

volume = {49},

number = {5},

pages = {102954},

abstract = {This paper explores the impact of novel and forthcoming regulations on the European Union's (EU) strategic projection, focusing on space systems and their wide-ranging effects on services for European citizens and related industries. By examining space legislation and cybersecurity, this research provides an analytical perspective on whether the EU has implemented strategic regulations in shared competency, focusing on space and international security. While European Member States face the challenge of implementing national space strategies, the relevance of the EU extends beyond internal market and industry considerations, showcasing the Union's capabilities in implementing regulations defined in this study as ‘strategic’. This paper aims to contribute to the academic discourse by bridging the gap between legislative studies and cybersecurity in space. The idea is to use the space domain, examine the intersection of space systems and cybersecurity and its unique challenges, and propose a new framework for evaluating EU regulations as instruments of strategic power. The relevance of these domains allows the authors to present the concept of strategic legislation and its relevance for the future of the domains studied in this paper. The EU's unique characteristics of shared competencies in a shared domain (i.e., space) offer unique perspectives on the Union's potential to lead in establishing international standards for space cybersecurity while presenting theoretical insights and practical recommendations for further research.},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN3422,

title = {Democratic legitimacy of AI in judicial decision-making},

author = {Anastasia Nefeli Vidaki and Vagelis Papakonstantinou},

url = {https://dx.doi.org/10.1007/s00146-025-02411-w},

doi = {10.1007/s00146-025-02411-w},

issn = {0951-5666},

year  = {2025},

date = {2025-01-01},

journal = {AI & Society},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN3402,

title = {The AI Act and a (sorely missing!) right to AI individualization; Why are we building Skynet?},

author = {Vagelis Papakonstantinou},

doi = {10.21428/9885764c.ca76e2e9},

year  = {2024},

date = {2024-01-01},

journal = {European Law Blog},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN3424,

title = {Five years after the annus mirabilis for EU data protection: Where we stand and the outlook ahead},

author = {Vagelis Papakonstantinou},

year  = {2024},

date = {2024-01-01},

journal = {Technology and Communications Law - DITE},

pages = {35–47},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN3425,

title = {Codes of conduct in German employment relationships – A measure to adequately implementing compliance and data protection?},

author = {Daniel Wasser and Vagelis Papakonstantinou},

url = {http://www.kluwerlawonline.com/api/Product/CitationPDFURL?file=JournalsEULREULR2024014.pdf},

doi = {https://doi.org/10.54648/eulr2024014},

issn = {0959-6941},

year  = {2024},

date = {2024-01-01},

journal = {European Business Law Review},

pages = {157–182},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN3426,

title = {Does the future hold more rights or more proportionality?},

author = {Paul De Hert and Vagelis Papakonstantinou},

doi = {10.21552/edpl/2023/4/5},

issn = {23642831 

2364284X},

year  = {2023},

date = {2023-01-01},

journal = {European Data Protection Law Review},

volume = {9},

number = {4},

pages = {393–398},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN3427,

title = {A preliminary study on artificial intelligence oracles and smart contracts: A legal approach to the interaction of two novel technological breakthroughs},

author = {Vasiliki Papadouli and Vagelis Papakonstantinou},

url = {https://www.sciencedirect.com/science/article/pii/S0267364923000791},

doi = {https://doi.org/10.1016/j.clsr.2023.105869},

issn = {2212-473X},

year  = {2023},

date = {2023-01-01},

journal = {Computer Law & Security Review},

volume = {51},

pages = {105869},

abstract = {Artificial Intelligence and Smart Contracts are two cutting-edge technological achievements of the so-called 4th Industrial Revolution era. Both have already had a significant impact on various aspects of modern life, including transactions, and each one has already been under scientific investigation. Instead, their interaction has not become the subject of a debate, although it can further (positively) affect the transactions. This interconnection takes place through specific mechanisms, called Oracles, which can be, among others, highly sophisticated Artificial Intelligence systems (autonomous systems). The present article aims to present the role of the Artificial Intelligence Oracles throughout the ‘smart contractual procedure’, as well as to shed light on the potential (new) legal issues this interconnection may raise. The main result of this article is to indicate the appropriate legal directions in case of Artificial Intelligence Oracles’ failures, based on the most prevalent current approaches to AI's (the user's) contractual and/or non-contractual liability. The major research's conclusion is that the Artificial Intelligence Oracle's failures may result in one of the following situations: (a) breach of a (smart) contract, (b) unjust enrichment, (c) conclusion of a (voidable) smart contract that should not have been concluded, or (d) non-conclusion of a smart contract that should have been concluded. The responsibility of each person participating in the ‘smart contractual procedure’, i.e. the contractual parties, the blockchain platform and the Artificial Intelligence user/owner (or even the Artificial Intelligence system itself), as well as the AI provider or designer, is examined in each of the afore-mentioned situations separately. Given that legislative initiatives have already begun, the present article aspires to contribute to the consistent address of the newly raised legal issues.},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN2821,

title = {The (new) role of states in a ‘States-As-Platforms’ approach},

author = {Vagelis Papakonstantinou},

url = {https://constitutionaldiscourse.com/vagelis-papakonstantinou-the-new-role-of-states-in-a-states-as-platforms-approach/},

year  = {2023},

date = {2023-01-01},

urldate = {2023-01-01},

publisher = {Constitutional Discourse},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN3428,

title = {Il caso Clearview Ai: uno stress test per il Regolamento generale per la protezione dei dati e la proposta di Regolamento sull'intelligenza artificiale in relazione alle nuove sfide poste dal riconoscimento facciale},

author = {Jacopo Piemonte and Vagelis Papakonstantinou},

issn = {2281-1028},

year  = {2023},

date = {2023-01-01},

journal = {Ciberspazio e diritto: rivista internazionale di informatica giuridica},

pages = {43–58},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN3429,

title = {Surveillance in schools across Europe: A new phenomenon in light of the COVID-19 pandemic? The cases of Greece and France},

author = {Anastasia Karagianni and Vagelis Papakonstantinou},

url = {https://doi.org/10.12973/eu-jer.11.2.1219},

doi = {10.12973/eu-jer.11.2.1219},

year  = {2022},

date = {2022-01-01},

journal = {European Journal of Educational Research},

volume = {11},

number = {2},

pages = {1219–1229},

abstract = {Surveillance technology is more and more used in educational environments, which results in mass privacy violations of kids and, thus, the processing of huge amount of children’s data in the name of safety. Methodology used is doctrinal, since the focus of this research was given in the implementation of the legal doctrine of data protection law in the educational environments. More than that, the cases of Greece and France regarding the use of surveillance technologies in schools are carefully studied in this article. Privacy risks that both children and educators are exposed to are underlined. In these terms, this research paper focuses on the proper implementation of the European data protection framework and the role of Data Protection Authorities as control mechanisms, so that human rights risks from the perspective of privacy and data protection to be revealed, and the purposes of the use of such technologies to be evaluated. This study is limited in the legal examination of the European General Data Protection Regulation, and its implementation in the legal orders of Greece and France, and practice pertaining to the case studies of Greece and France respectively.},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN1320,

title = {Cybersecurity as praxis and as a state: The EU law path towards acknowledgement of a new right to cybersecurity?},

author = {Vagelis Papakonstantinou},

doi = {https://doi.org/10.1016/j.clsr.2022.105653},

year  = {2022},

date = {2022-01-01},

journal = {Computer Law & Security Review},

volume = {44},

pages = {1–14},

note = {Open Access},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN2618,

title = {States as platforms following the new EU regulations on online platforms},

author = {Vagelis Papakonstantinou},

url = {https://www.martenscentre.eu/wp-content/uploads/2022/12/13.pdf},

year  = {2022},

date = {2022-01-01},

journal = {European View},

volume = {21},

number = {2},

pages = {214–222},

abstract = {The recent adoption by the European Parliament of the Digital Services Act means that, when it comes into effect, it will formally introduce into EU law the term ?online platforms?. In effect, between the Digital Services Act and the Digital Markets Act, a comprehensive framework for the regulation of online platforms is being introduced into EU law, the first of its kind both in Europe and internationally. However, European regulatory innovation invites a different viewpoint: Could states be considered platforms? What if this new regulatory framework was applied to states themselves? This article first outlines the regulations on online platforms in EU law. Then it discusses the role of states as information brokers in order to support its main argument, that states can be viewed as (online) platforms. A discussion of the consequences of such a conclusion is included in the final part of this analysis.},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN2806,

title = {The cybersecurity obligations of states perceived as platforms: Are current European national cybersecurity strategies enough?},

author = {Vagelis Papakonstantinou},

doi = {10.5604/01.3001.0016.1237},

year  = {2022},

date = {2022-01-01},

journal = {Applied Cybersecurity & Internet Governance (ACIG)},

volume = {1},

number = {1},

pages = {1–12},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN2582,

title = {The regulation of digital Technologies in the EU: The law-making phenomena of “act-ification”, “GDPR mimesis” and “EU law brutality”},

author = {Vagelis Papakonstantinou and Paul De Hert},

url = {https://techreg.org/article/view/11459},

year  = {2022},

date = {2022-01-01},

journal = {Technology and Regulation},

volume = {2022},

pages = {48–60},

abstract = {EU regulatory initiatives on technology-related topics has spiked over the past few years. On the basis of its Priorities Programme 2019-2024, while creating “Europe fit for the Digital Age”, the EU Commission has been busy releasing new texts aimed at regulating a number of technology topics, including, among others, data uses, online platforms, cybersecurity, or artificial intelligence. This paper identifies three basic phenomena common to all, or most, EU new technology-relevant regulatory initiatives, namely (a) “act-ification”, (b) “GDPR mimesis”, and (c) “regulatory brutality”. These phenomena divulge new-found confidence on the part of the EU technology legislator, who has by now asserted for itself the right to form policy options and create new rules in the field for all of Europe. These three phenomena serve as indicators or early signs of a new European technology law-making paradigm that by now seems ready to emerge.},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN3432,

title = {Framing Big Data in the Council of Europe and the EU data protection law systems: Adding ‘should’ to ‘must’ via soft law to address more than only individual harms},

author = {Paul De Hert and Vagelis Papakonstantinou},

url = {https://www.sciencedirect.com/science/article/pii/S0267364920301011},

doi = {https://doi.org/10.1016/j.clsr.2020.105496},

issn = {2212-473X},

year  = {2021},

date = {2021-01-01},

journal = {Computer Law & Security Review},

volume = {40},

pages = {1–12},

abstract = {On 19 November 2019 the Council of Europe hosted an international conference, immediately preceding the annual plenary meeting of its Committee of Convention 108, on “Convention 108+ and the future data protection global standard”. One of the authors made a presentation on “Comparing the EU and Council of Europe approach to Big Data”, and it is its contents and findings that are further elaborated in this paper; Its aim is, in essence, to incorporate the feedback received and to adapt past research on Big Data, that was mostly relevant to the EU, also on the Council of Europe data protection system. After a few preliminary remarks on Big Data terminology and possible regulatory approaches, Big Data regulation is examined against the EU and the Council of Europe data protection systems. Particular emphasis is given to the Council of Europe regulatory approach both in terms of Convention 108+ and with regard to its Guidelines on Big Data and AI. The authors believe that, because both the EU and the Council of Europe have avoided to refer to Big Data in their basic data protection regulatory texts (a most likely intentional omission), guidance is indeed needed, and it may well come in the form of soft law. The Council of Europe has taken the lead in this through its Guidelines; Their timely, comprehensive and balanced approach showcases the Council's will for such processing to indeed take place, but within a well-regulated environment, albeit not under a rigid regulatory construction.},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN3430,

title = {Digitalisation of water services and the water sector cyber threat landscape: Is the EU regulatory framework adequate?},

author = {Dimitra Markopoulou and Vagelis Papakonstantinou},

year  = {2021},

date = {2021-01-01},

journal = {Journal of Water Law},

volume = {27},

number = {4},

pages = {119–133},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN3431,

title = {The regulatory framework for the protection of critical infrastructures against cyberthreats: Identifying shortcomings and addressing future challenges: The case of the health sector in particular},

author = {Dimitra Markopoulou and Vagelis Papakonstantinou},

url = {https://www.sciencedirect.com/science/article/pii/S0267364920301072},

doi = {https://doi.org/10.1016/j.clsr.2020.105502},

issn = {2212-473X},

year  = {2021},

date = {2021-01-01},

journal = {Computer Law & Security Review},

volume = {41},

pages = {1–12},

abstract = {The concept of “Critical Infrastructures” is constantly evolving in order to reflect current concerns and to respond to new challenges, especially in terms of (cyber)security and resilience. Protection of critical infrastructures against numerous threats has therefore developed into a high priority at national and EU level. During the last two decades a new type of threat has prevailed in the Critical Infrastructure threat landscape, that of cyberattacks; Protection against them is the primary focus of this paper. In order to do so the analysis first aims to drop some light into the differences between Critical Infrastructures and Critical Information Infrastructures, terms that are often confused, and to indicate possible inadequacies in the applicable protection regulatory regime. Finally, the health sector has been chosen as a sector-specific case in an effort to demonstrate how protection of a Critical Infrastructure, challenged as it has been with a constantly increasing number of cyber incidents, could be sufficiently protected in the new digitalised era.},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN3403,

title = {The act-ification of EU law: The (long-overdue) move towards eponymous EU legislation},

author = {Vagelis Papakonstantinou},

doi = {10.21428/9885764c.023eb33c},

year  = {2021},

date = {2021-01-01},

journal = {European Law Blog},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN3404,

title = {Post GDPR EU laws and their GDPR mimesis. DGA, DSA, DMA and the EU regulation of AI},

author = {Vagelis Papakonstantinou and Paul De Hert},

doi = {10.21428/9885764c.d17ee622},

year  = {2021},

date = {2021-01-01},

journal = {European Law Blog},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN3405,

title = {EU lawmaking in the Artificial Intelligent Age: Act-ification, GDPR mimesis, and regulatory brutality},

author = {Vagelis Papakonstantinou and Paul De Hert},

doi = {https://doi.org/10.21428/9885764c.e38a5afe},

year  = {2021},

date = {2021-01-01},

journal = {European Law Blog},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN3406,

title = {EU sanctions against cyber-attacks and defense rights: Wanna Cry?},

author = {Franck Dumortier and Paul De Hert and Vagelis Papakonstantinou},

doi = {10.21428/9885764c.e38a5afe},

year  = {2020},

date = {2020-01-01},

journal = {European Law Blog},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN3433,

title = {Big data analytics in electronic communications: A reality in need of granular regulation (even if this includes an interim period of no regulation at all)},

author = {Vagelis Papakonstantinou and Paul De Hert},

url = {https://dx.doi.org/10.1016/j.clsr.2020.105397},

doi = {10.1016/j.clsr.2020.105397},

issn = {2212-473X},

year  = {2020},

date = {2020-01-01},

journal = {Computer Law & Security Review},

volume = {36},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN2676,

title = {Data protection and the EPPO},

author = {Paul De Hert and Vagelis Papakonstantinou},

doi = {https://doi.org/10.1177/2032284419837381},

year  = {2019},

date = {2019-01-01},

journal = {New Journal of European Criminal Law},

volume = {10},

number = {1},

pages = {34–43},

abstract = {The European Public Prosecutor’s Office (the ‘EPPO’) necessarily processes personal data in order to fulfil its mission; As such, it falls squarely within the European Union (EU) data protection regulatory landscape. However, because the EU data protection regulatory landscape itself is currently found at a crossroads, an analysis of the EPPO data protection model may be twofold: First, placing it within the proper cross-organization dialogue currently taking place on the future regulatory model of personal data processing for law enforcement purposes carried out at EU level. Second, at an EPPO-specific level, whereby the actual data protection regime afforded to it may be assessed. This article purports to elaborate upon the above two data protection dimensions of EPPO personal data processing activities: It presents considerations and policy options during the lawmaking period that resulted in the establishment of the EPPO, it analyses the data protection regime ultimately awarded to it and attempts to, critically, place the EPPO data protection model within its proper operational and legislative environment.},

note = {Open Access},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN3435,

title = {The new EU cybersecurity framework: The NIS Directive, ENISA's role and the General Data Protection Regulation},

author = {Dimitra Markopoulou and Vagelis Papakonstantinou and Paul Hert},

url = {https://www.sciencedirect.com/science/article/pii/S0267364919300512},

doi = {https://doi.org/10.1016/j.clsr.2019.06.007},

issn = {2212-473X},

year  = {2019},

date = {2019-01-01},

journal = {Computer Law & Security Review},

volume = {35},

number = {6},

abstract = {The NIS Directive is the first horizontal legislation undertaken at EU level for the protection of network and information systems across the Union. During the last decades e-services, new technologies, information systems and networks have become embedded in our daily lives. It is by now common knowledge that deliberate incidents causing disruption of IT services and critical infrastructures constitute a serious threat to their operation and consequently to the functioning of the Internal Market and the Union. This paper first discusses the Directive's addressees particularly with regard to their compliance obligations as well as Member States’ obligations as regards their respective national strategies and cooperation at EU level. Subsequently, the critical role of ENISA in implementing the Directive, as reinforced by the proposal for a new Regulation on ENISA (the EU Cybersecurity Act), is brought forward, before elaborating upon the, inevitable, relationship of the NIS Directive with EU's General Data Protection Regulation.},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN3315,

title = {The right to data portability in the GDPR: Towards user-centric interoperability of digital services},

author = {Paul De Hert and Vagelis Papakonstantinou and Gianclaudio Malgieri and Laurent Beslay and Ignacio Sanchez},

doi = {https://doi.org/10.1016/j.clsr.2017.10.003},

year  = {2018},

date = {2018-01-01},

journal = {Computer Law & Security Review},

volume = {34},

number = {2},

pages = {193–203},

note = {Open Access},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN3436,

title = {Structuring modern life running on software. Recognizing (some) computer programs as new “digital persons”},

author = {Vagelis Papakonstantinou and Paul De Hert},

url = {https://www.sciencedirect.com/science/article/pii/S0267364918302309},

doi = {https://doi.org/10.1016/j.clsr.2018.05.032},

issn = {2212-473X},

year  = {2018},

date = {2018-01-01},

journal = {Computer Law & Security Review},

volume = {34},

number = {4},

pages = {732–738},

abstract = {Saudi Arabia grants nationality to an AI robot; the first “clash of robots” took place in Japan; and, Bill Gates suggests that robots start paying taxes. We believe that these developments justify new legal fiction interventions. Software has long now exceeded the intellectual property boundaries. It is no longer merely property; it has assumed life of its own. It does not matter that such life is imaginary today. Legal persons were brought to life through legal fiction intervention that was based on much less motivation – merely the human incentive for profit. Software is certainly connected today with profit, given that the world's most valued corporations are software companies. However, it has moved much further than that, to assume in many ways artificial life of its own. We think that it is time that the dichotomy between natural and legal persons, that has served humanity so well over the past centuries, now be trisected: A new, digital person, ought to be added to it.},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN3437,

title = {The rich UK contribution to the field of EU data protection: Let's not go for “third country” status after Brexit},

author = {Paul De Hert and Vagelis Papakonstantinou},

url = {https://dx.doi.org/10.1016/j.clsr.2017.03.008},

doi = {10.1016/j.clsr.2017.03.008},

issn = {2212-473X},

year  = {2017},

date = {2017-01-01},

journal = {Computer Law & Security Review},

volume = {33},

number = {3},

pages = {354–360},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN1934,

title = {The new General Data Protection Regulation: Still a sound system for the protection of individuals?},

author = {Paul De Hert and Vagelis Papakonstantinou},

url = {http://www.sciencedirect.com/science/article/pii/S0267364916300346},

doi = {10.1016/j.clsr.2016.02.006},

issn = {0267-3649},

year  = {2016},

date = {2016-01-01},

journal = {Computer Law & Security Review},

volume = {32},

number = {2},

pages = {179–194},

abstract = {The five-year wait is finally over; a few days before expiration of 2015 the “trilogue” that had started a few months earlier between the Commission, the Council and the Parliament suddenly bore fruit and the EU data protection reform package has finally been concluded. As planned since the beginning of this effort a Regulation, the General Data Protection Regulation is going to replace the 1995 Directive and a Directive, the Police and Criminal Justice Data Protection Directive, the 2008 Data Protection Framework Decision. In this way a long process that started as early as in 2009, peaked in early 2012, and required another three years to pass through the Parliament's and the Council's scrutiny is finished. Whether this reform package and its end-result is cause to celebrate or to lament depends on the perspective, the interests and the expectations of the beholder. Four years ago we published an article in this journal under the title “The proposed data protection Regulation replacing Directive 95/46/EC: A sound system for the protection of individuals”. This paper essentially constitutes a continuation of that article: now that the General Data Protection Regulation's final provisions are at hand it is possible to present differences with the first draft prepared by the Commission, to discuss the issues raised through its law-making passage over the past few years, and to attempt to assess the effectiveness of its final provisions in relation to their declared purposes.},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN2677,

title = {The new Police and Criminal Justice Data Protection Directive: A first analysis},

author = {Paul De Hert and Vagelis Papakonstantinou},

doi = {https://doi.org/10.1177/203228441600700102},

year  = {2016},

date = {2016-01-01},

journal = {New Journal of European Criminal Law},

volume = {7},

number = {1},

pages = {7–19},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN3439,

title = {The cloud computing standard ISO/IEC 27018 through the lens of the EU legislation on data protection},

author = {Paul De Hert and Vagelis Papakonstantinou and Irene Kamara},

url = {https://www.sciencedirect.com/science/article/pii/S0267364915001703},

doi = {https://doi.org/10.1016/j.clsr.2015.12.005},

issn = {2212-473X},

year  = {2016},

date = {2016-01-01},

journal = {Computer Law & Security Review},

volume = {32},

number = {1},

pages = {16–30},

abstract = {In July 2014 ISO and IEC published a standard relating to public cloud computing and data protection. The standard aims to address the down-sides of cloud computing and the concerns of the cloud clients, mainly the lack of trust and transparency, by developing controls and recommendations for cloud service providers acting as PII processors. At the same time, the standard aims to assist providers to demonstrate transparency and accountability in the handling of data and information in the cloud. This paper looks briefly at the data protection and security challenges of cloud computing. It discusses the provisions and added value of the standard in the context of the European data protection legislation and also looks at the uptake of the standard one year after its publication.},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN3438,

title = {The future of privacy certification in Europe: An exploration of options under article 42 of the GDPR},

author = {Rowena Rodrigues and David Barnard-Wills and Paul De Hert and Vagelis Papakonstantinou},

url = {https://doi.org/10.1080/13600869.2016.1189737},

doi = {10.1080/13600869.2016.1189737},

issn = {1360-0869},

year  = {2016},

date = {2016-01-01},

journal = {International Review of Law, Computers & Technology},

volume = {30},

number = {3},

pages = {248–270},

abstract = {The EU faces substantive legislative reform in data protection, specifically in the form of the General Data Protection Regulation (GDPR). One of the new elements in the GDPR is its call to establish data protection certification mechanisms, data protection seals and marks to help enhance transparency and compliance with the Regulation and allow data subjects to quickly assess the level of data protection of relevant products and services. To this effect, it is necessary to review privacy and data protection seals afresh and determine how data protection certification mechanisms, seals or marks might work given the role they will be called to play, particularly in Europe, in facilitating data protection. This article reviews the current state of play of privacy seals, the EU policy and regulatory thrusts for privacy and data protection certification, and the GDPR provisions on certification of the processing of personal data. The GDPR leaves substantial room for various options on data protection certification, which might play out in various ways, some of which are explored in this article.},

note = {doi: 10.1080/13600869.2016.1189737},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN3440,

title = {Repeating the mistakes of the past will do little good for air passengers in the EU: The comeback of the EU PNR Directive and a lawyer's duty to regulate profiling},

author = {Paul De Hert and Vagelis Papakonstantinou},

doi = {https://doi.org/10.1177/203228441500600201},

issn = {2032-2844},

year  = {2015},

date = {2015-01-01},

journal = {New Journal of European Criminal Law},

volume = {6},

number = {2},

pages = {160–165},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN3441,

title = {Google Spain: Addressing critiques and misunderstandings one year later},

author = {Paul De Hert and Vagelis Papakonstantinou},

url = {https://journals.sagepub.com/doi/abs/10.1177/1023263X1502200409},

doi = {10.1177/1023263x1502200409},

year  = {2015},

date = {2015-01-01},

journal = {Maastricht Journal of European and Comparative Law},

volume = {22},

number = {4},

pages = {624–638},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN2150,

title = {The Council of Europe Data Protection Convention reform: Analysis of the new text and critical comment on its global ambition},

author = {Paul De Hert and Vagelis Papakonstantinou},

url = {https://linkinghub.elsevier.com/retrieve/pii/S0267364914001526},

doi = {10.1016/j.clsr.2014.09.002},

issn = {02673649},

year  = {2014},

date = {2014-01-01},

journal = {Computer Law & Security Review},

volume = {30},

number = {6},

pages = {633–642},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN1567,

title = {Three scenarios for international governance of data privacy: Towards an international data privacy organization, preferably a UN agency?},

author = {Paul De Hert and Vagelis Papakonstantinou},

url = {https://litigation-essentials.lexisnexis.com/webcd/app?action=DocumentDisplay&crawlid=1&doctype=cite&docid=9+ISJLP+271&srctype=smi&srcid=3B15&key=0206606bfb84355920e4b493d7c9b2b7},

year  = {2013},

date = {2013-01-01},

journal = {I/S: A Journal of Law and Policy for the Information Society},

volume = {9},

number = {2},

pages = {271–327},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN790,

title = {The proposed Regulation and the construction of a principles-driven system for individual data protection},

author = {Paul De Hert and Vagelis Papakonstantinou and David Wright and Serge Gutwirth},

doi = {10.1080/13511610.2013.734047},

issn = {1351-1610 

1469-8412},

year  = {2013},

date = {2013-01-01},

journal = {Innovation: The European Journal of Social Science Research},

volume = {26},

number = {1-2},

pages = {133–144},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN838,

title = {The proposed data protection Regulation replacing Directive 95/46/EC: A sound system for the protection of individuals},

author = {Paul De Hert and Vagelis Papakonstantinou},

doi = {10.1016/j.clsr.2012.01.011},

issn = {02673649},

year  = {2012},

date = {2012-01-01},

journal = {Computer Law & Security Review},

volume = {28},

number = {2},

pages = {130–142},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN3443,

title = {The police and criminal justice data protection directive: Comment and analysis},

author = {Paul De Hert and Vagelis Papakonstantinou},

issn = {0140-3249},

year  = {2012},

date = {2012-01-01},

journal = {Computers and Law - UK Society for Computers & Law},

volume = {22},

number = {6},

pages = {21},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN3442,

title = {Legal challenges posed by online aggregation of museum content: The cases of Europeana and the Google Art Project},

author = {Vagelis Papakonstantinou and Paul De Hert},

year  = {2012},

date = {2012-01-01},

journal = {SCRIPTed},

volume = {9},

number = {3},

pages = {314–339},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN3444,

title = {The amended EU law on ePrivacy and electronic communications after its 2011 implentation; New rules on data protection, spam, data breaches and protection of intellectual property rights},

author = {Vagelis Papakonstantinou and Paul De Hert},

issn = {1078-4128},

year  = {2011},

date = {2011-01-01},

journal = {UIC John Marshall Journal of Information Technology & Privacy Law},

volume = {29},

number = {1},

pages = {29–74},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN1072,

title = {The EU PNR framework decision proposal: Towards completion of the PNR processing scene in Europe},

author = {Paul De Hert and Vagelis Papakonstantinou},

doi = {10.1016/j.clsr.2010.05.008},

issn = {02673649},

year  = {2010},

date = {2010-01-01},

journal = {Computer Law & Security Review},

volume = {26},

number = {4},

pages = {368–376},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN1488,

title = {The data protection framework decision of 27 November 2008 regarding police and judicial cooperation in criminal matters – A modest achievement however not the improvement some have hoped for},

author = {Paul De Hert and Vagelis Papakonstantinou},

doi = {10.1016/j.clsr.2009.07.008},

issn = {02673649},

year  = {2009},

date = {2009-01-01},

journal = {Computer Law & Security Review},

volume = {25},

number = {5},

pages = {403–414},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN3445,

title = {The PNR Agreement and transatlantic anti-terrorism cooperation: No firm human rights framework on either side of the Atlantic},

author = {Vagelis Papakonstantinou and Paul De Hert},

doi = {https://doi.org/10.54648/cola2009036},

issn = {0165-0750},

year  = {2009},

date = {2009-01-01},

journal = {Common Market Law Review},

volume = {46},

number = {3},

pages = {885–919},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN3446,

title = {The agreement on Passenger-Data Transfer (PNR) and the EU-US cooperation in data communication},

author = {Kay Hailbronner and Vagelis Papakonstantinou and Marcel Kau},

doi = {https://doi.org/10.1111/j.1468-2435.2008.00449.x},

issn = {0020-7985},

year  = {2008},

date = {2008-01-01},

journal = {International Migration},

volume = {46},

number = {2},

pages = {187–197},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{RN3447,

title = {A data protection approach to data matching operations among public bodies},

author = {Vagelis Papakonstantinou},

doi = {https://doi.org/10.1093/ijlit/9.1.39},

issn = {1464-3693},

year  = {2001},

date = {2001-01-01},

journal = {International Journal of Law and Information Technology},

volume = {9},

number = {1},

pages = {39–64},

keywords = {},

pubstate = {published},

tppubtype = {article}

}