Articles (by year)
Journal Articles
Cappelletti, Francesco; Papakonstantinou, Vagelis
A question of strategic legislation: Can the EU deal with cybersecurity issues in space? Journal Article
In: Telecommunications Policy, vol. 49, no. 5, 2025, ISSN: 0308-5961.
@article{RN3423,
title = {A question of strategic legislation: Can the EU deal with cybersecurity issues in space?},
author = {Francesco Cappelletti and Vagelis Papakonstantinou},
url = {https://www.sciencedirect.com/science/article/pii/S0308596125000515},
doi = {https://doi.org/10.1016/j.telpol.2025.102954},
issn = {0308-5961},
year = {2025},
date = {2025-06-16},
urldate = {2025-01-01},
journal = {Telecommunications Policy},
volume = {49},
number = {5},
abstract = {This paper explores the impact of novel and forthcoming regulations on the European Union's (EU) strategic projection, focusing on space systems and their wide-ranging effects on services for European citizens and related industries. By examining space legislation and cybersecurity, this research provides an analytical perspective on whether the EU has implemented strategic regulations in shared competency, focusing on space and international security. While European Member States face the challenge of implementing national space strategies, the relevance of the EU extends beyond internal market and industry considerations, showcasing the Union's capabilities in implementing regulations defined in this study as ‘strategic’. This paper aims to contribute to the academic discourse by bridging the gap between legislative studies and cybersecurity in space. The idea is to use the space domain, examine the intersection of space systems and cybersecurity and its unique challenges, and propose a new framework for evaluating EU regulations as instruments of strategic power. The relevance of these domains allows the authors to present the concept of strategic legislation and its relevance for the future of the domains studied in this paper. The EU's unique characteristics of shared competencies in a shared domain (i.e., space) offer unique perspectives on the Union's potential to lead in establishing international standards for space cybersecurity while presenting theoretical insights and practical recommendations for further research.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
This paper explores the impact of novel and forthcoming regulations on the European Union's (EU) strategic projection, focusing on space systems and their wide-ranging effects on services for European citizens and related industries. By examining space legislation and cybersecurity, this research provides an analytical perspective on whether the EU has implemented strategic regulations in shared competency, focusing on space and international security. While European Member States face the challenge of implementing national space strategies, the relevance of the EU extends beyond internal market and industry considerations, showcasing the Union's capabilities in implementing regulations defined in this study as ‘strategic’. This paper aims to contribute to the academic discourse by bridging the gap between legislative studies and cybersecurity in space. The idea is to use the space domain, examine the intersection of space systems and cybersecurity and its unique challenges, and propose a new framework for evaluating EU regulations as instruments of strategic power. The relevance of these domains allows the authors to present the concept of strategic legislation and its relevance for the future of the domains studied in this paper. The EU's unique characteristics of shared competencies in a shared domain (i.e., space) offer unique perspectives on the Union's potential to lead in establishing international standards for space cybersecurity while presenting theoretical insights and practical recommendations for further research.
Vidaki, Anastasia Nefeli; Papakonstantinou, Vagelis
Democratic legitimacy of AI in judicial decision-making Journal Article
In: AI & Society, 2025, ISSN: 0951-5666.
@article{RN3422,
title = {Democratic legitimacy of AI in judicial decision-making},
author = {Anastasia Nefeli Vidaki and Vagelis Papakonstantinou},
url = {https://dx.doi.org/10.1007/s00146-025-02411-w
https://vpapakonstantinou.com/wp-content/uploads/2025/10/s00146-025-02411-w.pdf, Open access PDF
},
doi = {10.1007/s00146-025-02411-w},
issn = {0951-5666},
year = {2025},
date = {2025-01-01},
urldate = {2025-01-01},
journal = {AI & Society},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Papakonstantinou, Vagelis
The AI Act and a (sorely missing!) right to AI individualization; Why are we building Skynet? Journal Article
In: European Law Blog, 2024.
@article{RN3402,
title = {The AI Act and a (sorely missing!) right to AI individualization; Why are we building Skynet?},
author = {Vagelis Papakonstantinou},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/yolhro68qw1j5ec5e3xyz83dc8p0yv2u.pdf, Open access PDF
https://www.europeanlawblog.eu/pub/04y8qbam/release/1, Publisher's website (blog post)},
doi = {10.21428/9885764c.ca76e2e9},
year = {2024},
date = {2024-01-01},
urldate = {2024-01-01},
journal = {European Law Blog},
abstract = {The industry has tricked us; Scientists and regulators have failed us. AI is developing not individually (as humans become individuals) but collectively. A huge collective hive to collect, store and process all of humanity’s information; a single entity (or a few, interoperability as an open issue today as their operation itself) to process all our questions, wishes and knowledge. The AI Act that has just been released ratifies, for the moment at least, this approach: EU’s ambitious attempt to regulate AI deals with it as if it was simply a phenomenon in need of better organisation, without granting any rights (or participation, thus a voice) to individuals. This is not only a missed opportunity but also a potentially risky approach; while we may not be building Skynet as such, we are accepting an industry-imposed shortcut that will ultimately hurt individual rights, if not individual development per se.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
The industry has tricked us; Scientists and regulators have failed us. AI is developing not individually (as humans become individuals) but collectively. A huge collective hive to collect, store and process all of humanity’s information; a single entity (or a few, interoperability as an open issue today as their operation itself) to process all our questions, wishes and knowledge. The AI Act that has just been released ratifies, for the moment at least, this approach: EU’s ambitious attempt to regulate AI deals with it as if it was simply a phenomenon in need of better organisation, without granting any rights (or participation, thus a voice) to individuals. This is not only a missed opportunity but also a potentially risky approach; while we may not be building Skynet as such, we are accepting an industry-imposed shortcut that will ultimately hurt individual rights, if not individual development per se.
Papakonstantinou, Vagelis
Five years after the annus mirabilis for EU data protection: Where we stand and the outlook ahead Journal Article
In: Technology and Communications Law - DITE, pp. 35–47, 2024.
@article{RN3424,
title = {Five years after the annus mirabilis for EU data protection: Where we stand and the outlook ahead},
author = {Vagelis Papakonstantinou},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/Five-years-after-the-annus-mirabilis.pdf, Accepted manuscript PDF},
year = {2024},
date = {2024-01-01},
urldate = {2024-01-01},
journal = {Technology and Communications Law - DITE},
pages = {35–47},
abstract = {The law has an ambivalent relationship with the future. It is not only that it is hard to make predictions, especially
about the future, but also that a single word (in the future) by the lawmaker can quickly make years of law
implementation (and relevant case law and legal theory) obsolete. Notwithstanding incertitude, however, path
dependence (“the tendency of institutions or technologies to become committed to develop in certain ways as a result
of their structural properties or their beliefs and values”) perhaps helps make predictions a bit less hopeless. It is
around these thoughts, and concerns, that the analysis that follows unfolds. Five years have passed after 2018, the
annus mirabilis for EU data protection when both the GDPR and the LED became effective, and this anniversary invites
a retrospective assessment and a, modest, attempt to look into the future.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
The law has an ambivalent relationship with the future. It is not only that it is hard to make predictions, especially
about the future, but also that a single word (in the future) by the lawmaker can quickly make years of law
implementation (and relevant case law and legal theory) obsolete. Notwithstanding incertitude, however, path
dependence (“the tendency of institutions or technologies to become committed to develop in certain ways as a result
of their structural properties or their beliefs and values”) perhaps helps make predictions a bit less hopeless. It is
around these thoughts, and concerns, that the analysis that follows unfolds. Five years have passed after 2018, the
annus mirabilis for EU data protection when both the GDPR and the LED became effective, and this anniversary invites
a retrospective assessment and a, modest, attempt to look into the future.
about the future, but also that a single word (in the future) by the lawmaker can quickly make years of law
implementation (and relevant case law and legal theory) obsolete. Notwithstanding incertitude, however, path
dependence (“the tendency of institutions or technologies to become committed to develop in certain ways as a result
of their structural properties or their beliefs and values”) perhaps helps make predictions a bit less hopeless. It is
around these thoughts, and concerns, that the analysis that follows unfolds. Five years have passed after 2018, the
annus mirabilis for EU data protection when both the GDPR and the LED became effective, and this anniversary invites
a retrospective assessment and a, modest, attempt to look into the future.
Wasser, Daniel; Papakonstantinou, Vagelis
Codes of conduct in German employment relationships – A measure to adequately implementing compliance and data protection? Journal Article
In: European Business Law Review, pp. 157–182, 2024, ISSN: 0959-6941.
@article{RN3425,
title = {Codes of conduct in German employment relationships – A measure to adequately implementing compliance and data protection?},
author = {Daniel Wasser and Vagelis Papakonstantinou},
doi = {https://doi.org/10.54648/eulr2024014},
issn = {0959-6941},
year = {2024},
date = {2024-01-01},
urldate = {2024-01-01},
journal = {European Business Law Review},
pages = {157–182},
abstract = {Compliance as well as Compliance-Management-Systems, Codes of Conduct and General Data Protection Regulation are widely known terms in any (multinational) corporation. In daily legal practice, however, Codes of Conduct containing or being combined with Codes of Conduct according to Art. 40 GDPR (GDPR codes) are unlikely to being drafted or published. Particularly by employers and thus corporations. This is for a good reason. Addressing codes of conduct within corporations, it is not yet comprehensively analyzed whether GDPR codes may be lawfully drafted by corporations or – if drafted lawfully – whether these are appropriate measures within employers’ Corporate Compliance-Management-Systems.
Aiming to contribute to the discussion in this respect, this paper contours possible considerations of the analysis explicitly encouraging colleagues to critically think of this topic as well. Eventually, if GDPR codes are appropriate measures, lawfully and comprehensively implementing compliance codes is nevertheless essential in any case.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Compliance as well as Compliance-Management-Systems, Codes of Conduct and General Data Protection Regulation are widely known terms in any (multinational) corporation. In daily legal practice, however, Codes of Conduct containing or being combined with Codes of Conduct according to Art. 40 GDPR (GDPR codes) are unlikely to being drafted or published. Particularly by employers and thus corporations. This is for a good reason. Addressing codes of conduct within corporations, it is not yet comprehensively analyzed whether GDPR codes may be lawfully drafted by corporations or – if drafted lawfully – whether these are appropriate measures within employers’ Corporate Compliance-Management-Systems.
Aiming to contribute to the discussion in this respect, this paper contours possible considerations of the analysis explicitly encouraging colleagues to critically think of this topic as well. Eventually, if GDPR codes are appropriate measures, lawfully and comprehensively implementing compliance codes is nevertheless essential in any case.
Aiming to contribute to the discussion in this respect, this paper contours possible considerations of the analysis explicitly encouraging colleagues to critically think of this topic as well. Eventually, if GDPR codes are appropriate measures, lawfully and comprehensively implementing compliance codes is nevertheless essential in any case.
Hert, Paul De; Papakonstantinou, Vagelis
Does the future hold more rights or more proportionality? Journal Article
In: European Data Protection Law Review, vol. 9, no. 4, pp. 393–398, 2023, ISSN: 23642831 2364284X.
@article{RN3426,
title = {Does the future hold more rights or more proportionality?},
author = {Paul De Hert and Vagelis Papakonstantinou},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/De-Hert-2023-Does-the-Future-Hold-More-Rights.pdf, Accepted manuscript PDF},
doi = {10.21552/edpl/2023/4/5},
issn = {23642831 2364284X},
year = {2023},
date = {2023-01-01},
urldate = {2023-01-01},
journal = {European Data Protection Law Review},
volume = {9},
number = {4},
pages = {393–398},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Papadouli, Vasiliki; Papakonstantinou, Vagelis
In: Computer Law & Security Review, vol. 51, pp. 105869, 2023, ISSN: 2212-473X.
@article{RN3427,
title = {A preliminary study on artificial intelligence oracles and smart contracts: A legal approach to the interaction of two novel technological breakthroughs},
author = {Vasiliki Papadouli and Vagelis Papakonstantinou},
url = {https://www.sciencedirect.com/science/article/pii/S0267364923000791
https://vpapakonstantinou.com/wp-content/uploads/2025/10/1-s2.0-S0267364923000791-main.pdf, Open access PDF},
doi = {https://doi.org/10.1016/j.clsr.2023.105869},
issn = {2212-473X},
year = {2023},
date = {2023-01-01},
urldate = {2023-01-01},
journal = {Computer Law & Security Review},
volume = {51},
pages = {105869},
abstract = {Artificial Intelligence and Smart Contracts are two cutting-edge technological achievements of the so-called 4th Industrial Revolution era. Both have already had a significant impact on various aspects of modern life, including transactions, and each one has already been under scientific investigation. Instead, their interaction has not become the subject of a debate, although it can further (positively) affect the transactions. This interconnection takes place through specific mechanisms, called Oracles, which can be, among others, highly sophisticated Artificial Intelligence systems (autonomous systems). The present article aims to present the role of the Artificial Intelligence Oracles throughout the ‘smart contractual procedure’, as well as to shed light on the potential (new) legal issues this interconnection may raise. The main result of this article is to indicate the appropriate legal directions in case of Artificial Intelligence Oracles’ failures, based on the most prevalent current approaches to AI's (the user's) contractual and/or non-contractual liability. The major research's conclusion is that the Artificial Intelligence Oracle's failures may result in one of the following situations: (a) breach of a (smart) contract, (b) unjust enrichment, (c) conclusion of a (voidable) smart contract that should not have been concluded, or (d) non-conclusion of a smart contract that should have been concluded. The responsibility of each person participating in the ‘smart contractual procedure’, i.e. the contractual parties, the blockchain platform and the Artificial Intelligence user/owner (or even the Artificial Intelligence system itself), as well as the AI provider or designer, is examined in each of the afore-mentioned situations separately. Given that legislative initiatives have already begun, the present article aspires to contribute to the consistent address of the newly raised legal issues.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Artificial Intelligence and Smart Contracts are two cutting-edge technological achievements of the so-called 4th Industrial Revolution era. Both have already had a significant impact on various aspects of modern life, including transactions, and each one has already been under scientific investigation. Instead, their interaction has not become the subject of a debate, although it can further (positively) affect the transactions. This interconnection takes place through specific mechanisms, called Oracles, which can be, among others, highly sophisticated Artificial Intelligence systems (autonomous systems). The present article aims to present the role of the Artificial Intelligence Oracles throughout the ‘smart contractual procedure’, as well as to shed light on the potential (new) legal issues this interconnection may raise. The main result of this article is to indicate the appropriate legal directions in case of Artificial Intelligence Oracles’ failures, based on the most prevalent current approaches to AI's (the user's) contractual and/or non-contractual liability. The major research's conclusion is that the Artificial Intelligence Oracle's failures may result in one of the following situations: (a) breach of a (smart) contract, (b) unjust enrichment, (c) conclusion of a (voidable) smart contract that should not have been concluded, or (d) non-conclusion of a smart contract that should have been concluded. The responsibility of each person participating in the ‘smart contractual procedure’, i.e. the contractual parties, the blockchain platform and the Artificial Intelligence user/owner (or even the Artificial Intelligence system itself), as well as the AI provider or designer, is examined in each of the afore-mentioned situations separately. Given that legislative initiatives have already begun, the present article aspires to contribute to the consistent address of the newly raised legal issues.
Papakonstantinou, Vagelis
The (new) role of states in a ‘States-As-Platforms’ approach Journal Article
In: 2023.
@article{RN2821,
title = {The (new) role of states in a ‘States-As-Platforms’ approach},
author = {Vagelis Papakonstantinou},
url = {https://constitutionaldiscourse.com/vagelis-papakonstantinou-the-new-role-of-states-in-a-states-as-platforms-approach/
https://vpapakonstantinou.com/wp-content/uploads/2025/10/constitutionaldiscourse.com-Vagelis-PAPAKONSTANTINOU_-The-New-Role-of-States-in-a-‘States-As-Platforms-Approach-1.pdf, Publisher's website (blog post) PDF},
year = {2023},
date = {2023-01-01},
urldate = {2023-01-01},
publisher = {Constitutional Discourse},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Piemonte, Jacopo; Papakonstantinou, Vagelis
In: Ciberspazio e diritto: rivista internazionale di informatica giuridica, pp. 43–58, 2023, ISSN: 2281-1028.
@article{RN3428,
title = {Il caso Clearview Ai: uno stress test per il Regolamento generale per la protezione dei dati e la proposta di Regolamento sull'intelligenza artificiale in relazione alle nuove sfide poste dal riconoscimento facciale},
author = {Jacopo Piemonte and Vagelis Papakonstantinou},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/Piemonte-2023-Il-caso-Clearview-Ai_-uno-stress.pdf, Accepted manuscript PDF},
issn = {2281-1028},
year = {2023},
date = {2023-01-01},
urldate = {2023-01-01},
journal = {Ciberspazio e diritto: rivista internazionale di informatica giuridica},
pages = {43–58},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Karagianni, Anastasia; Papakonstantinou, Vagelis
Surveillance in schools across Europe: A new phenomenon in light of the COVID-19 pandemic? The cases of Greece and France Journal Article
In: European Journal of Educational Research, vol. 11, no. 2, pp. 1219–1229, 2022.
@article{RN3429,
title = {Surveillance in schools across Europe: A new phenomenon in light of the COVID-19 pandemic? The cases of Greece and France},
author = {Anastasia Karagianni and Vagelis Papakonstantinou},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/EU-JER_11_2_1219-1.pdf, Open access PDF},
doi = {https://doi.org/10.12973/eu-jer.11.2.1219},
year = {2022},
date = {2022-01-01},
urldate = {2022-01-01},
journal = {European Journal of Educational Research},
volume = {11},
number = {2},
pages = {1219–1229},
abstract = {Surveillance technology is more and more used in educational environments, which results in mass privacy violations of kids and, thus, the processing of huge amount of children’s data in the name of safety. Methodology used is doctrinal, since the focus of this research was given in the implementation of the legal doctrine of data protection law in the educational environments. More than that, the cases of Greece and France regarding the use of surveillance technologies in schools are carefully studied in this article. Privacy risks that both children and educators are exposed to are underlined. In these terms, this research paper focuses on the proper implementation of the European data protection framework and the role of Data Protection Authorities as control mechanisms, so that human rights risks from the perspective of privacy and data protection to be revealed, and the purposes of the use of such technologies to be evaluated. This study is limited in the legal examination of the European General Data Protection Regulation, and its implementation in the legal orders of Greece and France, and practice pertaining to the case studies of Greece and France respectively.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Surveillance technology is more and more used in educational environments, which results in mass privacy violations of kids and, thus, the processing of huge amount of children’s data in the name of safety. Methodology used is doctrinal, since the focus of this research was given in the implementation of the legal doctrine of data protection law in the educational environments. More than that, the cases of Greece and France regarding the use of surveillance technologies in schools are carefully studied in this article. Privacy risks that both children and educators are exposed to are underlined. In these terms, this research paper focuses on the proper implementation of the European data protection framework and the role of Data Protection Authorities as control mechanisms, so that human rights risks from the perspective of privacy and data protection to be revealed, and the purposes of the use of such technologies to be evaluated. This study is limited in the legal examination of the European General Data Protection Regulation, and its implementation in the legal orders of Greece and France, and practice pertaining to the case studies of Greece and France respectively.
Papakonstantinou, Vagelis
Cybersecurity as praxis and as a state: The EU law path towards acknowledgement of a new right to cybersecurity? Journal Article
In: Computer Law & Security Review, vol. 44, 2022, (Open Access).
@article{RN1320,
title = {Cybersecurity as praxis and as a state: The EU law path towards acknowledgement of a new right to cybersecurity?},
author = {Vagelis Papakonstantinou},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/1-s2.0-S0267364922000012-main.pdf, Open access PDF},
doi = {https://doi.org/10.1016/j.clsr.2022.105653},
year = {2022},
date = {2022-01-01},
urldate = {2022-01-01},
journal = {Computer Law & Security Review},
volume = {44},
abstract = {The end of the second decade of the 21st century has been the best of times for EU's cybersecurity law and policy: Its NIS Directive has been transposed into all Member States’ national law, creating a new administrative structure at EU and Member State level and mandating relevant policies and strategies to update and harmonise those that were already in place. Its Cybersecurity Act of 2019 incorporated the EU Agency for Cybersecurity (ENISA), and promises to install a new European cybersecurity certification scheme. To support policy with funding, large sums of research money have been spent on the development of cybersecurity tools and the relevant framework. However, EU's significant regulatory activity is faced with substantial difficulties. While cybersecurity concerns are placed high on the list of issues that worry Europeans making a regulatory response pressing, the cybersecurity theoretical framework is far from concluded: Difficulties start as early as when attempting to define the term, ultimately divulging a lack of common understanding. Different actors understand cybersecurity differently under different circumstances. A distinction that could perhaps prove useful in creating clarity as to its exact meaning would distinguish between cybersecurity as praxis and cybersecurity as a state. Cybersecurity as praxis would then be understood as the activities and measures that need to be undertaken in order to accomplish cybersecurity's aims and objectives. Accordingly, cybersecurity as a state would mean the condition that is achieved once cybersecurity as praxis has succeeded; Within cybersecurity as a state persons need to be protected against any cyber threat. A distinction between cybersecurity as praxis and cybersecurity as a state would not only be useful in delineating the term's content but could also constitute the necessary theoretical groundwork for development, ultimately, of a new right to cybersecurity. EU law has already taken positive steps towards acknowledgement of a new right to cybersecurity. However, a lot more needs to be done; Past progress needs to be continued and updated. A conceivable next step could take the form of formal acknowledgement of such a new right in EU law, in a future amendment of the Act's provisions or otherwise.},
note = {Open Access},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
The end of the second decade of the 21st century has been the best of times for EU's cybersecurity law and policy: Its NIS Directive has been transposed into all Member States’ national law, creating a new administrative structure at EU and Member State level and mandating relevant policies and strategies to update and harmonise those that were already in place. Its Cybersecurity Act of 2019 incorporated the EU Agency for Cybersecurity (ENISA), and promises to install a new European cybersecurity certification scheme. To support policy with funding, large sums of research money have been spent on the development of cybersecurity tools and the relevant framework. However, EU's significant regulatory activity is faced with substantial difficulties. While cybersecurity concerns are placed high on the list of issues that worry Europeans making a regulatory response pressing, the cybersecurity theoretical framework is far from concluded: Difficulties start as early as when attempting to define the term, ultimately divulging a lack of common understanding. Different actors understand cybersecurity differently under different circumstances. A distinction that could perhaps prove useful in creating clarity as to its exact meaning would distinguish between cybersecurity as praxis and cybersecurity as a state. Cybersecurity as praxis would then be understood as the activities and measures that need to be undertaken in order to accomplish cybersecurity's aims and objectives. Accordingly, cybersecurity as a state would mean the condition that is achieved once cybersecurity as praxis has succeeded; Within cybersecurity as a state persons need to be protected against any cyber threat. A distinction between cybersecurity as praxis and cybersecurity as a state would not only be useful in delineating the term's content but could also constitute the necessary theoretical groundwork for development, ultimately, of a new right to cybersecurity. EU law has already taken positive steps towards acknowledgement of a new right to cybersecurity. However, a lot more needs to be done; Past progress needs to be continued and updated. A conceivable next step could take the form of formal acknowledgement of such a new right in EU law, in a future amendment of the Act's provisions or otherwise.
Papakonstantinou, Vagelis
States as platforms following the new EU regulations on online platforms Journal Article
In: European View, vol. 21, no. 2, pp. 214–222, 2022.
@article{RN2618,
title = {States as platforms following the new EU regulations on online platforms},
author = {Vagelis Papakonstantinou},
url = {https://www.martenscentre.eu/wp-content/uploads/2022/12/13.pdf
https://vpapakonstantinou.com/wp-content/uploads/2025/10/13.pdf, Open access PDF},
doi = {https://doi.org/10.1177/17816858221134748},
year = {2022},
date = {2022-01-01},
urldate = {2022-01-01},
journal = {European View},
volume = {21},
number = {2},
pages = {214–222},
abstract = {The recent adoption by the European Parliament of the Digital Services Act means that, when it comes into effect, it will formally introduce into EU law the term ?online platforms?. In effect, between the Digital Services Act and the Digital Markets Act, a comprehensive framework for the regulation of online platforms is being introduced into EU law, the first of its kind both in Europe and internationally. However, European regulatory innovation invites a different viewpoint: Could states be considered platforms? What if this new regulatory framework was applied to states themselves? This article first outlines the regulations on online platforms in EU law. Then it discusses the role of states as information brokers in order to support its main argument, that states can be viewed as (online) platforms. A discussion of the consequences of such a conclusion is included in the final part of this analysis.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
The recent adoption by the European Parliament of the Digital Services Act means that, when it comes into effect, it will formally introduce into EU law the term ?online platforms?. In effect, between the Digital Services Act and the Digital Markets Act, a comprehensive framework for the regulation of online platforms is being introduced into EU law, the first of its kind both in Europe and internationally. However, European regulatory innovation invites a different viewpoint: Could states be considered platforms? What if this new regulatory framework was applied to states themselves? This article first outlines the regulations on online platforms in EU law. Then it discusses the role of states as information brokers in order to support its main argument, that states can be viewed as (online) platforms. A discussion of the consequences of such a conclusion is included in the final part of this analysis.
Papakonstantinou, Vagelis
The cybersecurity obligations of states perceived as platforms: Are current European national cybersecurity strategies enough? Journal Article
In: Applied Cybersecurity & Internet Governance (ACIG), vol. 1, no. 1, 2022.
@article{RN2806,
title = {The cybersecurity obligations of states perceived as platforms: Are current European national cybersecurity strategies enough?},
author = {Vagelis Papakonstantinou},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/The-Cybersecurity-1.pdf, Open access PDF},
doi = {10.5604/01.3001.0016.1237},
year = {2022},
date = {2022-01-01},
urldate = {2022-01-01},
journal = {Applied Cybersecurity & Internet Governance (ACIG)},
volume = {1},
number = {1},
abstract = {Cybersecurity is a relatively recent addition to the list of preoccupations for modern states. The forceful emergence of the internet and computer networks and their subsequent prevalence quickly brought this to the fore. By now, it is inconceivable that
modern administrations, whether public or private, can exist entirely outside the digital realm. Nevertheless, with great opportunities also comes great risk. Attacks against computer systems quickly evolved from marginalised incidents to matters of state concern. The exponential increase in the importance of cybersecurity over the past few years has led to a multi-level response. New policies, followed by relevant laws and regulations, have been introduced at national and international levels. While modern states have therefore been compelled to devise concrete cybersecurity strategies in response to potential threats, the most notable aspect of these strategies is their resemblance to one another. Such uniform thinking could develop into a risk per se: challenges may appear unexpectedly, given the dynamic nature of the internet and the multitude of actors and sources of risk, which could put common knowledge, or what may be called conventional wisdom, to the test at
a stage where the scope for response is limited. This paper builds upon the idea of national states being perceived as platforms within the contemporary digital and regulatory environment. Platforms are in this context information structures or systems, whereby the primary role of states acting as platforms is that of an information broker for its citizens or subjects. This role takes precedence even over the fundamental obligation of states to provide security; it calls upon them first to co-create (basic) personal data, and then to safely store and further transmit such data. Once the key concept of states as platforms has been elaborated in section 2, this paper then presents the concrete consequences of this approach within the cybersecurity field. In section 3, former off-line practices for safely storing personal information, undertaken by states within their role as platforms, are contrasted with the challenges posed by the digitisation of information. The focus is then turned in section
4 to the EU, and the NIS Directive’s obligation upon Member States to introduce and implement national cybersecurity strategies, which are therefore examined under the lens introduced in section 2. Finally, specific points for improvement and relevant recommendations for these cybersecurity strategies are presented in section 5.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Cybersecurity is a relatively recent addition to the list of preoccupations for modern states. The forceful emergence of the internet and computer networks and their subsequent prevalence quickly brought this to the fore. By now, it is inconceivable that
modern administrations, whether public or private, can exist entirely outside the digital realm. Nevertheless, with great opportunities also comes great risk. Attacks against computer systems quickly evolved from marginalised incidents to matters of state concern. The exponential increase in the importance of cybersecurity over the past few years has led to a multi-level response. New policies, followed by relevant laws and regulations, have been introduced at national and international levels. While modern states have therefore been compelled to devise concrete cybersecurity strategies in response to potential threats, the most notable aspect of these strategies is their resemblance to one another. Such uniform thinking could develop into a risk per se: challenges may appear unexpectedly, given the dynamic nature of the internet and the multitude of actors and sources of risk, which could put common knowledge, or what may be called conventional wisdom, to the test at
a stage where the scope for response is limited. This paper builds upon the idea of national states being perceived as platforms within the contemporary digital and regulatory environment. Platforms are in this context information structures or systems, whereby the primary role of states acting as platforms is that of an information broker for its citizens or subjects. This role takes precedence even over the fundamental obligation of states to provide security; it calls upon them first to co-create (basic) personal data, and then to safely store and further transmit such data. Once the key concept of states as platforms has been elaborated in section 2, this paper then presents the concrete consequences of this approach within the cybersecurity field. In section 3, former off-line practices for safely storing personal information, undertaken by states within their role as platforms, are contrasted with the challenges posed by the digitisation of information. The focus is then turned in section
4 to the EU, and the NIS Directive’s obligation upon Member States to introduce and implement national cybersecurity strategies, which are therefore examined under the lens introduced in section 2. Finally, specific points for improvement and relevant recommendations for these cybersecurity strategies are presented in section 5.
modern administrations, whether public or private, can exist entirely outside the digital realm. Nevertheless, with great opportunities also comes great risk. Attacks against computer systems quickly evolved from marginalised incidents to matters of state concern. The exponential increase in the importance of cybersecurity over the past few years has led to a multi-level response. New policies, followed by relevant laws and regulations, have been introduced at national and international levels. While modern states have therefore been compelled to devise concrete cybersecurity strategies in response to potential threats, the most notable aspect of these strategies is their resemblance to one another. Such uniform thinking could develop into a risk per se: challenges may appear unexpectedly, given the dynamic nature of the internet and the multitude of actors and sources of risk, which could put common knowledge, or what may be called conventional wisdom, to the test at
a stage where the scope for response is limited. This paper builds upon the idea of national states being perceived as platforms within the contemporary digital and regulatory environment. Platforms are in this context information structures or systems, whereby the primary role of states acting as platforms is that of an information broker for its citizens or subjects. This role takes precedence even over the fundamental obligation of states to provide security; it calls upon them first to co-create (basic) personal data, and then to safely store and further transmit such data. Once the key concept of states as platforms has been elaborated in section 2, this paper then presents the concrete consequences of this approach within the cybersecurity field. In section 3, former off-line practices for safely storing personal information, undertaken by states within their role as platforms, are contrasted with the challenges posed by the digitisation of information. The focus is then turned in section
4 to the EU, and the NIS Directive’s obligation upon Member States to introduce and implement national cybersecurity strategies, which are therefore examined under the lens introduced in section 2. Finally, specific points for improvement and relevant recommendations for these cybersecurity strategies are presented in section 5.
Papakonstantinou, Vagelis
States as platforms under new EU (online platforms’) law Journal Article
In: European Law Blog, 2022.
@article{RN2820,
title = {States as platforms under new EU (online platforms’) law},
author = {Vagelis Papakonstantinou},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/x2tqnhk926mktf69sg27gqcz9uepv0nj.pdf, Publisher's website (blog post) PDF},
doi = {https://doi.org/10.21428/9885764c.a456e2dd},
year = {2022},
date = {2022-01-01},
urldate = {2022-01-01},
journal = {European Law Blog},
abstract = {The recent political agreement on the Digital Services Act (the “DSA”) means that, once officially released, it will formally introduce into EU law the term “online platforms”: These (according to the Commission’s original proposal, at least) are meant to be “a provider of a hosting service which, at the request of a recipient of the service, stores and disseminates to the public information” (art. 2, point (h) of the DSA), whereby a hosting service, in turn, “consists of the storage of information provided by, and at the request of, a recipient of the service” (point f). Therefore, between the DSA and the Digital Markets Act (the “DMA”), that has also been recently finalised, a comprehensive framework for the regulation of online platforms is introduced in EU law, the first of its kind both in Europe and internationally.
What if, however, this framework was applied to states themselves? What if states fell within the definition of an online platform within this context?},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
The recent political agreement on the Digital Services Act (the “DSA”) means that, once officially released, it will formally introduce into EU law the term “online platforms”: These (according to the Commission’s original proposal, at least) are meant to be “a provider of a hosting service which, at the request of a recipient of the service, stores and disseminates to the public information” (art. 2, point (h) of the DSA), whereby a hosting service, in turn, “consists of the storage of information provided by, and at the request of, a recipient of the service” (point f). Therefore, between the DSA and the Digital Markets Act (the “DMA”), that has also been recently finalised, a comprehensive framework for the regulation of online platforms is introduced in EU law, the first of its kind both in Europe and internationally.
What if, however, this framework was applied to states themselves? What if states fell within the definition of an online platform within this context?
What if, however, this framework was applied to states themselves? What if states fell within the definition of an online platform within this context?
Papakonstantinou, Vagelis; Hert, Paul De
The regulation of digital Technologies in the EU: The law-making phenomena of “act-ification”, “GDPR mimesis” and “EU law brutality” Journal Article
In: Technology and Regulation, vol. 2022, pp. 48–60, 2022.
@article{RN2582,
title = {The regulation of digital Technologies in the EU: The law-making phenomena of “act-ification”, “GDPR mimesis” and “EU law brutality”},
author = {Vagelis Papakonstantinou and Paul De Hert},
url = {https://techreg.org/article/view/11459, Publisher's website
https://vpapakonstantinou.com/wp-content/uploads/2025/10/TechReg2022.005-PapakonstantinouDeHert.pdf, Open access PDF},
doi = {https://doi.org/10.71265/2hvw3h73},
year = {2022},
date = {2022-01-01},
urldate = {2022-01-01},
journal = {Technology and Regulation},
volume = {2022},
pages = {48–60},
abstract = {EU regulatory initiatives on technology-related topics has spiked over the past few years. On the basis of its Priorities Programme 2019-2024, while creating “Europe fit for the Digital Age”, the EU Commission has been busy releasing new texts aimed at regulating a number of technology topics, including, among others, data uses, online platforms, cybersecurity, or artificial intelligence. This paper identifies three basic phenomena common to all, or most, EU new technology-relevant regulatory initiatives, namely (a) “act-ification”, (b) “GDPR mimesis”, and (c) “regulatory brutality”. These phenomena divulge new-found confidence on the part of the EU technology legislator, who has by now asserted for itself the right to form policy options and create new rules in the field for all of Europe. These three phenomena serve as indicators or early signs of a new European technology law-making paradigm that by now seems ready to emerge.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
EU regulatory initiatives on technology-related topics has spiked over the past few years. On the basis of its Priorities Programme 2019-2024, while creating “Europe fit for the Digital Age”, the EU Commission has been busy releasing new texts aimed at regulating a number of technology topics, including, among others, data uses, online platforms, cybersecurity, or artificial intelligence. This paper identifies three basic phenomena common to all, or most, EU new technology-relevant regulatory initiatives, namely (a) “act-ification”, (b) “GDPR mimesis”, and (c) “regulatory brutality”. These phenomena divulge new-found confidence on the part of the EU technology legislator, who has by now asserted for itself the right to form policy options and create new rules in the field for all of Europe. These three phenomena serve as indicators or early signs of a new European technology law-making paradigm that by now seems ready to emerge.
Hert, Paul De; Papakonstantinou, Vagelis
In: Computer Law & Security Review, vol. 40, pp. 1–12, 2021, ISSN: 2212-473X.
@article{RN3432,
title = {Framing Big Data in the Council of Europe and the EU data protection law systems: Adding ‘should’ to ‘must’ via soft law to address more than only individual harms},
author = {Paul De Hert and Vagelis Papakonstantinou},
url = {https://www.sciencedirect.com/science/article/pii/S0267364920301011
https://vpapakonstantinou.com/wp-content/uploads/2025/10/De-Hert-2021-Framing-Big-Data-in-the-Council-o.pdf, Accepted manuscript PDF},
doi = {https://doi.org/10.1016/j.clsr.2020.105496},
issn = {2212-473X},
year = {2021},
date = {2021-01-01},
urldate = {2021-01-01},
journal = {Computer Law & Security Review},
volume = {40},
pages = {1–12},
abstract = {On 19 November 2019 the Council of Europe hosted an international conference, immediately preceding the annual plenary meeting of its Committee of Convention 108, on “Convention 108+ and the future data protection global standard”. One of the authors made a presentation on “Comparing the EU and Council of Europe approach to Big Data”, and it is its contents and findings that are further elaborated in this paper; Its aim is, in essence, to incorporate the feedback received and to adapt past research on Big Data, that was mostly relevant to the EU, also on the Council of Europe data protection system. After a few preliminary remarks on Big Data terminology and possible regulatory approaches, Big Data regulation is examined against the EU and the Council of Europe data protection systems. Particular emphasis is given to the Council of Europe regulatory approach both in terms of Convention 108+ and with regard to its Guidelines on Big Data and AI. The authors believe that, because both the EU and the Council of Europe have avoided to refer to Big Data in their basic data protection regulatory texts (a most likely intentional omission), guidance is indeed needed, and it may well come in the form of soft law. The Council of Europe has taken the lead in this through its Guidelines; Their timely, comprehensive and balanced approach showcases the Council's will for such processing to indeed take place, but within a well-regulated environment, albeit not under a rigid regulatory construction.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
On 19 November 2019 the Council of Europe hosted an international conference, immediately preceding the annual plenary meeting of its Committee of Convention 108, on “Convention 108+ and the future data protection global standard”. One of the authors made a presentation on “Comparing the EU and Council of Europe approach to Big Data”, and it is its contents and findings that are further elaborated in this paper; Its aim is, in essence, to incorporate the feedback received and to adapt past research on Big Data, that was mostly relevant to the EU, also on the Council of Europe data protection system. After a few preliminary remarks on Big Data terminology and possible regulatory approaches, Big Data regulation is examined against the EU and the Council of Europe data protection systems. Particular emphasis is given to the Council of Europe regulatory approach both in terms of Convention 108+ and with regard to its Guidelines on Big Data and AI. The authors believe that, because both the EU and the Council of Europe have avoided to refer to Big Data in their basic data protection regulatory texts (a most likely intentional omission), guidance is indeed needed, and it may well come in the form of soft law. The Council of Europe has taken the lead in this through its Guidelines; Their timely, comprehensive and balanced approach showcases the Council's will for such processing to indeed take place, but within a well-regulated environment, albeit not under a rigid regulatory construction.
Markopoulou, Dimitra; Papakonstantinou, Vagelis
Digitalisation of water services and the water sector cyber threat landscape: Is the EU regulatory framework adequate? Journal Article
In: Journal of Water Law, vol. 27, no. 4, pp. 119–133, 2021.
@article{RN3430,
title = {Digitalisation of water services and the water sector cyber threat landscape: Is the EU regulatory framework adequate?},
author = {Dimitra Markopoulou and Vagelis Papakonstantinou},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/Markopoulou-2021-Digitalisation-of-Water-Servi.pdf, Accepted manuscript PDF},
year = {2021},
date = {2021-01-01},
urldate = {2021-01-01},
journal = {Journal of Water Law},
volume = {27},
number = {4},
pages = {119–133},
abstract = {Like other sectors, the water sector has increased its dependence on information and communications technology (ICT) to improve its service, sustainability and affordability, but this also makes it increasingly vulnerable to malicious cyberattacks or accidental cyber incidents. Water sector entities are also responsible for processing and protecting personal information, including employees’ records and customers’ billing data. While the current EU regulatory framework on water management has undergone considerable reform, it does not deal with the protection of water facilities against cyber risks. And although both EU cybersecurity policy, including the protection regime for critical infrastructures, and the General Data Protection Regulation are fully applicable to water entities, the new digitalised water landscape calls for a shift in approach in order to create a more cyber resilient water sector.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Like other sectors, the water sector has increased its dependence on information and communications technology (ICT) to improve its service, sustainability and affordability, but this also makes it increasingly vulnerable to malicious cyberattacks or accidental cyber incidents. Water sector entities are also responsible for processing and protecting personal information, including employees’ records and customers’ billing data. While the current EU regulatory framework on water management has undergone considerable reform, it does not deal with the protection of water facilities against cyber risks. And although both EU cybersecurity policy, including the protection regime for critical infrastructures, and the General Data Protection Regulation are fully applicable to water entities, the new digitalised water landscape calls for a shift in approach in order to create a more cyber resilient water sector.
Markopoulou, Dimitra; Papakonstantinou, Vagelis
In: Computer Law & Security Review, vol. 41, pp. 1–12, 2021, ISSN: 2212-473X.
@article{RN3431,
title = {The regulatory framework for the protection of critical infrastructures against cyberthreats: Identifying shortcomings and addressing future challenges: The case of the health sector in particular},
author = {Dimitra Markopoulou and Vagelis Papakonstantinou},
url = {https://www.sciencedirect.com/science/article/pii/S0267364920301072
https://vpapakonstantinou.com/wp-content/uploads/2025/10/1-s2.0-S0267364920301072-main-1.pdf, Open access PDF},
doi = {https://doi.org/10.1016/j.clsr.2020.105502},
issn = {2212-473X},
year = {2021},
date = {2021-01-01},
urldate = {2021-01-01},
journal = {Computer Law & Security Review},
volume = {41},
pages = {1–12},
abstract = {The concept of “Critical Infrastructures” is constantly evolving in order to reflect current concerns and to respond to new challenges, especially in terms of (cyber)security and resilience. Protection of critical infrastructures against numerous threats has therefore developed into a high priority at national and EU level. During the last two decades a new type of threat has prevailed in the Critical Infrastructure threat landscape, that of cyberattacks; Protection against them is the primary focus of this paper. In order to do so the analysis first aims to drop some light into the differences between Critical Infrastructures and Critical Information Infrastructures, terms that are often confused, and to indicate possible inadequacies in the applicable protection regulatory regime. Finally, the health sector has been chosen as a sector-specific case in an effort to demonstrate how protection of a Critical Infrastructure, challenged as it has been with a constantly increasing number of cyber incidents, could be sufficiently protected in the new digitalised era.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
The concept of “Critical Infrastructures” is constantly evolving in order to reflect current concerns and to respond to new challenges, especially in terms of (cyber)security and resilience. Protection of critical infrastructures against numerous threats has therefore developed into a high priority at national and EU level. During the last two decades a new type of threat has prevailed in the Critical Infrastructure threat landscape, that of cyberattacks; Protection against them is the primary focus of this paper. In order to do so the analysis first aims to drop some light into the differences between Critical Infrastructures and Critical Information Infrastructures, terms that are often confused, and to indicate possible inadequacies in the applicable protection regulatory regime. Finally, the health sector has been chosen as a sector-specific case in an effort to demonstrate how protection of a Critical Infrastructure, challenged as it has been with a constantly increasing number of cyber incidents, could be sufficiently protected in the new digitalised era.
Papakonstantinou, Vagelis
The act-ification of EU law: The (long-overdue) move towards eponymous EU legislation Journal Article
In: European Law Blog, 2021.
@article{RN3403,
title = {The act-ification of EU law: The (long-overdue) move towards eponymous EU legislation},
author = {Vagelis Papakonstantinou},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/8mfrv39cwll37ljnlt2ze52ak8ylwx1o.pdf, Publisher's website (blog post) PDF},
doi = {10.21428/9885764c.023eb33c},
year = {2021},
date = {2021-01-01},
urldate = {2021-01-01},
journal = {European Law Blog},
abstract = {The recent release by the Commission of the draft Digital Services Act and the Digital Markets Act may have attracted significant attention from stakeholders for their substance. However, this contribution is not about the content but the titles of these acts. In the author’s opinion, these two instruments are the latest addition to an emerging trend among the EU law-makers to release, “acts” or at least “eponymous” pieces of legislation. This trend shall be referred to here as “act-ification” of EU law. This trend is to be welcomed in that it signifies a new confidence and self-assuredness of EU law. After more than half a century since it came into life, EU law now seems to feel confident enough to release “acts” or, at any event, eponymous pieces of legislation, immediately recognizable by Europeans.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
The recent release by the Commission of the draft Digital Services Act and the Digital Markets Act may have attracted significant attention from stakeholders for their substance. However, this contribution is not about the content but the titles of these acts. In the author’s opinion, these two instruments are the latest addition to an emerging trend among the EU law-makers to release, “acts” or at least “eponymous” pieces of legislation. This trend shall be referred to here as “act-ification” of EU law. This trend is to be welcomed in that it signifies a new confidence and self-assuredness of EU law. After more than half a century since it came into life, EU law now seems to feel confident enough to release “acts” or, at any event, eponymous pieces of legislation, immediately recognizable by Europeans.
Papakonstantinou, Vagelis; Hert, Paul De
Post GDPR EU laws and their GDPR mimesis. DGA, DSA, DMA and the EU regulation of AI Journal Article
In: European Law Blog, 2021.
@article{RN3404,
title = {Post GDPR EU laws and their GDPR mimesis. DGA, DSA, DMA and the EU regulation of AI},
author = {Vagelis Papakonstantinou and Paul De Hert},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/5ay5hl9m7dijrnms1xguni6hsna3yrb9.pdf, Publisher's website (blog post) PDF},
doi = {10.21428/9885764c.d17ee622},
year = {2021},
date = {2021-01-01},
urldate = {2021-01-01},
journal = {European Law Blog},
abstract = {EU regulatory work on technology-related fronts has recently spiked. The EU has been extremely busy implementing its European Digital Strategy. Over a short period it has released a draft Digital Governance Act (DGA), a Digital Services Act (DSA), a Digital Markets Act (DMA), while also working on its proposal for AI Regulation. This recent battery of EU acts to regulate technology has provoked our comment, on this blog, on EU law “act-ification”. Now, instead of focusing on the title of these initiatives, we wish to turn our attention to their content, in order to identify a second phenomenon: GDPR mimesis.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
EU regulatory work on technology-related fronts has recently spiked. The EU has been extremely busy implementing its European Digital Strategy. Over a short period it has released a draft Digital Governance Act (DGA), a Digital Services Act (DSA), a Digital Markets Act (DMA), while also working on its proposal for AI Regulation. This recent battery of EU acts to regulate technology has provoked our comment, on this blog, on EU law “act-ification”. Now, instead of focusing on the title of these initiatives, we wish to turn our attention to their content, in order to identify a second phenomenon: GDPR mimesis.
Papakonstantinou, Vagelis; Hert, Paul De
EU lawmaking in the Artificial Intelligent Age: Act-ification, GDPR mimesis, and regulatory brutality Journal Article
In: European Law Blog, 2021.
@article{RN3405,
title = {EU lawmaking in the Artificial Intelligent Age: Act-ification, GDPR mimesis, and regulatory brutality},
author = {Vagelis Papakonstantinou and Paul De Hert},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/1z2i53yr4xbtvfx94h4bn1i5fsncw41o.pdf, Publisher's website (blog post) PDF},
doi = {https://doi.org/10.21428/9885764c.97e04105},
year = {2021},
date = {2021-01-01},
urldate = {2021-01-01},
journal = {European Law Blog},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Dumortier, Franck; Hert, Paul De; Papakonstantinou, Vagelis
EU sanctions against cyber-attacks and defense rights: Wanna Cry? Journal Article
In: European Law Blog, 2020.
@article{RN3406,
title = {EU sanctions against cyber-attacks and defense rights: Wanna Cry?},
author = {Franck Dumortier and Paul De Hert and Vagelis Papakonstantinou},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/39x9uf3bc7aw8e0qebo7u23ienxki1cg-1.pdf, Publisher's website (blog post) PDF},
doi = {https://doi.org/10.21428/9885764c.e38a5afe},
year = {2020},
date = {2020-01-01},
urldate = {2020-01-01},
journal = {European Law Blog},
abstract = {On July 30th 2020, within the framework of the Common Foreign and Security Policy (CFSP), the Council of the European Union has imposed its first ever “targeted restrictive measures” against six Chinese and Russian individuals as well as three legal entities – two located in the aforementioned countries and one in North Korea – for their involvement in significant cyber-attacks or attempted cyber-attacks against the EU or its Member States. These include cyber-attacks known as ‘WannaCry’, ‘NotPetya’, and ‘Operation Cloud Hopper’ and the attempted cyber-attack against the OPCW (Organisation for the Prohibition of Chemical Weapons).},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
On July 30th 2020, within the framework of the Common Foreign and Security Policy (CFSP), the Council of the European Union has imposed its first ever “targeted restrictive measures” against six Chinese and Russian individuals as well as three legal entities – two located in the aforementioned countries and one in North Korea – for their involvement in significant cyber-attacks or attempted cyber-attacks against the EU or its Member States. These include cyber-attacks known as ‘WannaCry’, ‘NotPetya’, and ‘Operation Cloud Hopper’ and the attempted cyber-attack against the OPCW (Organisation for the Prohibition of Chemical Weapons).
Papakonstantinou, Vagelis; Hert, Paul De
In: Computer Law & Security Review, vol. 36, 2020, ISSN: 2212-473X.
@article{RN3433,
title = {Big data analytics in electronic communications: A reality in need of granular regulation (even if this includes an interim period of no regulation at all)},
author = {Vagelis Papakonstantinou and Paul De Hert},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/7f2cbfcf-a5e3-4ebd-b11d-118d30e6de1a.pdf, Accepted manuscript PDF},
doi = {https://doi.org/10.1016/j.clsr.2020.105502},
issn = {2212-473X},
year = {2020},
date = {2020-01-01},
urldate = {2020-01-01},
journal = {Computer Law & Security Review},
volume = {36},
abstract = {Over the past few years big data analytics have forcefully entered the mainstream. Admit-
tedly,modern life would be inconceivable without the services afforded by this type of pro-
cessing in the field of electronic communications.At the same time public administrations
are increasingly discovering the benefits of big data analytics afforded to them by telecom-
munications operators. Nevertheless, despite public attention and high volumes of expert
analyses, the majority of approaches on the challenges to personal data protection by this
type of data processing remains theoretical; Tellingly,the EDPS speaks of the “black box”of
big data analytics. However, the authors were able to open, and stare into, the “black box”
of big data analytics in the electronic communications field in 2017 and 2018 in the context
of GDPR compliance assessments.Their analysis first attempts to set the legal scene today,
answering two crucial questions on scope and applicable law, before presenting a typology
for a scalable and granular approach that the authors feel is necessary but nevertheless
is missing from the text of the draft ePrivacy Regulation. The authors therefore conclude
that processing requirements and particularities,as evidenced under the big data analytics
paradigm, make necessary a much more detailed approach than the one afforded by the
draft ePrivacy Regulation today. Until these needs are met, through the introduction of a
new, fundamentally amended text, the authors suggest that the current regulatory frame-
work and the mechanisms afforded by it be extended for an interim period, so as to afford
legislators with the necessary space and time to revise their work.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Over the past few years big data analytics have forcefully entered the mainstream. Admit-
tedly,modern life would be inconceivable without the services afforded by this type of pro-
cessing in the field of electronic communications.At the same time public administrations
are increasingly discovering the benefits of big data analytics afforded to them by telecom-
munications operators. Nevertheless, despite public attention and high volumes of expert
analyses, the majority of approaches on the challenges to personal data protection by this
type of data processing remains theoretical; Tellingly,the EDPS speaks of the “black box”of
big data analytics. However, the authors were able to open, and stare into, the “black box”
of big data analytics in the electronic communications field in 2017 and 2018 in the context
of GDPR compliance assessments.Their analysis first attempts to set the legal scene today,
answering two crucial questions on scope and applicable law, before presenting a typology
for a scalable and granular approach that the authors feel is necessary but nevertheless
is missing from the text of the draft ePrivacy Regulation. The authors therefore conclude
that processing requirements and particularities,as evidenced under the big data analytics
paradigm, make necessary a much more detailed approach than the one afforded by the
draft ePrivacy Regulation today. Until these needs are met, through the introduction of a
new, fundamentally amended text, the authors suggest that the current regulatory frame-
work and the mechanisms afforded by it be extended for an interim period, so as to afford
legislators with the necessary space and time to revise their work.
tedly,modern life would be inconceivable without the services afforded by this type of pro-
cessing in the field of electronic communications.At the same time public administrations
are increasingly discovering the benefits of big data analytics afforded to them by telecom-
munications operators. Nevertheless, despite public attention and high volumes of expert
analyses, the majority of approaches on the challenges to personal data protection by this
type of data processing remains theoretical; Tellingly,the EDPS speaks of the “black box”of
big data analytics. However, the authors were able to open, and stare into, the “black box”
of big data analytics in the electronic communications field in 2017 and 2018 in the context
of GDPR compliance assessments.Their analysis first attempts to set the legal scene today,
answering two crucial questions on scope and applicable law, before presenting a typology
for a scalable and granular approach that the authors feel is necessary but nevertheless
is missing from the text of the draft ePrivacy Regulation. The authors therefore conclude
that processing requirements and particularities,as evidenced under the big data analytics
paradigm, make necessary a much more detailed approach than the one afforded by the
draft ePrivacy Regulation today. Until these needs are met, through the introduction of a
new, fundamentally amended text, the authors suggest that the current regulatory frame-
work and the mechanisms afforded by it be extended for an interim period, so as to afford
legislators with the necessary space and time to revise their work.
Hert, Paul De; Papakonstantinou, Vagelis
Data protection and the EPPO Journal Article
In: New Journal of European Criminal Law, vol. 10, no. 1, pp. 34–43, 2019, (Open Access).
@article{RN2676,
title = {Data protection and the EPPO},
author = {Paul De Hert and Vagelis Papakonstantinou},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/De-Hert-2019-Data-Protection-and-the-EPPO-1.pdf, Accepted manuscript PDF},
doi = {https://doi.org/10.1177/2032284419837381},
year = {2019},
date = {2019-01-01},
urldate = {2019-01-01},
journal = {New Journal of European Criminal Law},
volume = {10},
number = {1},
pages = {34–43},
abstract = {The European Public Prosecutor’s Office (the ‘EPPO’) necessarily processes personal data in order to fulfil its mission; As such, it falls squarely within the European Union (EU) data protection regulatory landscape. However, because the EU data protection regulatory landscape itself is currently found at a crossroads, an analysis of the EPPO data protection model may be twofold: First, placing it within the proper cross-organization dialogue currently taking place on the future regulatory model of personal data processing for law enforcement purposes carried out at EU level. Second, at an EPPO-specific level, whereby the actual data protection regime afforded to it may be assessed. This article purports to elaborate upon the above two data protection dimensions of EPPO personal data processing activities: It presents considerations and policy options during the lawmaking period that resulted in the establishment of the EPPO, it analyses the data protection regime ultimately awarded to it and attempts to, critically, place the EPPO data protection model within its proper operational and legislative environment.},
note = {Open Access},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
The European Public Prosecutor’s Office (the ‘EPPO’) necessarily processes personal data in order to fulfil its mission; As such, it falls squarely within the European Union (EU) data protection regulatory landscape. However, because the EU data protection regulatory landscape itself is currently found at a crossroads, an analysis of the EPPO data protection model may be twofold: First, placing it within the proper cross-organization dialogue currently taking place on the future regulatory model of personal data processing for law enforcement purposes carried out at EU level. Second, at an EPPO-specific level, whereby the actual data protection regime afforded to it may be assessed. This article purports to elaborate upon the above two data protection dimensions of EPPO personal data processing activities: It presents considerations and policy options during the lawmaking period that resulted in the establishment of the EPPO, it analyses the data protection regime ultimately awarded to it and attempts to, critically, place the EPPO data protection model within its proper operational and legislative environment.
Markopoulou, Dimitra; Papakonstantinou, Vagelis; Hert, Paul
The new EU cybersecurity framework: The NIS Directive, ENISA's role and the General Data Protection Regulation Journal Article
In: Computer Law & Security Review, vol. 35, no. 6, 2019, ISSN: 2212-473X.
@article{RN3435,
title = {The new EU cybersecurity framework: The NIS Directive, ENISA's role and the General Data Protection Regulation},
author = {Dimitra Markopoulou and Vagelis Papakonstantinou and Paul Hert},
url = {https://www.sciencedirect.com/science/article/pii/S0267364919300512,
https://vpapakonstantinou.com/wp-content/uploads/2025/10/1-s2.0-S0267364919300512-main-1.pdf, Open access PDF},
doi = {https://doi.org/10.1016/j.clsr.2019.06.007},
issn = {2212-473X},
year = {2019},
date = {2019-01-01},
urldate = {2019-01-01},
journal = {Computer Law & Security Review},
volume = {35},
number = {6},
abstract = {The NIS Directive is the first horizontal legislation undertaken at EU level for the protection of network and information systems across the Union. During the last decades e-services, new technologies, information systems and networks have become embedded in our daily lives. It is by now common knowledge that deliberate incidents causing disruption of IT services and critical infrastructures constitute a serious threat to their operation and consequently to the functioning of the Internal Market and the Union. This paper first discusses the Directive's addressees particularly with regard to their compliance obligations as well as Member States’ obligations as regards their respective national strategies and cooperation at EU level. Subsequently, the critical role of ENISA in implementing the Directive, as reinforced by the proposal for a new Regulation on ENISA (the EU Cybersecurity Act), is brought forward, before elaborating upon the, inevitable, relationship of the NIS Directive with EU's General Data Protection Regulation.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
The NIS Directive is the first horizontal legislation undertaken at EU level for the protection of network and information systems across the Union. During the last decades e-services, new technologies, information systems and networks have become embedded in our daily lives. It is by now common knowledge that deliberate incidents causing disruption of IT services and critical infrastructures constitute a serious threat to their operation and consequently to the functioning of the Internal Market and the Union. This paper first discusses the Directive's addressees particularly with regard to their compliance obligations as well as Member States’ obligations as regards their respective national strategies and cooperation at EU level. Subsequently, the critical role of ENISA in implementing the Directive, as reinforced by the proposal for a new Regulation on ENISA (the EU Cybersecurity Act), is brought forward, before elaborating upon the, inevitable, relationship of the NIS Directive with EU's General Data Protection Regulation.
Hert, Paul De; Papakonstantinou, Vagelis; Malgieri, Gianclaudio; Beslay, Laurent; Sanchez, Ignacio
The right to data portability in the GDPR: Towards user-centric interoperability of digital services Journal Article
In: Computer Law & Security Review, vol. 34, no. 2, pp. 193–203, 2018, (Open Access).
@article{RN3315,
title = {The right to data portability in the GDPR: Towards user-centric interoperability of digital services},
author = {Paul De Hert and Vagelis Papakonstantinou and Gianclaudio Malgieri and Laurent Beslay and Ignacio Sanchez},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/1-s2.0-S0267364917303333-main.pdf, Open access PDF},
doi = {https://doi.org/10.1016/j.clsr.2017.10.003},
year = {2018},
date = {2018-01-01},
urldate = {2018-01-01},
journal = {Computer Law & Security Review},
volume = {34},
number = {2},
pages = {193–203},
note = {Open Access},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Papakonstantinou, Vagelis; Hert, Paul De
Structuring modern life running on software. Recognizing (some) computer programs as new “digital persons” Journal Article
In: Computer Law & Security Review, vol. 34, no. 4, pp. 732–738, 2018, ISSN: 2212-473X.
@article{RN3436,
title = {Structuring modern life running on software. Recognizing (some) computer programs as new “digital persons”},
author = {Vagelis Papakonstantinou and Paul De Hert},
url = {https://www.sciencedirect.com/science/article/pii/S0267364918302309
https://vpapakonstantinou.com/wp-content/uploads/2025/10/Papakonstantino-2018-Structuring-modern-life-r.pdf, Accepted manuscript PDF},
doi = {https://doi.org/10.1016/j.clsr.2018.05.032},
issn = {2212-473X},
year = {2018},
date = {2018-01-01},
urldate = {2018-01-01},
journal = {Computer Law & Security Review},
volume = {34},
number = {4},
pages = {732–738},
abstract = {Saudi Arabia grants nationality to an AI robot; the first “clash of robots” took place in Japan; and, Bill Gates suggests that robots start paying taxes. We believe that these developments justify new legal fiction interventions. Software has long now exceeded the intellectual property boundaries. It is no longer merely property; it has assumed life of its own. It does not matter that such life is imaginary today. Legal persons were brought to life through legal fiction intervention that was based on much less motivation – merely the human incentive for profit. Software is certainly connected today with profit, given that the world's most valued corporations are software companies. However, it has moved much further than that, to assume in many ways artificial life of its own. We think that it is time that the dichotomy between natural and legal persons, that has served humanity so well over the past centuries, now be trisected: A new, digital person, ought to be added to it.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Saudi Arabia grants nationality to an AI robot; the first “clash of robots” took place in Japan; and, Bill Gates suggests that robots start paying taxes. We believe that these developments justify new legal fiction interventions. Software has long now exceeded the intellectual property boundaries. It is no longer merely property; it has assumed life of its own. It does not matter that such life is imaginary today. Legal persons were brought to life through legal fiction intervention that was based on much less motivation – merely the human incentive for profit. Software is certainly connected today with profit, given that the world's most valued corporations are software companies. However, it has moved much further than that, to assume in many ways artificial life of its own. We think that it is time that the dichotomy between natural and legal persons, that has served humanity so well over the past centuries, now be trisected: A new, digital person, ought to be added to it.
Hert, Paul De; Papakonstantinou, Vagelis
The rich UK contribution to the field of EU data protection: Let's not go for “third country” status after Brexit Journal Article
In: Computer Law & Security Review, vol. 33, no. 3, pp. 354–360, 2017, ISSN: 2212-473X.
@article{RN3437,
title = {The rich UK contribution to the field of EU data protection: Let's not go for “third country” status after Brexit},
author = {Paul De Hert and Vagelis Papakonstantinou},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/b51db6f7-5ffd-4b34-b602-1d9fdf53f301-1.pdf, Accepted manuscript PDF},
doi = {https://dx.doi.org/10.1016/j.clsr.2017.03.008},
issn = {2212-473X},
year = {2017},
date = {2017-01-01},
urldate = {2017-01-01},
journal = {Computer Law & Security Review},
volume = {33},
number = {3},
pages = {354–360},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Hert, Paul De; Papakonstantinou, Vagelis
The new General Data Protection Regulation: Still a sound system for the protection of individuals? Journal Article
In: Computer Law & Security Review, vol. 32, no. 2, pp. 179–194, 2016, ISSN: 0267-3649.
@article{RN1934,
title = {The new General Data Protection Regulation: Still a sound system for the protection of individuals?},
author = {Paul De Hert and Vagelis Papakonstantinou},
url = {http://www.sciencedirect.com/science/article/pii/S0267364916300346
https://vpapakonstantinou.com/wp-content/uploads/2025/10/De-Hert-2016-The-new-General-Data-Protection-R.pdf, Accepted manuscript PDF},
doi = {https://doi.org/10.1016/j.clsr.2016.02.006},
issn = {0267-3649},
year = {2016},
date = {2016-01-01},
urldate = {2016-01-01},
journal = {Computer Law & Security Review},
volume = {32},
number = {2},
pages = {179–194},
abstract = {The five-year wait is finally over; a few days before expiration of 2015 the “trilogue” that had started a few months earlier between the Commission, the Council and the Parliament suddenly bore fruit and the EU data protection reform package has finally been concluded. As planned since the beginning of this effort a Regulation, the General Data Protection Regulation is going to replace the 1995 Directive and a Directive, the Police and Criminal Justice Data Protection Directive, the 2008 Data Protection Framework Decision. In this way a long process that started as early as in 2009, peaked in early 2012, and required another three years to pass through the Parliament's and the Council's scrutiny is finished. Whether this reform package and its end-result is cause to celebrate or to lament depends on the perspective, the interests and the expectations of the beholder. Four years ago we published an article in this journal under the title “The proposed data protection Regulation replacing Directive 95/46/EC: A sound system for the protection of individuals”. This paper essentially constitutes a continuation of that article: now that the General Data Protection Regulation's final provisions are at hand it is possible to present differences with the first draft prepared by the Commission, to discuss the issues raised through its law-making passage over the past few years, and to attempt to assess the effectiveness of its final provisions in relation to their declared purposes.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
The five-year wait is finally over; a few days before expiration of 2015 the “trilogue” that had started a few months earlier between the Commission, the Council and the Parliament suddenly bore fruit and the EU data protection reform package has finally been concluded. As planned since the beginning of this effort a Regulation, the General Data Protection Regulation is going to replace the 1995 Directive and a Directive, the Police and Criminal Justice Data Protection Directive, the 2008 Data Protection Framework Decision. In this way a long process that started as early as in 2009, peaked in early 2012, and required another three years to pass through the Parliament's and the Council's scrutiny is finished. Whether this reform package and its end-result is cause to celebrate or to lament depends on the perspective, the interests and the expectations of the beholder. Four years ago we published an article in this journal under the title “The proposed data protection Regulation replacing Directive 95/46/EC: A sound system for the protection of individuals”. This paper essentially constitutes a continuation of that article: now that the General Data Protection Regulation's final provisions are at hand it is possible to present differences with the first draft prepared by the Commission, to discuss the issues raised through its law-making passage over the past few years, and to attempt to assess the effectiveness of its final provisions in relation to their declared purposes.
Hert, Paul De; Papakonstantinou, Vagelis
The new Police and Criminal Justice Data Protection Directive: A first analysis Journal Article
In: New Journal of European Criminal Law, vol. 7, no. 1, pp. 7–19, 2016.
@article{RN2677,
title = {The new Police and Criminal Justice Data Protection Directive: A first analysis},
author = {Paul De Hert and Vagelis Papakonstantinou},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/de-Hert-2016-The-New-Police-and-Criminal-Justi-2.pdf, Accepted manuscript PDF},
doi = {https://doi.org/10.1177/203228441600700102},
year = {2016},
date = {2016-01-01},
urldate = {2016-01-01},
journal = {New Journal of European Criminal Law},
volume = {7},
number = {1},
pages = {7–19},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Hert, Paul De; Papakonstantinou, Vagelis; Kamara, Irene
The cloud computing standard ISO/IEC 27018 through the lens of the EU legislation on data protection Journal Article
In: Computer Law & Security Review, vol. 32, no. 1, pp. 16–30, 2016, ISSN: 2212-473X.
@article{RN3439,
title = {The cloud computing standard ISO/IEC 27018 through the lens of the EU legislation on data protection},
author = {Paul De Hert and Vagelis Papakonstantinou and Irene Kamara},
url = {https://www.sciencedirect.com/science/article/pii/S0267364915001703
https://vpapakonstantinou.com/wp-content/uploads/2025/10/De-Hert-2016-The-cloud-computing-standard-ISO_.pdf, Accepted manuscript PDF},
doi = {https://doi.org/10.1016/j.clsr.2015.12.005},
issn = {2212-473X},
year = {2016},
date = {2016-01-01},
urldate = {2016-01-01},
journal = {Computer Law & Security Review},
volume = {32},
number = {1},
pages = {16–30},
abstract = {In July 2014 ISO and IEC published a standard relating to public cloud computing and data protection. The standard aims to address the down-sides of cloud computing and the concerns of the cloud clients, mainly the lack of trust and transparency, by developing controls and recommendations for cloud service providers acting as PII processors. At the same time, the standard aims to assist providers to demonstrate transparency and accountability in the handling of data and information in the cloud. This paper looks briefly at the data protection and security challenges of cloud computing. It discusses the provisions and added value of the standard in the context of the European data protection legislation and also looks at the uptake of the standard one year after its publication.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
In July 2014 ISO and IEC published a standard relating to public cloud computing and data protection. The standard aims to address the down-sides of cloud computing and the concerns of the cloud clients, mainly the lack of trust and transparency, by developing controls and recommendations for cloud service providers acting as PII processors. At the same time, the standard aims to assist providers to demonstrate transparency and accountability in the handling of data and information in the cloud. This paper looks briefly at the data protection and security challenges of cloud computing. It discusses the provisions and added value of the standard in the context of the European data protection legislation and also looks at the uptake of the standard one year after its publication.
Rodrigues, Rowena; Barnard-Wills, David; Hert, Paul De; Papakonstantinou, Vagelis
The future of privacy certification in Europe: An exploration of options under article 42 of the GDPR Journal Article
In: International Review of Law, Computers & Technology, vol. 30, no. 3, pp. 248–270, 2016, ISSN: 1360-0869, (doi: 10.1080/13600869.2016.1189737).
@article{RN3438,
title = {The future of privacy certification in Europe: An exploration of options under article 42 of the GDPR},
author = {Rowena Rodrigues and David Barnard-Wills and Paul De Hert and Vagelis Papakonstantinou},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/Rodrigues-2016-The-future-of-privacy-certifica-2.pdf, Accepted manuscript PDF},
doi = {https://doi.org/10.1080/13600869.2016.1189737},
issn = {1360-0869},
year = {2016},
date = {2016-01-01},
urldate = {2016-01-01},
journal = {International Review of Law, Computers & Technology},
volume = {30},
number = {3},
pages = {248–270},
abstract = {The EU faces substantive legislative reform in data protection, specifically in the form of the General Data Protection Regulation (GDPR). One of the new elements in the GDPR is its call to establish data protection certification mechanisms, data protection seals and marks to help enhance transparency and compliance with the Regulation and allow data subjects to quickly assess the level of data protection of relevant products and services. To this effect, it is necessary to review privacy and data protection seals afresh and determine how data protection certification mechanisms, seals or marks might work given the role they will be called to play, particularly in Europe, in facilitating data protection. This article reviews the current state of play of privacy seals, the EU policy and regulatory thrusts for privacy and data protection certification, and the GDPR provisions on certification of the processing of personal data. The GDPR leaves substantial room for various options on data protection certification, which might play out in various ways, some of which are explored in this article.},
note = {doi: 10.1080/13600869.2016.1189737},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
The EU faces substantive legislative reform in data protection, specifically in the form of the General Data Protection Regulation (GDPR). One of the new elements in the GDPR is its call to establish data protection certification mechanisms, data protection seals and marks to help enhance transparency and compliance with the Regulation and allow data subjects to quickly assess the level of data protection of relevant products and services. To this effect, it is necessary to review privacy and data protection seals afresh and determine how data protection certification mechanisms, seals or marks might work given the role they will be called to play, particularly in Europe, in facilitating data protection. This article reviews the current state of play of privacy seals, the EU policy and regulatory thrusts for privacy and data protection certification, and the GDPR provisions on certification of the processing of personal data. The GDPR leaves substantial room for various options on data protection certification, which might play out in various ways, some of which are explored in this article.
Hert, Paul De; Papakonstantinou, Vagelis
In: New Journal of European Criminal Law, vol. 6, no. 2, pp. 160–165, 2015, ISSN: 2032-2844.
@article{RN3440,
title = {Repeating the mistakes of the past will do little good for air passengers in the EU: The comeback of the EU PNR Directive and a lawyer's duty to regulate profiling},
author = {Paul De Hert and Vagelis Papakonstantinou},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/De-Hert-2015-Repeating-the-Mistakes-of-the-Pas.pdf, Accepted manuscript PDF},
doi = {https://doi.org/10.1177/203228441500600201},
issn = {2032-2844},
year = {2015},
date = {2015-01-01},
urldate = {2015-01-01},
journal = {New Journal of European Criminal Law},
volume = {6},
number = {2},
pages = {160–165},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Hert, Paul De; Papakonstantinou, Vagelis
Google Spain: Addressing critiques and misunderstandings one year later Journal Article
In: Maastricht Journal of European and Comparative Law, vol. 22, no. 4, pp. 624–638, 2015.
@article{RN3441,
title = {Google Spain: Addressing critiques and misunderstandings one year later},
author = {Paul De Hert and Vagelis Papakonstantinou},
url = {https://journals.sagepub.com/doi/abs/10.1177/1023263X1502200409
https://vpapakonstantinou.com/wp-content/uploads/2025/10/De-Hert-2015-Google-Spain_-Addressing-critique-1.pdf, Accepted manuscript PDF},
doi = {https://doi.org/10.1177/1023263X1502200409},
year = {2015},
date = {2015-01-01},
urldate = {2015-01-01},
journal = {Maastricht Journal of European and Comparative Law},
volume = {22},
number = {4},
pages = {624–638},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Hert, Paul De; Papakonstantinou, Vagelis
The Council of Europe Data Protection Convention reform: Analysis of the new text and critical comment on its global ambition Journal Article
In: Computer Law & Security Review, vol. 30, no. 6, pp. 633–642, 2014, ISSN: 02673649.
@article{RN2150,
title = {The Council of Europe Data Protection Convention reform: Analysis of the new text and critical comment on its global ambition},
author = {Paul De Hert and Vagelis Papakonstantinou},
url = {https://linkinghub.elsevier.com/retrieve/pii/S0267364914001526
https://vpapakonstantinou.com/wp-content/uploads/2025/10/De-Hert-2014-The-Council-of-Europe-Data-Protec.pdf, Accepted manuscript PDF},
doi = {https://doi.org/10.1016/j.clsr.2014.09.002},
issn = {02673649},
year = {2014},
date = {2014-01-01},
urldate = {2014-01-01},
journal = {Computer Law & Security Review},
volume = {30},
number = {6},
pages = {633–642},
abstract = {The year 2010 set an important milestone in the development of data protection law in Europe: both Europe's basic regulatory texts, the EU Data Protection Directive and the Council's Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), were placed at an amendment process, having served individual data protection for many years and witnessed in the meantime technological developments that threatened to make their provisions obsolete. After briefly presenting Convention 108, the analysis that follows will highlight the Council's data protection system currently in effect as well as developments relating to the Convention's amendment so far with the aim of identifying improvements and shortcomings. While doing this two separate points of view shall be adopted: at first a micro point of view will attempt to identify improvements and shortcomings through an ‘insider’ perspective, that is, judging only the merits and difficulties of the draft text at hand. Afterwards a macroscopic view will be adopted, whereby strategic issues will be discussed pertaining to the important issue of the relationship of the suggested draft with the EU data protection system, as well as, the same draft's potential to constitute the next global information privacy standard.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
The year 2010 set an important milestone in the development of data protection law in Europe: both Europe's basic regulatory texts, the EU Data Protection Directive and the Council's Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), were placed at an amendment process, having served individual data protection for many years and witnessed in the meantime technological developments that threatened to make their provisions obsolete. After briefly presenting Convention 108, the analysis that follows will highlight the Council's data protection system currently in effect as well as developments relating to the Convention's amendment so far with the aim of identifying improvements and shortcomings. While doing this two separate points of view shall be adopted: at first a micro point of view will attempt to identify improvements and shortcomings through an ‘insider’ perspective, that is, judging only the merits and difficulties of the draft text at hand. Afterwards a macroscopic view will be adopted, whereby strategic issues will be discussed pertaining to the important issue of the relationship of the suggested draft with the EU data protection system, as well as, the same draft's potential to constitute the next global information privacy standard.
Hert, Paul De; Papakonstantinou, Vagelis
Three scenarios for international governance of data privacy: Towards an international data privacy organization, preferably a UN agency? Journal Article
In: I/S: A Journal of Law and Policy for the Information Society, vol. 9, no. 2, pp. 271–327, 2013.
@article{RN1567,
title = {Three scenarios for international governance of data privacy: Towards an international data privacy organization, preferably a UN agency?},
author = {Paul De Hert and Vagelis Papakonstantinou},
url = {https://litigation-essentials.lexisnexis.com/webcd/app?action=DocumentDisplay&crawlid=1&doctype=cite&docid=9+ISJLP+271&srctype=smi&srcid=3B15&key=0206606bfb84355920e4b493d7c9b2b7
https://vpapakonstantinou.com/wp-content/uploads/2025/10/ISJLP_V9N2_271-1.pdf, Open access PDF},
year = {2013},
date = {2013-01-01},
urldate = {2013-01-01},
journal = {I/S: A Journal of Law and Policy for the Information Society},
volume = {9},
number = {2},
pages = {271–327},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Hert, Paul De; Papakonstantinou, Vagelis; Wright, David; Gutwirth, Serge
The proposed Regulation and the construction of a principles-driven system for individual data protection Journal Article
In: Innovation: The European Journal of Social Science Research, vol. 26, no. 1-2, pp. 133–144, 2013, ISSN: 1351-1610 1469-8412.
@article{RN790,
title = {The proposed Regulation and the construction of a principles-driven system for individual data protection},
author = {Paul De Hert and Vagelis Papakonstantinou and David Wright and Serge Gutwirth},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/The-proposed-Regulation-and-the-construction-o.pdf, Accepted manuscript PDF},
doi = {10.1080/13511610.2013.734047},
issn = {1351-1610 1469-8412},
year = {2013},
date = {2013-01-01},
urldate = {2013-01-01},
journal = {Innovation: The European Journal of Social Science Research},
volume = {26},
number = {1-2},
pages = {133–144},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Hert, Paul De; Papakonstantinou, Vagelis
The proposed data protection Regulation replacing Directive 95/46/EC: A sound system for the protection of individuals Journal Article
In: Computer Law & Security Review, vol. 28, no. 2, pp. 130–142, 2012, ISSN: 02673649.
@article{RN838,
title = {The proposed data protection Regulation replacing Directive 95/46/EC: A sound system for the protection of individuals},
author = {Paul De Hert and Vagelis Papakonstantinou},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/4-De-Hert-Papakonstantinou-The-proposed-data.pdf, Accepted manuscript PDF},
doi = {https://doi.org/10.1016/j.clsr.2012.01.011},
issn = {02673649},
year = {2012},
date = {2012-01-01},
urldate = {2012-01-01},
journal = {Computer Law & Security Review},
volume = {28},
number = {2},
pages = {130–142},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Hert, Paul De; Papakonstantinou, Vagelis
The police and criminal justice data protection directive: Comment and analysis Journal Article
In: Computers and Law - UK Society for Computers & Law, vol. 22, no. 6, pp. 21, 2012, ISSN: 0140-3249.
@article{RN3443,
title = {The police and criminal justice data protection directive: Comment and analysis},
author = {Paul De Hert and Vagelis Papakonstantinou},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/De-Hert-2012-The-police-and-criminal-justice-d.pdf, Open access PDF},
issn = {0140-3249},
year = {2012},
date = {2012-01-01},
urldate = {2012-01-01},
journal = {Computers and Law - UK Society for Computers & Law},
volume = {22},
number = {6},
pages = {21},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Papakonstantinou, Vagelis; Hert, Paul De
Legal challenges posed by online aggregation of museum content: The cases of Europeana and the Google Art Project Journal Article
In: SCRIPTed, vol. 9, no. 3, pp. 314–339, 2012.
@article{RN3442,
title = {Legal challenges posed by online aggregation of museum content: The cases of Europeana and the Google Art Project},
author = {Vagelis Papakonstantinou and Paul De Hert},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/edadmindehert.pdf, Open access PDF},
doi = {https://doi.org/10.2966/scrip.090312.314},
year = {2012},
date = {2012-01-01},
urldate = {2012-01-01},
journal = {SCRIPTed},
volume = {9},
number = {3},
pages = {314–339},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Papakonstantinou, Vagelis; Hert, Paul De
In: UIC John Marshall Journal of Information Technology & Privacy Law, vol. 29, no. 1, pp. 29–74, 2011, ISSN: 1078-4128.
@article{RN3444,
title = {The amended EU law on ePrivacy and electronic communications after its 2011 implentation; New rules on data protection, spam, data breaches and protection of intellectual property rights},
author = {Vagelis Papakonstantinou and Paul De Hert},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/Papakonstantino-2011-The-amended-EU-law-on-ePr.pdf, Open access PDF},
issn = {1078-4128},
year = {2011},
date = {2011-01-01},
urldate = {2011-01-01},
journal = {UIC John Marshall Journal of Information Technology & Privacy Law},
volume = {29},
number = {1},
pages = {29–74},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Hert, Paul De; Papakonstantinou, Vagelis
The EU PNR framework decision proposal: Towards completion of the PNR processing scene in Europe Journal Article
In: Computer Law & Security Review, vol. 26, no. 4, pp. 368–376, 2010, ISSN: 02673649.
@article{RN1072,
title = {The EU PNR framework decision proposal: Towards completion of the PNR processing scene in Europe},
author = {Paul De Hert and Vagelis Papakonstantinou},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/1-s2.0-S0267364910000853-main-1.pdf, Open access PDF},
doi = {https://doi.org/10.1016/j.clsr.2010.05.008},
issn = {02673649},
year = {2010},
date = {2010-01-01},
urldate = {2010-01-01},
journal = {Computer Law & Security Review},
volume = {26},
number = {4},
pages = {368–376},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Hert, Paul De; Papakonstantinou, Vagelis
In: Computer Law & Security Review, vol. 25, no. 5, pp. 403–414, 2009, ISSN: 02673649.
@article{RN1488,
title = {The data protection framework decision of 27 November 2008 regarding police and judicial cooperation in criminal matters – A modest achievement however not the improvement some have hoped for},
author = {Paul De Hert and Vagelis Papakonstantinou},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/pdh09vpCLSRThe-data-protection-framework-deci.pdf, Accepted manuscript PDF},
doi = {https://doi.org/10.1016/j.clsr.2009.07.008},
issn = {02673649},
year = {2009},
date = {2009-01-01},
urldate = {2009-01-01},
journal = {Computer Law & Security Review},
volume = {25},
number = {5},
pages = {403–414},
abstract = {After more than three years in the making, that have witnessed much controversy, several
working texts and at least two altogether different versions, the Data Protection Frame-
work Decision ‘‘on the protection of personal data processed in the framework of police and judicial
cooperation in criminal matters’’ (hereafter, the DPFD) was finally adopted on 27 November
2008. The DPFD was supposed to be celebrated as the Data Protection Directive equivalent
in European law enforcement (Third Pillar) processing. However, since its formal adoption,
and even before that, data protection proponents (the European Data Protection Super-
visor, the Article 29 Working Party, national Data Protection Commissioners, NGOs)
lamented its adoption as the result of changes that ultimately compromised data protec-
tion. Is the DPFD a disappointment to the great expectations that accompanied its first
draft, back in 2006? An attempt to address this question shall be undertaken in this paper.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
After more than three years in the making, that have witnessed much controversy, several
working texts and at least two altogether different versions, the Data Protection Frame-
work Decision ‘‘on the protection of personal data processed in the framework of police and judicial
cooperation in criminal matters’’ (hereafter, the DPFD) was finally adopted on 27 November
2008. The DPFD was supposed to be celebrated as the Data Protection Directive equivalent
in European law enforcement (Third Pillar) processing. However, since its formal adoption,
and even before that, data protection proponents (the European Data Protection Super-
visor, the Article 29 Working Party, national Data Protection Commissioners, NGOs)
lamented its adoption as the result of changes that ultimately compromised data protec-
tion. Is the DPFD a disappointment to the great expectations that accompanied its first
draft, back in 2006? An attempt to address this question shall be undertaken in this paper.
working texts and at least two altogether different versions, the Data Protection Frame-
work Decision ‘‘on the protection of personal data processed in the framework of police and judicial
cooperation in criminal matters’’ (hereafter, the DPFD) was finally adopted on 27 November
2008. The DPFD was supposed to be celebrated as the Data Protection Directive equivalent
in European law enforcement (Third Pillar) processing. However, since its formal adoption,
and even before that, data protection proponents (the European Data Protection Super-
visor, the Article 29 Working Party, national Data Protection Commissioners, NGOs)
lamented its adoption as the result of changes that ultimately compromised data protec-
tion. Is the DPFD a disappointment to the great expectations that accompanied its first
draft, back in 2006? An attempt to address this question shall be undertaken in this paper.
Papakonstantinou, Vagelis; Hert, Paul De
The PNR Agreement and transatlantic anti-terrorism cooperation: No firm human rights framework on either side of the Atlantic Journal Article
In: Common Market Law Review, vol. 46, no. 3, pp. 885–919, 2009, ISSN: 0165-0750.
@article{RN3445,
title = {The PNR Agreement and transatlantic anti-terrorism cooperation: No firm human rights framework on either side of the Atlantic},
author = {Vagelis Papakonstantinou and Paul De Hert},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/Papakonstantino-2009-The-PNR-Agreement-and-tra.pdf, Accepted manuscript PDF},
doi = {https://doi.org/10.54648/cola2009036},
issn = {0165-0750},
year = {2009},
date = {2009-01-01},
urldate = {2009-01-01},
journal = {Common Market Law Review},
volume = {46},
number = {3},
pages = {885–919},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Hailbronner, Kay; Papakonstantinou, Vagelis; Kau, Marcel
The agreement on Passenger-Data Transfer (PNR) and the EU-US cooperation in data communication Journal Article
In: International Migration, vol. 46, no. 2, pp. 187–197, 2008, ISSN: 0020-7985.
@article{RN3446,
title = {The agreement on Passenger-Data Transfer (PNR) and the EU-US cooperation in data communication},
author = {Kay Hailbronner and Vagelis Papakonstantinou and Marcel Kau},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/Hailbronner-2008-The-agreement-on-Passenger-Da.pdf, Accepted manuscript PDF},
doi = {https://doi.org/10.1111/j.1468-2435.2008.00449.x},
issn = {0020-7985},
year = {2008},
date = {2008-01-01},
urldate = {2008-01-01},
journal = {International Migration},
volume = {46},
number = {2},
pages = {187–197},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Papakonstantinou, Vagelis
A data protection approach to data matching operations among public bodies Journal Article
In: International Journal of Law and Information Technology, vol. 9, no. 1, pp. 39–64, 2001, ISSN: 1464-3693.
@article{RN3447,
title = {A data protection approach to data matching operations among public bodies},
author = {Vagelis Papakonstantinou},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/Papakonstantino-2001-A-data-protection-approac.pdf, Accepted manuscript PDF},
doi = {https://doi.org/10.1093/ijlit/9.1.39},
issn = {1464-3693},
year = {2001},
date = {2001-01-01},
urldate = {2001-01-01},
journal = {International Journal of Law and Information Technology},
volume = {9},
number = {1},
pages = {39–64},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Book chapters
Book Chapters
Papakonstantinou, Vagelis
In: gen. Döhmann, Indra Spiecker; Mendes, Laura Schertel; Campos, Ricardo (Ed.): Digital constitutionalism, pp. 365–382, Nomos, Baden Baden, 2025.
@inbook{RN3408,
title = {Digital constitutionalism in the States-as-Information-Platforms context: A new programme, the acknowledgement of ‘Platform Rights’},
author = {Vagelis Papakonstantinou},
editor = {Indra Spiecker gen. Döhmann and Laura Schertel Mendes and Ricardo Campos},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/Digital-constitutionalism-and-Platform-Rights.pdf, Book chapter PDF (open access)},
doi = {10.5771/9783748938644-365},
year = {2025},
date = {2025-03-12},
urldate = {2025-01-01},
booktitle = {Digital constitutionalism},
pages = {365–382},
publisher = {Nomos},
address = {Baden Baden},
keywords = {},
pubstate = {published},
tppubtype = {inbook}
}
Papakonstantinou, Vagelis
States as information platforms: A political theory of information Book Chapter
In: Matsumi, Hideyuki; Hallinan, Dara; Dimitrova, Diana; Kosta, Eleni; Hert, Paul De (Ed.): Data protection and privacy, Volume 16: Ideas that drive our digital world, pp. 187–209, Bloomsbury Publishing, London, 2024, ISBN: 9781509976003.
@inbook{RN3042,
title = {States as information platforms: A political theory of information},
author = {Vagelis Papakonstantinou},
editor = {Hideyuki Matsumi and Dara Hallinan and Diana Dimitrova and Eleni Kosta and Paul De Hert},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/Papakonstantino-2024-States-as-Information-Pla.pdf, Accepted manuscript PDF},
isbn = {9781509976003},
year = {2024},
date = {2024-05-02},
urldate = {2024-01-01},
booktitle = {Data protection and privacy, Volume 16: Ideas that drive our digital world},
pages = {187–209},
publisher = {Bloomsbury Publishing},
address = {London},
abstract = {Th e advent of the Information Age and the digital world have challenged old
assumptions and have made new understandings possible. A new political theory
that places information at its centre is necessary to account for the exponential
growth in humanity ’ s information processing. Th e importance of procedures,
tools and rules pertaining to information and its processing has been acknowl-
edged by governments, states and individuals worldwide. It is this challenge that
a new theory on States-as-Information-Platforms addresses. It is based on two
premises: fi rst, that states are information platforms for their citizens. Th ey exist
in nature, as a direct result of human communication. Th eir role is to act as infor-
mation intermediaries, making communication among individuals possible. It
is only through their tacit intermediation and personal information processing
that individuals can engage in any interaction and live any meaningful life. Th e
second premise of this theory turns the focus to humans. Humans ’ basic need is
to maximise their information processing. Accordingly, the sum of human life
may be viewed as information processing. Once these two premises are brought
together concrete fi ndings and replies to age-old questions such as why states exist,
when they are legitimate, or what is the nature of human rights may be reached.},
keywords = {},
pubstate = {published},
tppubtype = {inbook}
}
Th e advent of the Information Age and the digital world have challenged old
assumptions and have made new understandings possible. A new political theory
that places information at its centre is necessary to account for the exponential
growth in humanity ’ s information processing. Th e importance of procedures,
tools and rules pertaining to information and its processing has been acknowl-
edged by governments, states and individuals worldwide. It is this challenge that
a new theory on States-as-Information-Platforms addresses. It is based on two
premises: fi rst, that states are information platforms for their citizens. Th ey exist
in nature, as a direct result of human communication. Th eir role is to act as infor-
mation intermediaries, making communication among individuals possible. It
is only through their tacit intermediation and personal information processing
that individuals can engage in any interaction and live any meaningful life. Th e
second premise of this theory turns the focus to humans. Humans ’ basic need is
to maximise their information processing. Accordingly, the sum of human life
may be viewed as information processing. Once these two premises are brought
together concrete fi ndings and replies to age-old questions such as why states exist,
when they are legitimate, or what is the nature of human rights may be reached.
assumptions and have made new understandings possible. A new political theory
that places information at its centre is necessary to account for the exponential
growth in humanity ’ s information processing. Th e importance of procedures,
tools and rules pertaining to information and its processing has been acknowl-
edged by governments, states and individuals worldwide. It is this challenge that
a new theory on States-as-Information-Platforms addresses. It is based on two
premises: fi rst, that states are information platforms for their citizens. Th ey exist
in nature, as a direct result of human communication. Th eir role is to act as infor-
mation intermediaries, making communication among individuals possible. It
is only through their tacit intermediation and personal information processing
that individuals can engage in any interaction and live any meaningful life. Th e
second premise of this theory turns the focus to humans. Humans ’ basic need is
to maximise their information processing. Accordingly, the sum of human life
may be viewed as information processing. Once these two premises are brought
together concrete fi ndings and replies to age-old questions such as why states exist,
when they are legitimate, or what is the nature of human rights may be reached.
Papakonstantinou, Vagelis
Spiros Simitis – his legacy: Europeanisation and internationalisation Book Chapter
In: gen. Döhmann, Indra Spiecker; Weiss, Manfred (Ed.): Spiros Simitis – sein Vermächtnis, pp. 91–106, Nomos, Baden Baden, 2024.
@inbook{RN3407,
title = {Spiros Simitis – his legacy: Europeanisation and internationalisation},
author = {Vagelis Papakonstantinou},
editor = {Indra Spiecker gen. Döhmann and Manfred Weiss},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/ssrn-5146189.pdf, Accepted manuscript PDF},
doi = {https://doi.org/10.5771/9783748944799},
year = {2024},
date = {2024-01-01},
urldate = {2024-01-01},
booktitle = {Spiros Simitis – sein Vermächtnis},
pages = {91–106},
publisher = {Nomos},
address = {Baden Baden},
keywords = {},
pubstate = {published},
tppubtype = {inbook}
}
Hert, Paul De; Papakonstantinou, Vagelis
The Right to be Forgotten Book Chapter
In: Comandé, Giovanni (Ed.): Elgar Encyclopedia of Law and Data Science, pp. 175–181, Elgar, London, 2022.
@inbook{RN3410,
title = {The Right to be Forgotten},
author = {Paul De Hert and Vagelis Papakonstantinou},
editor = {Giovanni Comandé},
doi = {https://doi.org/10.4337/9781839104596},
year = {2022},
date = {2022-01-01},
booktitle = {Elgar Encyclopedia of Law and Data Science},
pages = {175–181},
publisher = {Elgar},
address = {London},
keywords = {},
pubstate = {published},
tppubtype = {inbook}
}
Papakonstantinou, Vagelis
The need to introduce a new individual right to cybersecurity Book Chapter
In: Martino, Luigi; Gamal, Nadia (Ed.): European cybersecurity in context: A policy-oriented comparative analysis, pp. 77–83, ELF, Brussels, 2022.
@inbook{RN3409,
title = {The need to introduce a new individual right to cybersecurity},
author = {Vagelis Papakonstantinou},
editor = {Luigi Martino and Nadia Gamal},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/papakonstantino-2022-The-need-to-introduce-a-n.pdf, Open access PDF},
year = {2022},
date = {2022-01-01},
urldate = {2022-01-01},
booktitle = {European cybersecurity in context: A policy-oriented comparative analysis},
pages = {77–83},
publisher = {ELF},
address = {Brussels},
abstract = {Currently cybersecurity concerns are often perceived as exclusively pertaining to states and organisations. All current regulatory instruments either in effect or in the legislative process are addressed to Member States and (large or important) organisations in the EU. For individuals, on the other hand, cybersecurity is seen as a service to be indirectly provided by third parties. This is a fundamentally flawed understanding. Individuals should not be seen as passive recipients of cybersecurity,
dependent on the goodwill and effectiveness of third parties. On the contrary, they need legal tools to protect themselves in the digital environment. The introduction of a new right to cybersecurity will enable individuals to protect their digital selves, while legally requiring third parties to respect their rights.},
keywords = {},
pubstate = {published},
tppubtype = {inbook}
}
Currently cybersecurity concerns are often perceived as exclusively pertaining to states and organisations. All current regulatory instruments either in effect or in the legislative process are addressed to Member States and (large or important) organisations in the EU. For individuals, on the other hand, cybersecurity is seen as a service to be indirectly provided by third parties. This is a fundamentally flawed understanding. Individuals should not be seen as passive recipients of cybersecurity,
dependent on the goodwill and effectiveness of third parties. On the contrary, they need legal tools to protect themselves in the digital environment. The introduction of a new right to cybersecurity will enable individuals to protect their digital selves, while legally requiring third parties to respect their rights.
dependent on the goodwill and effectiveness of third parties. On the contrary, they need legal tools to protect themselves in the digital environment. The introduction of a new right to cybersecurity will enable individuals to protect their digital selves, while legally requiring third parties to respect their rights.
Gonzalez, Elena Gil; Hert, Paul De; Papakonstantinou, Vagelis
The proposed ePrivacy regulation: The Commission‘s and the Parliament‘s draft s at a crossroads? Book Chapter
In: Hallinan, Dara; Leenes, Ronald; Gutwirth, Serge; Hert, Paul De (Ed.): Data Protection and Privacy - Data Protection and Democracy, pp. 267–298, Hart, London, 2020, ISBN: 9781509932757.
@inbook{RN3412,
title = {The proposed ePrivacy regulation: The Commission‘s and the Parliament‘s draft s at a crossroads?},
author = {Elena Gil Gonzalez and Paul De Hert and Vagelis Papakonstantinou},
editor = {Dara Hallinan and Ronald Leenes and Serge Gutwirth and Paul De Hert},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/Gonzalez-2020-The-proposed-ePrivacy-regulation.pdf, Accepted manuscript PDF},
isbn = {9781509932757},
year = {2020},
date = {2020-01-01},
urldate = {2020-01-01},
booktitle = {Data Protection and Privacy - Data Protection and Democracy},
pages = {267–298},
publisher = {Hart},
address = {London},
abstract = {Th e EU ’ s Digital Single Market Strategy aims to increase trust and security in
digital services. A reform of the EU personal data protection regulatory framework
through the introduction of the General Data Protection Regulation (GDPR)
was a key step to increasing trust in the security of digital services. Following
the reform of the GDPR, the strategy also includes the review of the ePrivacy
Directive (Directive 2002/58/EC). Indeed, on 10 January 2017, the European
Commission presented a proposal for an ePrivacy Regulation to be in force on
25 May 2018, simultaneously with the GDPR. However, this ambitious timeline
has suff ered delays and the proposal is currently going through the European
Union legislative process. On 26 October 2017, the European Parliament voted in
favour of the amendments proposed by the Committee on Civil Liberties, Justice
and Home Aff airs (LIBE) in plenary session. Th is chapter aims to highlight specifi c
aspects of the ePrivacy Regulation draft , in its Summer 2019 state, to shed light
upon certain of its most important elements. While the new Commission aft er
the elections of June 2019 awaits appointment, we consider it important, during
this stage of the law-making process, to take a photograph of developments so far,
which include the Commission ’ s original draft and the Parliament ’ s response (the
Council is yet to provide its fi nal position). In this way, future comparisons with
the fi nal wording and the reasoning behind them, will be facilitated.},
keywords = {},
pubstate = {published},
tppubtype = {inbook}
}
Th e EU ’ s Digital Single Market Strategy aims to increase trust and security in
digital services. A reform of the EU personal data protection regulatory framework
through the introduction of the General Data Protection Regulation (GDPR)
was a key step to increasing trust in the security of digital services. Following
the reform of the GDPR, the strategy also includes the review of the ePrivacy
Directive (Directive 2002/58/EC). Indeed, on 10 January 2017, the European
Commission presented a proposal for an ePrivacy Regulation to be in force on
25 May 2018, simultaneously with the GDPR. However, this ambitious timeline
has suff ered delays and the proposal is currently going through the European
Union legislative process. On 26 October 2017, the European Parliament voted in
favour of the amendments proposed by the Committee on Civil Liberties, Justice
and Home Aff airs (LIBE) in plenary session. Th is chapter aims to highlight specifi c
aspects of the ePrivacy Regulation draft , in its Summer 2019 state, to shed light
upon certain of its most important elements. While the new Commission aft er
the elections of June 2019 awaits appointment, we consider it important, during
this stage of the law-making process, to take a photograph of developments so far,
which include the Commission ’ s original draft and the Parliament ’ s response (the
Council is yet to provide its fi nal position). In this way, future comparisons with
the fi nal wording and the reasoning behind them, will be facilitated.
digital services. A reform of the EU personal data protection regulatory framework
through the introduction of the General Data Protection Regulation (GDPR)
was a key step to increasing trust in the security of digital services. Following
the reform of the GDPR, the strategy also includes the review of the ePrivacy
Directive (Directive 2002/58/EC). Indeed, on 10 January 2017, the European
Commission presented a proposal for an ePrivacy Regulation to be in force on
25 May 2018, simultaneously with the GDPR. However, this ambitious timeline
has suff ered delays and the proposal is currently going through the European
Union legislative process. On 26 October 2017, the European Parliament voted in
favour of the amendments proposed by the Committee on Civil Liberties, Justice
and Home Aff airs (LIBE) in plenary session. Th is chapter aims to highlight specifi c
aspects of the ePrivacy Regulation draft , in its Summer 2019 state, to shed light
upon certain of its most important elements. While the new Commission aft er
the elections of June 2019 awaits appointment, we consider it important, during
this stage of the law-making process, to take a photograph of developments so far,
which include the Commission ’ s original draft and the Parliament ’ s response (the
Council is yet to provide its fi nal position). In this way, future comparisons with
the fi nal wording and the reasoning behind them, will be facilitated.
Papakonstantinou, Vagelis
Should we be afraid of fake news? Book Chapter
In: Terzis, Georgios; Kloza, Dariusz; Kuzelewska, Elzbieta; Trottier, Daniel (Ed.): Disinformation and digital media as a challenge for democracy, Cambridge, Amsterdam, 2020.
@inbook{RN3411,
title = {Should we be afraid of fake news?},
author = {Vagelis Papakonstantinou},
editor = {Georgios Terzis and Dariusz Kloza and Elzbieta Kuzelewska and Daniel Trottier},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/Papakonstantino-2020-Should-we-be-afraid-of-fa.pdf, Accepted manuscript PDF},
doi = {https://doi.org/10.1017/9781839700422.003},
year = {2020},
date = {2020-01-01},
urldate = {2020-01-01},
booktitle = {Disinformation and digital media as a challenge for democracy},
publisher = {Cambridge},
address = {Amsterdam},
abstract = {Over the past few years, ‘fake news’ has dominated public discourse, being blamed for anything from affecting electoral results to manipulating consumers, ultimately giving online social media and Internet platforms a bad name. However, I believe that there is no such thing as ‘fake news’. For the reasons explained below, I think that ‘fake news’ , a contradiction in terms, is merely a neologism, a clever catchphrase used today by politicians in order to swiftly discredit opponents and at the same time wink at their voters. The only thing different from similar phenomena in the past is the Internet and its champions, online social media platforms, that provided a suitable environment for the deployment of such ‘fake news’. However, this to me being merely an early-adoption problem that will be addressed once these new technological phenomena have been properly assimilated by society and social sciences, I believe that legislators, no matter how concerned they are in the short term, should sit this one out.},
keywords = {},
pubstate = {published},
tppubtype = {inbook}
}
Over the past few years, ‘fake news’ has dominated public discourse, being blamed for anything from affecting electoral results to manipulating consumers, ultimately giving online social media and Internet platforms a bad name. However, I believe that there is no such thing as ‘fake news’. For the reasons explained below, I think that ‘fake news’ , a contradiction in terms, is merely a neologism, a clever catchphrase used today by politicians in order to swiftly discredit opponents and at the same time wink at their voters. The only thing different from similar phenomena in the past is the Internet and its champions, online social media platforms, that provided a suitable environment for the deployment of such ‘fake news’. However, this to me being merely an early-adoption problem that will be addressed once these new technological phenomena have been properly assimilated by society and social sciences, I believe that legislators, no matter how concerned they are in the short term, should sit this one out.
Hert, Paul De; Papakonstantinou, Vagelis
In: Servent, Ariadne Ripoll; Trauner, Florian (Ed.): The Routledge Handbook of Justice and Home Affairs Research, pp. 169–179, Routledge, 2017.
@inbook{RN3413,
title = {Data protection policies in EU justice and home affairs: A multi-layered and yet unexplored territory for legal research},
author = {Paul De Hert and Vagelis Papakonstantinou},
editor = {Ariadne Ripoll Servent and Florian Trauner},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/pdh18vpDataprotectionpoliciesinEUJusticeandHomeAffairs.Amulti-layeredandyetunexploredterritoryforlegalresearchinRipollTraunerPROOFS.pdf, Accepted manuscript PDF},
year = {2017},
date = {2017-01-01},
urldate = {2017-01-01},
booktitle = {The Routledge Handbook of Justice and Home Affairs Research},
pages = {169–179},
publisher = {Routledge},
keywords = {},
pubstate = {published},
tppubtype = {inbook}
}
Hert, Paul De; Papakonstantinou, Vagelis
In: Svantesson, Dan; Kloza, Dariusz (Ed.): Trans-atlantic data privacy relations as a challenge for democracy, pp. 521–533, Intersentia, Cambridge, 2017.
@inbook{RN3414,
title = {Moving beyond the special rapporteur on privacy with the establishment of a new, specialised United Nations agency: Addressing the deficit in global cooperation for the protection of data privacy},
author = {Paul De Hert and Vagelis Papakonstantinou},
editor = {Dan Svantesson and Dariusz Kloza},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/De-Hert-2017-Moving-beyond-the-special-rapport.pdf, Accepted manuscript PDF},
doi = {https://doi.org/10.1017/9781780685786.027},
year = {2017},
date = {2017-01-01},
urldate = {2017-01-01},
booktitle = {Trans-atlantic data privacy relations as a challenge for democracy},
pages = {521–533},
publisher = {Intersentia},
address = {Cambridge},
keywords = {},
pubstate = {published},
tppubtype = {inbook}
}
Hert, Paul De; Papakonstantinou, Vagelis
Data protection: The EU institutions’ battle over data processing vs individual rights Book Chapter
In: Trauner, Florian; Servent, Ariadne Ripoll (Ed.): The EU institutions’ battle over data processing vs individual rights, pp. 178–197, Routledge, London, 2015.
@inbook{RN3415,
title = {Data protection: The EU institutions’ battle over data processing vs individual rights},
author = {Paul De Hert and Vagelis Papakonstantinou},
editor = {Florian Trauner and Ariadne Ripoll Servent},
url = {https://www.taylorfrancis.com/chapters/edit/10.4324/9781315766447-14/data-protection-paul-de-hert-vagelis-papakonstantinou
https://vpapakonstantinou.com/wp-content/uploads/2025/10/De-Hert-2015-The-EU-institutions-Battle-Over-1.pdf, Accepted manuscript PDF},
year = {2015},
date = {2015-01-01},
urldate = {2015-01-01},
booktitle = {The EU institutions’ battle over data processing vs individual rights},
pages = {178–197},
publisher = {Routledge},
address = {London},
abstract = {Data protection is a comparatively recent field of legislative activity, regulating a relatively
recent human activity. The automated processing of personal data took place only after
information technology allowed it to develop in the late 1960s, first in public and
subsequently in private organisations. Consequently, when the first EU data protection law
was enacted only a handful of countries had a data protection regulatory history of more than
a decade. Another aspect important to bear in mind is the inherent cross-border character of
personal data processing. Consequently, by definition supranational organisations matter
when it comes to data protection. Given these two basic characteristics of data protection,
‘policy change’ in this field can be considered differently than in other sub-policies of the
Area of Freedom, Security and Justice (AFSJ). This chapter investigates the role of EU
institutions in the process of developing and changing EU data protection rules.},
keywords = {},
pubstate = {published},
tppubtype = {inbook}
}
Data protection is a comparatively recent field of legislative activity, regulating a relatively
recent human activity. The automated processing of personal data took place only after
information technology allowed it to develop in the late 1960s, first in public and
subsequently in private organisations. Consequently, when the first EU data protection law
was enacted only a handful of countries had a data protection regulatory history of more than
a decade. Another aspect important to bear in mind is the inherent cross-border character of
personal data processing. Consequently, by definition supranational organisations matter
when it comes to data protection. Given these two basic characteristics of data protection,
‘policy change’ in this field can be considered differently than in other sub-policies of the
Area of Freedom, Security and Justice (AFSJ). This chapter investigates the role of EU
institutions in the process of developing and changing EU data protection rules.
recent human activity. The automated processing of personal data took place only after
information technology allowed it to develop in the late 1960s, first in public and
subsequently in private organisations. Consequently, when the first EU data protection law
was enacted only a handful of countries had a data protection regulatory history of more than
a decade. Another aspect important to bear in mind is the inherent cross-border character of
personal data processing. Consequently, by definition supranational organisations matter
when it comes to data protection. Given these two basic characteristics of data protection,
‘policy change’ in this field can be considered differently than in other sub-policies of the
Area of Freedom, Security and Justice (AFSJ). This chapter investigates the role of EU
institutions in the process of developing and changing EU data protection rules.
Hert, Paul De; Papakonstantinou, Vagelis
In: Hijmans, Hielke; Kranenborg, Herke (Ed.): Data protection anno 2014: How to restore trust? Contributions in honour of Peter Hustinx, European Data Protection Supervisor (2004-2014), pp. 237–252, Intersentia, Brussels, 2014, ISBN: 978-1-78068-213-6.
@inbook{RN1767,
title = {The EDPS as a unique stakeholder in the European data protection landscape, fulfilling the explicit and non-explicit expectations},
author = {Paul De Hert and Vagelis Papakonstantinou},
editor = {Hielke Hijmans and Herke Kranenborg},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/De-Hert-2014-The-EDPS-as-a-unique-stakeholder-1.pdf, Accepted manuscript PDF},
isbn = {978-1-78068-213-6},
year = {2014},
date = {2014-01-01},
urldate = {2014-01-01},
booktitle = {Data protection anno 2014: How to restore trust? Contributions in honour of Peter Hustinx, European Data Protection Supervisor (2004-2014)},
pages = {237–252},
publisher = {Intersentia},
address = {Brussels},
keywords = {},
pubstate = {published},
tppubtype = {inbook}
}
Papakonstantinou, Vagelis
Intellectual property rights: The security perspective Book Chapter
In: Jahankhani, Hamid (Ed.): Handbook of electronic security and digital forensics, pp. 477–495, World Scientific, London, 2010, ISBN: 9812837035.
@inbook{RN3417,
title = {Intellectual property rights: The security perspective},
author = {Vagelis Papakonstantinou},
editor = {Hamid Jahankhani},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/Papakonstantino-2010-Intellectual-property-rig.pdf, Accepted manuscript PDF},
isbn = {9812837035},
year = {2010},
date = {2010-01-01},
urldate = {2010-01-01},
booktitle = {Handbook of electronic security and digital forensics},
pages = {477–495},
publisher = {World Scientific},
address = {London},
keywords = {},
pubstate = {published},
tppubtype = {inbook}
}
Papakonstantinou, Vagelis
Cyberspace and cybercrime Book Chapter
In: Jahankhani, Hamid (Ed.): Handbook of electronic security and digital forensics, pp. 455–475, World Scientific, London, 2010, ISBN: 9812837035.
@inbook{RN3418,
title = {Cyberspace and cybercrime},
author = {Vagelis Papakonstantinou},
editor = {Hamid Jahankhani},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/Papakonstantino-2010-Cyberspace-and-cybercrime.pdf, Accepted manuscript PDF},
isbn = {9812837035},
year = {2010},
date = {2010-01-01},
urldate = {2010-01-01},
booktitle = {Handbook of electronic security and digital forensics},
pages = {455–475},
publisher = {World Scientific},
address = {London},
keywords = {},
pubstate = {published},
tppubtype = {inbook}
}
Hert, Paul De; Papakonstantinou, Vagelis; Riehle, Cornelia
Data protection in the third pillar: Cautious pessimism Book Chapter
In: Maik, Martin (Ed.): Crime, rights and the EU: The future of police and judicial cooperation, pp. 121–194, Justice, London, 2008, ISBN: 978-0-907247-44-9.
@inbook{RN3420,
title = {Data protection in the third pillar: Cautious pessimism},
author = {Paul De Hert and Vagelis Papakonstantinou and Cornelia Riehle},
editor = {Martin Maik},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/De-Hert-2008-Data-protection-in-the-third-pill.pdf, Open access PDF},
isbn = {978-0-907247-44-9},
year = {2008},
date = {2008-01-01},
urldate = {2008-01-01},
booktitle = {Crime, rights and the EU: The future of police and judicial cooperation},
pages = {121–194},
publisher = {Justice},
address = {London},
keywords = {},
pubstate = {published},
tppubtype = {inbook}
}
Papakonstantinou, Vagelis
Legal issues for Digital Rights Management: The future Book Chapter
In: Drossos, Lambros; Tsolis, Dimitrios; Sioutas, Spyros; Papatheodorou, Theodore (Ed.): Digital Rights Management for E-Commerce Systems, IGI Global, London, 2008, ISBN: 1605661198.
@inbook{RN3419,
title = {Legal issues for Digital Rights Management: The future},
author = {Vagelis Papakonstantinou},
editor = {Lambros Drossos and Dimitrios Tsolis and Spyros Sioutas and Theodore Papatheodorou},
url = {https://vpapakonstantinou.com/wp-content/uploads/2025/10/Papakonstantino-2008-Legal-Issues-for-Digital.pdf, Accepted manuscript PDF},
isbn = {1605661198},
year = {2008},
date = {2008-01-01},
urldate = {2008-01-01},
booktitle = {Digital Rights Management for E-Commerce Systems},
publisher = {IGI Global},
address = {London},
abstract = {DRM systems have been implemented in the past few years by the Content Industry as the panacea
against all copyright (and Intellectual Property Rights in general) infringements over the Internet. The
validity of this statement shall be assessed in this analysis, identifying its strengths and record to-date
and highlighting its shortcomings in an increasingly complex e-commerce (Web 2.0) environment. While
doing this, particular attention shall be given to (mostly EU) Intellectual Property Law, Consumer Law,
Data Protection Law, and Competition Law.},
keywords = {},
pubstate = {published},
tppubtype = {inbook}
}
DRM systems have been implemented in the past few years by the Content Industry as the panacea
against all copyright (and Intellectual Property Rights in general) infringements over the Internet. The
validity of this statement shall be assessed in this analysis, identifying its strengths and record to-date
and highlighting its shortcomings in an increasingly complex e-commerce (Web 2.0) environment. While
doing this, particular attention shall be given to (mostly EU) Intellectual Property Law, Consumer Law,
Data Protection Law, and Competition Law.
against all copyright (and Intellectual Property Rights in general) infringements over the Internet. The
validity of this statement shall be assessed in this analysis, identifying its strengths and record to-date
and highlighting its shortcomings in an increasingly complex e-commerce (Web 2.0) environment. While
doing this, particular attention shall be given to (mostly EU) Intellectual Property Law, Consumer Law,
Data Protection Law, and Competition Law.
Official reports
- [Report] The data protection regime in China — Paul De Hert, Vagelis Papakonstantinou · European Parliament (LIBE Committee), 2015. [PDF]
- [Report] The data protection regime applying to the inter-agency cooperation and future architecture of the EU criminal justice and law enforcement area — Paul De Hert, Vagelis Papakonstantinou · European Parliament (LIBE Committee), 2014.
- [Report] Towards a New EU Legal Framework for Data Protection and Privacy: Challenges, Principles and the Role of the European Parliament — Didier Bigo, Sergio Carrera, Gloria González Fuster, Elspeth Guild, Paul De Hert, Julien Jeandesboz, Vagelis Papakonstantinou · European Parliament (LIBE Committee), 2011.
Working papers
- [WP] Data privacy law as a new field of law — SSRN, 2024.