Granular or holistic approach? Enforcing privacy rights in complex ICT ecosystems


  • Antonio Kung


  • Naomi Lefkovitz
  • Alejandra Ruiz
  • Massimo Attoresi

Organisation: PDP4E

Room: Online 1

Timing: 18:45 - 20:00 on 27 January 2021

ICT ecosystems are complex systems of devices, networks, backends operated and managed by multiple stakeholders. They are the backbone of infrastructures such as healthcare, smart manufacturing, transport, defense, energy, and others, which processes massive amounts of personal data. There is no convergence on how ensure the enforcement of privacy rights in such complex ecosystems. Most approaches are granular in that they focus on implementing privacy controls in every piece of the system, while others advocate for a more holistic approach to privacy (inter-organizational privacy) where all components share one common set of rules or principles or are based on interoperable frameworks or architectures. This panel aims at finding a solution to this debate, while covering aspects such as risk identification, governance, transparency, the engineering of control and protection capabilities, and the role of assurance to ensure trustworthiness.

• Is privacy preserved when composing privacy friendly systems? Should we move away from a one shot, static, monodisciplinary and single perspective privacy impact assessment towards a multi-stakeholder perspective?
• How can a framework (e.g. the NIST privacy framework) help address the data protection issues raised by the multiplication of actors? Can we use is as a common framework to create an ecosystem practice for privacy rights enforcement, for instance in a data space?
• Are there specific collaboration needs between stakeholders in the ecosystem, concerning risk management, architecture and engineering practice, and contractual agreements?
• Do we need to define a roadmap on ecosystem practice, including the definition of further regulations and standards (on systems of systems, interoperability and assurance)?


Antonio Kung


Antonio Kung initially worked in the development of real-time operating systems. He co-founded Trialog in 1987 where he acts as CTO. He is currently involved in domains such as ICT for ageing, smart cities as well as transversal activities related to security and privacy. He has coordinated many collaborative projects in these area (for instance PRIPARE or PARIS). He is currently the editor of ISO/IEC 27550 Privacy engineering. He holds a Master’s degree from Harvard University, USA and an engineering degree from Ecole Centrale Paris, France.


Naomi Lefkovitz


Naomi Lefkovitz is the Senior Privacy Policy Advisor in the Information Technology Lab at the National Institute of Standards and Technology, U.S. Department of Commerce. She leads the privacy engineering program, which focuses on developing privacy risk management processes and integrating solutions for protecting individuals’ privacy into information technologies, including digital identity services, IoT, smart cities, big data, mobile, and artificial intelligence. She also leads the development team for the NIST Privacy Framework.

Alejandra Ruiz

Tecnalia (ES)

Dr. Alejandra Ruiz (female) holds a Ph.D. degree in Telecommunications and Computer Engineering, (2015, U. of Deusto), an MSc in Advanced Artificial Intelligence (2012, UNED) and the degree in Telecommunication Engineering (2005, University of Deusto). She joined the European Software Institute in 2007, which later on was merged in in Tecnalia where she is a Research Engineer in the TRUSTTECH (Trust technologies) area. She currently leads the area of Modular Assurance and Certification of Safety-critical Systems, with particular focus on automotive, aerospace, railway and medical device industries. She is the main contributor in these areas for European projects such as RECOMP (Reduced Certification Costs for Trusted Multicore Platforms), OPENCOSS (Open Platform for EvolutioNary Certification of Safety-critical Systems) SafeAdapt (Safe Adaptive Software for Fully Electric Vehicles), EMC2 (Embedded Multi-Core systems for Mixed Criticality applications in dynamic and changeable real-time environments) and PDP$E (Privacy and Data Protection for Engineering) . Dr. Ruiz has extensive experience on EU projects as project leader and has coordinated the work of large international teams, such as e.g. the AMASS ECSEL project.

Massimo Attoresi


Massimo is the Deputy Head of the Technology & Privacy unit of the EDPS, which he joined in 2012. From October 2014 to September 2020 he was also the DPO of the EDPS. He provides advice on technology developments having an impact on privacy and other fundamental rights due to the processing of their personal data. Among the topics he focuses on: cloud computing, online tracking and profiling, internet of things, privacy and data protection by design and by default, DPIAs. He graduated as an Electronic Engineer. After some years in the private he sector he joined the European Anti-fraud Office. From 2007 to 2012 he worked as Data Protection Coordinator and Local Informatics Security Officer in a Directorate General of the European Commission.