Registration
In order to participate you have to register here by the 30th of october.
After the lecture we invite you to join us for a reception with light refreshments and mingling.
The EU General Data Protection Regulation (GDPR) has been a primary instrument of legal protection against a diverse range of digital harms. This broad application is partly possible due to the broad meaning of “personal data” which co-determines the GDPR’s material scope. Yet, the scope of the GDPR presents problems. On the one hand, the proliferation of digitisation and advanced data analytics led to the GDPR applying to an exponentially growing range of situations. The broad interpretation of personal data in theory makes the GDPR “the law of everything”: well-meant but impossible to comply with or enforce in a meaningful way, making data protection a business of tick-the-box compliance and selective enforcement. On the other hand, in practice, many information practices fall through the GDPR cracks: controllers construe “personal data” narrowly and do not apply the GDPR where they should; PETs obfuscate the boundary between identifiable and anonymous; discussions on whether personal data is processed often obfuscate what is really at stake after the digital transformation; the GDPR is not designed to tackle group information harms.
Many proposals have been put forward to address these tensions. Most of these proposals are firmly anchored in the idea that regulation should target data and suggest solutions based on differentiating between various types of data. They rarely – if at all – rely on any theoretical understanding of data and information and how those interact with reality in line with an established tradition of undertheorized use of information concepts in law (Bygrave). In this lecture, drawing on the insights of the multi-year collaboration within the ERC INFO-LEG project, I will propose directions for reform of data protection law and legal protection against information-induced harms generally, based on the insights from information sciences, a broad family of disciplines that explicitly focus their attention on information itself.
Nadya Purtova is Professor of Law, Innovation, and Technology at Utrecht University’s School of Law, following previous positions at Tilburg Institute of Technology and Society (TILT), the Netherlands. Her research focuses on how to understand and tackle socio-technical change related to information technologies in areas including data protection law, data ownership, data law and (collective) governance. Nadya was awarded a 2016 ERC Starting Grant and recently completed an ERC project that proposed how legal protection against information-related problems, including data protection law, should be reformed based on understanding of information and data in information studies and economics. She is the author of Property rights in personal data: a European perspective (Kluwer Law International 2011) and “The law of everything. Broad concept of personal data and future of EU data protection law” (2018). Her recent academic publications include “Code as personal data: implications for data protection law and regulation of algorithms” (2023, with Ronald Leenes), “From knowing by name to targeting: the meaning of identification under the GDPR” (2022) and “Data as an economic good, data as a commons, and data governance” (2024, with Gijs van Maanen). She is on the editorial boards of Technology and Regulation, Computer Law & Security Review, Global Privacy Law Review, and Utrecht Law Review. Nadya holds a PhD (cum laude) from Tilburg University, MSc from Leiden University and LLM from Central European University.