INNOVATION AND LAW

Innovation and Law provides you with the consultancy needed to understand law as an enabler and supporter of innovation. We focus on building privacy and security by design solutions that incorporate appropriate standards – in particular, certificates, codes of conduct and/or binding corporate rules.

Privacy & Security by Design 

Privacy and security by design is a regulatory approach established by the EU General Data Protection Regulation (GDPR). It requires data controllers and/or processors to implement technical and organisational measures in order to mitigate privacy and security risks. Among the main instruments for demonstrating compliance with the requirements of privacy and security by design, just as with legal requirements in general, are certificates and codes of conduct. These mechanisms enable data controllers and processors to create trust amongst their customers in their data-driven products and services, and to use this as a core value and competitive advantage on the market.

Technological and Data-Driven Innovation

Technological and data-driven innovation is the core driver of public welfare in our digitized society. Data-driven innovations can solve many problems of society, through both the private and public sector: Transport, logistics, product and service development, administration, communication, finance, health, and science in general.

Data-driven innovation can also create risks for individuals and even for society as a whole. For example, data-driven innovation can be misused by people who illegitimately intrude into an individual’s privacy, engage in unjustified discrimination against people, or monitor society at large.

Controlling Risks of Data-Driven Innovation

Enhancing Trust in Data-Driven Products/Services

Therefore, in order to fully exploit the positive effects of data-driven innovation, it is necessary to control its risks. Customers can only trust in data-driven products and services if the risks are controlled, and data controllers and processors can only then fully exploit the commercial benefits of data-driven innovation.

The new General Data Protection Regulation builds upon this approach by establishing broad legal terms and general principles, which leave data controllers and processors considerable room for manoeuvre in applying these requirements during their innovation processes. In order to make sure that their specific application meets the regulator’s expectations, controllers and processors can additionally build and/or use certificates or codes of conduct demonstrating legal compliance.

Exploiting Competitive Advantages

GDPR Standardisation Instruments

Data controllers and processors can develop new certificates or use existing ones in order to demonstrate the compliance of certain processing activities. This might imply certain product or service categories. A certificate is the ideal instrument to signal compliance as a core value of the product or service and to compete with it against other providers of products or services of the same category, which may have a lower data protection level.

Certificates

Data controllers and processors can build new certificates or use existing ones in order to demonstrate compliance for certain processing activities. This might imply certain product or service categories. A certificate is the ideal instrument in order to signal compliance as a core value of the product or service and to compete with it against other providers of products or services of the same category, which possibly have a lower data protection level.

Codes of Conduct

Data controllers and processors can also set up or use codes of conduct for a certain processing sector. In contrast to certificates, a code of conduct demonstrates compliance not only for a certain processing activity (or product or service), but for a whole bundle of activities typical in that sector. However, since the scope of application of a code of conduct is wider than that of a certificate, it is more complex to set up.

Binding Corporate Rules

Similar to a code of conduct, binding corporate rules do not only refer to a certain processing activity but to a bundle of activities. However, while a code of conduct focuses on a processing sector, binding corporate rules apply to one company. Binding corporate rules are particularly useful for globally operating companies because they can legitimize the transfer of personal data within the company, irrespective of whether this occurs inside or outside the EU.

Advantages

Privacy and Security by Design

Certificates can demonstrate compliance with the privacy by design and security by design requirements under Article 25 GDPR and Article 32 GDPR.

Principle of Responsibility

Certificates and codes of conduct can demonstrate compliance with the principle of responsibility under Article 24 GDPR.

Data Protection Infringement

In the case of a data protection infringement, adherence to certificates or codes of conduct can be decisive for whether an administrative fine is imposed or for its amount.

Legitimisation of Personal Data Transfer

Certifications, codes of conduct and binding corporate rules can provide for appropriate safeguards legitimizing the transfer of personal data to a third country outside the EU (important for the US and soon for the UK).

Service Packages

Privacy Impact Assessments

Including multi-stakeholder processes

Analysis of Data Protection Laws

Focus on the GDPR and the ePrivacy Regulation

Privacy and Security by Design Solutions

Conceptualisation, Development and Support

 

State of the Art Research

Monitoring privacy and security by design solutions

Competitive Advantages

Consultancy on innovation strategies

Standardisation Strategies

Consultancy regarding data protection and security

Certificates, Codes of Conduct, BCR

Consultancy, conceptualisation, support

Innovative Data Protection Events

E.g. legal Hackathons and educational Game Jams

Network

Max von Grafenstein

Lawyer

Partner at iRights.Law

Head of Research “Governance of Data-Driven Innovation” at Alexander von Humboldt Institute for Internet and Society

Jan Schallaböck

Lawyer

Founding Partner at iRights.Law

Vice-Convener to the ISO/IEC Working Group on privacy and identity management

Marcel Hebing

 Data Scientist

Founder of mStats DS

Researcher at German Institute for Economic Research and Alexander von Humboldt Institute for Internet and Society

Lies van Roessel

Game Studies Expert 

Researcher at Hans-Bredow-Institut for Media Research 

Associated Researcher at Alexander von Humboldt Institute for Internet and Society

Ame Elliott

Design Innovation Expert

Design Director Simply Secure

Former design research lead for innovation consultancy IDEO and Silicon Valley research scientist at Xerox PARC and Ricoh Innovations

Eva Schneider

Ethics and Information Expert

Doctoral Candidate at Technische University Berlin

Scholarship Holder at Else Neumann Stiftung

Katharina Beitz

Communication Expert

Founder 

Researcher at Alexander von Humboldt Institute for Internet and Society

Jessica Schmeiss

Business Model Expert

Researcher “Customer Centric Business Model Innovation” at Alexander von Humboldt Institute for Internet and Society

Scholarship Holder at Stiftung der Deutschen Wirtschaft

Advisory Board

Prof. Dr. Dr. Thomas Schildhauer

Computer Scientist and Marketing Expert

Professor at University of the Arts

Director at Alexander von Humboldt Institute for Internet and Society

Prof. Dr. Wolfgang Schulz

Co-regulation expert

Professor at University of Hamburg

Director at Alexander von Humboldt Institute for Internet and Society
