Pierre Dewitte

Doctoral researcher
Centre for IT & IP Law
Sint-Michielsstraat 6 - box 3443
3000 Leuven
Belgium
room: 03.25

tel: +32 16 37 44 15

Pierre Dewitte (1993, Brussels) obtained his Bachelor and Master degrees of Laws with a specialization in Corporate and Intellectual Property law from the Université Catholique de Louvain in 2016 (magna cum laude). As part of his Master program, he spent six months at the University of Helsinki, where he strengthened his knowledge of European law. In 2017, he completed the advanced Master of Intellectual Property and ICT law at the KU Leuven with a special focus on privacy, data protection and electronic communications law (magna cum laude).

Pierre joined the KU Leuven Centre for IT & IP in October 2017 where he conducts interdisciplinary research on privacy engineering, smart cities and algorithmic transparency. Among other initiatives, his main research track seeks to bridge the gap between software engineering practices and data protection regulations by creating a common conceptual framework for both disciplines and providing decision and trade-off support for technical and organizational mitigation strategies in the software development life-cycle.

Publications


  • Monteiro Krebs, Luciana; Alvarado Rodriguez, Oscar Luis; Dewitte, Pierre; Ausloos, Jef; Geerts, David; Naudts, Laurens; Verbert, Katrien; 2019. Tell Me What You Know: GDPR Implications on Designing Transparency and Accountability for News Recommender Systems. Proceeding CHI EA '19 Extended Abstracts of the 2019 CHI Conference on Human Factors in Computing Systems; 2019 Publisher: ACM Digital Library; New York, NY, USA
    LIRIAS2379654
    description
    The GDPR has a significant impact on the way users interact with technologies, especially the everyday platforms used to personalize news and related forms of information. This paper presents the initial results from a study whose primary objective is to empirically test those platforms' level of compliance with the so-called 'right to explanation'. Four research topics considered as gaps in existing legal and HCI scholarship originated from the project's initial phase, namely (1) GDPR compliance through user-centered design; (2) the inclusion of values in the system; (3) design considerations regarding interaction strategies, algorithmic experience, transparency, and explanations; and (4) technical challenges. The second phase is currently ongoing and allows us to make some observations regarding the registration process and the privacy policies of three categories of news actors: first-party content providers, news aggregators and social media platforms.

    Published online
  • presentation
    Ausloos, Jef; Dewitte, Pierre; 2019. Shattering One-Way Mirrors. Data Subject Access Rights in Practice.
    LIRIAS2783299
    Published
  • Dewitte, Pierre; Wuyts, Kim; Sion, Laurens; Van Landuyt, Dimitri; Emanuilov, Ivo; Valcke, Peggy; Joosen, Wouter; 2019. A Comparison of System Description Models for Data Protection by Design. Proceedings of the ACM Symposium on Applied Computing; 2019; Vol. 34; pp. - Publisher: Special Interest Group on Applied Computing
    LIRIAS2355996
    description
    Since the General Data Protection Regulation (GDPR) entered into force, every actor involved in the processing of personal data must comply with Data Protection by Design (DPbD). Doing so requires assessing the risks to data subjects’ rights and freedoms and implementing appropriate countermeasures. While legal experts traditionally apply Data Protection Impact Assessments (DPIA), software engineers rely on threat modeling for their assessment. Despite significant differences, both approaches nonetheless revolve around (i) a description of the system and (ii) the identification, assessment and mitigation of specific risks. In practice, however, DPIAs and threat modeling are usually performed in complete isolation, following their own, unharmonized lexicon and abstractions. Such a disconnect lowers the quality of the assessment and of the conceptual and architectural trade-offs. In this paper, we present (i) an overview of the legal and architectural modeling requirements and (ii) incentives and recommendations for aligning both modeling paradigms in order to support data protection by design from both a legal and a technical perspective.

    Accepted
  • Sion, Laurens; Dewitte, Pierre; Van Landuyt, Dimitri; Wuyts, Kim; Emanuilov, Ivo; Valcke, Peggy; Joosen, Wouter; 2019. An Architectural View for Data Protection by Design. 2019 IEEE International Conference on Software Architecture (ICSA); 2019; pp. 11 - 20 Publisher: IEEE
    LIRIAS2378836
    description
    © 2019 IEEE. Data Protection by Design (DPbD) is a truly interdisciplinary effort that involves many stakeholders such as legal experts, requirements engineers, software architects, developers, and system operators. Building software-intensive systems that respect the fundamental rights to privacy and data protection is the result of intensive dialogue and careful trade-off decisions. In practice however, there is a dichotomy between the legal reasoning which is conducted in Data Protection Impact Assessments (DPIA) and software engineering approaches, such as threat modeling, aimed at identifying privacy requirements and privacy risks. These activities are commonly performed in total isolation, which negatively impacts (i) the compliance exercise, (ii) the ability to evolve the system over time, and (iii) the architectural trade-offs made during system design. In this article, we present an architectural viewpoint for describing software architectures from a legal, data protection perspective whose core modeling abstractions are based on an in-depth legal analysis of the EU General Data Protection Regulation. This viewpoint is tied to Data Flow Diagrams, commonly used in threat modeling, through correspondence rules. The proposed viewpoint supports the automation of a number of data protection impact assessment steps through (i) meta-model constraints, (ii) model analysis, and (iii) interaction with the involved stakeholders. This enables a streamlined compliance exercise, reconciling legal privacy and data protection notions with architecture-driven software engineering practices. We validate our approach in the context of a realistic e-health application for a number of complementary development scenarios.

    Accepted
  • presentation
    Dewitte, Pierre; 2018. Beyond Privacy Policies: Challenges, trends and solutions to foster transparency in the digital era. Publisher: https://my.iapp.org/nc__event?id=a0l1a00000CqeD7AAJ
    LIRIAS2342834
    description
    Please join us at the upcoming Brussels KnowledgeNet Chapter meeting and discuss how to address the transparency requirements of the General Data Protection Regulation (GDPR). Attendees will learn about latest initiatives from the academic world and hear the views of a well-known consumer organisation (Test-Achats) on the matter.

    Published
  • other
    Dewitte, Pierre; 2018. Email me not: direct marketing, GDPR and ePrivacy Regulation. Publisher: CiTiP Blog
    LIRIAS2336293
    description
    The sending of direct marketing communications is regulated by both the General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePD), which will be replaced by the ePrivacy Regulation (ePR). While the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have called for the timely adoption of the latter instrument, final negotiations are likely to be delayed to May 2019 at the earliest. However, the rules governing direct marketing communications have remained fairly consistent across the different versions of the text. Given the recent avalanche of compliance emails, this blogpost aims at deciphering the interactions between these two coexisting – yet largely intertwined – regulatory frameworks. This is also illustrated by the diagram below.

    Published online
  • other
    Dewitte, Pierre; 2018. GDPR and HCI, a perfect match? A data protection lawyer’s perspective on CHI 2018. Publisher: CiTiP Blog
    LIRIAS1988487
    description
    The entry into force of the General Data Protection Regulation (GDPR) on the 25th of May 2018 has marked the beginning of a new era for businesses processing personal data, granting data subjects increased control over their data and placing heavier burdens on controllers. While compliance with the GDPR has mainly been apprehended from a legal perspective so far, ongoing research in the field of Human-Computer Interaction (HCI) offers refreshing and innovative answers to many data protection challenges. In that context, I took the plunge and infiltrated the ACM CHI Conference on Human Factors in Computing Systems in an attempt to identify key-areas where both disciplines could benefit each other.

    Published online
  • presentation
    Kuczerawy, Aleksandra; Ausloos, Jef; Dewitte, Pierre; 2018. Shattering One-Way Mirrors The Right of Access in Practice.
    LIRIAS2334426
    Published
  • media
    Verhenneman, Griet; Dewitte, Pierre; 2018. A financial gap in your hospital? Let’s sell some patient data (Part II). Publisher: https://www.law.kuleuven.be/citip/blog/
    LIRIAS1712011
    description
    A debated plan of certain Belgian hospitals to sell patient data to an American multinational which would, based on those data, also provide pharmaceutical companies with strategic commercial information, caused us to investigate if such practice could be legal under the GDPR. In the first blog post we argued that hospitals are – just like any other controller or processor – bound by the purpose limitation principle. Circumventing this principle by relying on the anonymization of patient data, was not convincing given the GDPR’s definition of personal data. Can the initial limitations be circumvented by considering the transfer as a new processing activity based on the informed consent of the patient? In this blog post we investigate the conditions to valid informed consent to assess the legality of such practice.

    Published
  • Ausloos, Jef; Dewitte, Pierre; 2018. Shattering one-way mirrors – data subject access rights in practice. International Data Privacy Law; 2018; Vol. 8; iss. 1; pp. 1 - 25
    LIRIAS1711864
    description
    The right of access occupies a central role in EU data protection law’s arsenal of data subject empowerment measures. It can be seen as a necessary enabler for most other data subject rights as well as an important role in monitoring operations and (en)forcing compliance. Despite some high-profile revelations regarding unsavoury data processing practices over the past few years, access rights still appear to be underused and not properly accommodated. It is especially this last hypothesis we tried to investigate and substantiate through a legal empirical study. During the first half of 2017, around 60 information society service providers were contacted with data subject access requests. Eventually, the study confirmed the general suspicion that access rights are by and large not adequately accommodated. The systematic approach did allow for a more granular identification of key issues and broader problematic trends. Notably, it uncovered an often-flagrant lack of awareness; organization; motivation; and harmonization. Despite the poor results of the empirical study, we still believe there to be an important role for data subject empowerment tools in a hyper-complex, automated, and ubiquitous data-processing ecosystem. Even if only used marginally, they provide a checks and balances infrastructure overseeing controllers’ processing operations, both on an individual basis as well as collectively. The empirical findings also allow identifying concrete suggestions aimed at controllers, such as relatively easy fixes in privacy policies and access rights templates.
    Publisher: Oxford University Press
    Published
  • other
    Ausloos, Jef; Dewitte, Pierre; 2018. Shattering One-Way Mirrors. Data Subject Access Rights in Practice. Publisher: CiTiP Working Paper Series: Issue 31/2018
    LIRIAS1712006
    description
    The right of access occupies a central role in EU data protection law's arsenal of data subject empowerment measures. It can be seen as a necessary enabler for most other data subject rights as well as an important role in monitoring operations and (en)forcing compliance. Despite some high-profile revelations regarding unsavoury data processing practices over the past few years, access rights still appear to be underused and not properly accommodated. It is especially this last hypothesis we tried to investigate and substantiate through a legal empirical study. During the first half of 2017, around sixty information society service providers were contacted with data subject access requests. Eventually, the study confirmed the general suspicion that access rights are by and large not adequately accommodated. The systematic approach did allow for a more granular identification of key issues and broader problematic trends. Notably, it uncovered an often-flagrant lack of awareness; organisation; motivation; and harmonisation. Despite the poor results of the empirical study, we still believe there to be an important role for data subject empowerment tools in a hyper-complex, automated and ubiquitous data-processing ecosystem. Even if only used marginally, they provide a checks and balances infrastructure overseeing controllers' processing operations, both on an individual basis as well as collectively. The empirical findings also allow identifying concrete suggestions aimed at controllers, such as relatively easy fixes in privacy policies and access rights templates.

    Published
  • Ausloos, Jef; Dewitte, Pierre; Geerts, David; Valcke, Peggy; Zaman, Bieke; 2018. Algorithmic Transparency and Accountability in Practice.
    LIRIAS1712014
    description
    This position paper aims to contribute to the debate on algorithmic transparency and accountability, relating it to compliance with the so-called right to an explanation in EU data protection law. We propose a research agenda based on legal-empirical data, that will constitute the basis for pinpointing key issues, evidence-based policy guidance and conducting further interdisciplinary research. Based on this research agenda, we are preparing the co-creation of a concrete prototype for making recommendation algorithms for news curation understandable to the average individual. This position paper is the result of a collaboration between two research centres, with expertise in law (CiTiP) and Human-Computer Interaction (Mintlab), enabling a more holistic perspective on a critical societal issue.

    Published
  • media
    Verhenneman, Griet; Dewitte, Pierre; 2017. A financial gap in your hospital? Let’s sell some patient data (Part I). Publisher: https://www.law.kuleuven.be/citip/blog/
    LIRIAS1711934
    description
    Would you mind if your medical data were sold by hospitals to commercial partners for marketing purposes? Should you ask patients their opinion on that issue? Chances are high you will get only negative answers. Several Belgian hospitals nevertheless considered selling patient data to an American multinational which in turn provides pharmaceutical companies strategic commercial information. This post questions the reasoning of Belgian hospitals which is built on anonymization and shows that hospitals are restricted by the purpose limitation principle in the use of patient data. A second blog post will further investigate if under GDPR provisions such practice could be legal after all.

    Published