Stefano Fantin
Centre for IT & IP Law
Sint-Michielsstraat 6 - box 3443
3000 Leuven
Belgium
room: 04.25
tel: +32 16 37 27 91
Stefano's expertise is centered on legal and public policy aspects of national and international security, including data protection and cyber governance in the law enforcement, defense and intelligence sectors. A graduate of the University of Trieste Law School (Italy) and TILT - Tilburg Institute for Law, Technology and Society (Netherlands), he gained first-hand experience as a trainee at Europol and at the European Data Protection Supervisor.
He then served at the Cabinet Office of the British Government (GDS), with the functions of Data Protection Analyst. In Whitehall, he also worked on GDPR implementation, national cyber security strategy and on the UK withdrawal from the European Union.
Stefano joined CiTiP in 2017, where he has led legal tasks in projects on online terrorism, EU - Japan cybersecurity policies, critical infrastructure protection and electronic evidence exchange. Since 2019, he has been a doctoral candidate researching governance and accountability of national security agencies. A member of the Strategic Program Cybersecurity Initiative Flanders (CIF), he sits on the Ethics Advisory Board of the AIDA project (fighting cybercrime and terrorism).
He is also an Affiliated Researcher at the Brussels think-tank CEPS (Center for European Policy Studies) for its Cybersecurity Initiative, where he worked on policy items like zero-day vulnerabilities and EU cyber defense. At CEPS, he is the current Rapporteur for the AI and Cybersecurity Task Force.
-
Fantin, Stefano;
2020.
Are They Ready for Machines? The Right of Access in the Security and Police Domains - Europol EDEN Conference.
LIRIAS3351401
Accepted -
Fantin, Stefano; Felkner, Anna; Kadobayashi, Youki; Janiszewski, Marek; Ruiz, Jose Francisco; Kozakiewicz, Adam; Blanc, Gregory;
2020.
Cybersecurity Research Analysis Report for Europe and Japan: Cybersecurity and Privacy Dialogue Between Europe and Japan.
Publisher: Springer International Publishing
LIRIAS3274652
This book contains the key findings related to cybersecurity research analysis for Europe and Japan collected during the EUNITY project. A wide-scope analysis of the synergies and differences between the two regions, the current trends and challenges is provided. The survey is multifaceted, including the relevant legislation, policies and cybersecurity agendas, roadmaps and timelines at the EU and National levels in Europe and in Japan, including the industry and standardization point of view, identifying and prioritizing the joint areas of interests. Readers from both industry and academia in the EU or Japan interested in entering international cybersecurity cooperation with each other or adding an R&D aspect to an existing one will find it useful in understanding the legal and organizational context and identifying most promising areas of research. Readers from outside EU and Japan may compare the findings with their own cyber-R&D landscape or gain context when entering those markets.
Published -
Biasin, Elisabetta; Kindt, Els; Chelioudakis, Eleftherios; Herveg, Jean; Louis, Linda Beatrice; Gijrath, Serge; van der Linden, Tina;
2020.
International Academic Report on Data Localisation and the GDPR (subject to confidentiality agreement).
Study coordinated by Milieu, KU Leuven, University of Namur, Leiden University and Vrije Universiteit Amsterdam.
Type: report
LIRIAS3278864
Accepted -
Fantin, Stefano;
2020.
Hybrid Threats Against Critical Infrastructures: Alerting the Citizens in the Aftermath of an Attack.
InfraStress project newsletter #2; 2020
LIRIAS3190169
Recent accidents involving chemical substances around the world sparked new and upcoming interest in the procedures that economic operators have to undertake to make the handling of hazardous substances secure. The blast in the Port of Beirut (Lebanon), which destroyed the whole area in its proximity, was seen as an occasion to reflect on the efforts made by the European Union to ensure the security and safety of procedures for the handling of chemical materials and the performance of critical infrastructures. Let us therefore go through the main notification obligations in case an incident occurs on European soil.
Accepted -
Fantin, Stefano; Emanuilov, Ivo; Vogiatzoglou, Plixavra; Marquenie, Thomas;
2020.
Purpose Limitation By Design As A Counter To Function Creep And System Insecurity In Police Artificial Intelligence (UNICRI Special Collection on AI in Criminal Justice).
LIRIAS3148579
AI’s dual nature makes it both a threat and a means to protect human rights and information technology systems. Amongst others, issues pertaining to the opacity and inclusion of potential biases in algorithmic processes as well as the inherent security vulnerabilities of such applications, unveil a tension between such technological pitfalls and the aptness of current regulatory frameworks. As a consequence, normative concepts might need to be reconsidered as to support the development of fair AI. This paper reflects on the importance of the purpose limitation principle and its role in the design phase, to mitigate the adverse impact of AI on human rights and the security of information systems. To define, elaborate, and ‘manufacture’ the purpose for which AI is deployed is critical for mitigating the intrusive impact on human rights. However, the inevitable uncertainty in the formulation of these objectives may lead to scenarios where machines do what we ask them to do, but not necessarily what we intend. Moreover, the continuous development of a system’s capabilities may allow for uses far beyond the scope of its originally envisaged deployment and purpose. In an AI context, the deployment of AI beyond its originally specified, explicit and legitimate purposes can lead to function creep as well as exacerbate security incidents. For example, AI systems intended for specific crime prevention goals might gradually be repurposed for unwarranted surveillance activities not originally considered. Furthermore, the lack of a defined purpose in combination with the inherent security vulnerabilities of AI technology draw into question the suitability of using machine learning tools in complex information technology systems. In data protection law, the principle of purpose limitation requires the purposes for which data is processed to be specified, and subsequent use limited thereto (OECD, 1981). 
This paper seeks to determine whether this principle can address the consequences of function creep by exploring the use cases of predictive policing and information systems security. It is argued that, although this core principle can improve the security of AI systems and their better alignment with human rights, it currently often fails to do so. We propose that a more incisive assessment of the envisioned purposes should take place during the design phase to improve the security of AI systems and their better alignment with human rights.
Published -
Fantin, Stefano;
2020.
Schrems 2, Privacy Shield And Transatlantic Data Flows. Part Two: The impact of Schrems 2, a list of homework (comment).
Publisher: CiTiP
LIRIAS3083387
In the wake of the Schrems 2 decision – and as a second part of the analysis of the 16/7 ruling (see first part here), below is a comment on the broader meaning of the judgement and its impact on the parties involved. If you are a controller exporting data to the US, the European Commission, a national DPA or the US Government, here’s a list of homework that are expected from you in the weeks and months ahead of us.
Published online -
Fantin, Stefano;
2020.
Schrems 2, Privacy Shield And Transatlantic Data Flows. Part One: The (Un)Expected Groundhog Day (Summary Of CJEU Decision).
Publisher: CiTiP
LIRIAS3083386
The Schrems 2 decision by the European Court of Justice (CJEU) is finally here. Five years after the first EU-US Agreement (Safe Harbor) was invalidated, the CJEU annuls the second version of the transatlantic deal (Privacy Shield), at the same time posing strict limits on the viability of Standard Contractual Clauses for EU-US data transfers. Let us take a look at the judgment, so to understand whether the Court followed the AG’s recommendations and what consequences could be envisioned for the future of EU-US data transfers. This is the first of two blogposts. While the past episodes of the Schrems lawsuits and the findings of the Court are discussed here, in a second blogpost I will elaborate on several key takeaways and the broad significance of the Decision.
Published online -
Fantin, Stefano;
2020.
Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems: AG Discusses the Validity of Standard Contractual Clauses and Raises Concerns Over Privacy Shield (C-311/18 Schrems II, Opinion of AG Saugmandsgaard Øe).
European Data Protection Law Review; 2020; Vol. 6; iss. 2; pp. 325 - 331
Type: journal-article
LIRIAS3063579
The fact that personal data transferred for commercial purposes to the US under standard contractual clauses may later be accessed by US security services does not render the whole legal framework invalid per se. Under such schemes, a case-by-case approach is to be adopted, whereby appropriate data protection safeguards are expected to be monitored ex-ante by data controllers and ex-post by national data protection authorities. Conversely, transfers carried out under the Privacy Shield unveil questions on the effectiveness of the scheme to offset deficiencies of the US framework regulating foreign intelligence activities, with respect to the protection of European citizens’ fundamental rights.
Publisher: Lexxion
Published -
Fantin, Stefano;
2020.
EU Digital Policy: On The Right to Privacy (lecture at LUISS University School of Government, Rome - Master in European Studies: EU Institutions and Public Policy).
Type: presentation
LIRIAS3040187
In this lecture I provide an overview on the main historical (legal) events for the consolidation of the right to privacy across the world, for then focusing on the GDPR, its main principles, its broad policy significance and the right to data protection
Accepted -
Fierens, Michiel; Fantin, Stefano;
2020.
CIF Seminar: NIS-Directive and Cybersecurity Act.
LIRIAS2965134
The aim of this presentation is to provide some basic inputs about the most recent legislation on cybersecurity issued by the EU. More specifically, the first part of the presentation will give a broad overview of the policy landscape that led the law-maker to legislate back in 2015-2016. Having set up the basis (inter alia, touching upon some fundamentals of EU law), we will go through the main parts of the NIS Directive, what obligations the law entails on Member States and economic actors (including on incident reporting), and what lessons we can learn from it. The second part of the presentation will brief on the newly introduced Cybersecurity Act, which regulates on the role of ENISA and a pan-European cybersecurity certification scheme.
Published -
Fantin, Stefano;
2020.
Backdoors and vulnerabilities: cybersecurity and national security perspectives (CPDP 2020).
Type: presentation
LIRIAS2942226
national security perspectives within the following panel (panel abstract): Communicating in a private way: why should you care? Communicating with our family, friends, and other relevant people of our lives in a private manner is the foundation of our democratic societies. https://www.cpdpconferences.org/events/communicating-in-a-private-way-why-should-you-care Yet, how can communication be private, if service providers can read our messages and share our data with other companies for profiling and marketing reasons? How can communication be secure, if companies are obliged to build a backdoor so that law enforcement agencies can access our information at their will? There is no easy answer! This is why we will discuss the importance of private messaging systems and solutions like end-to-end encryption. We will also analyze reasons against private communication, like security, crime fighting, and legitimate commercial interests.
Accepted -
Fantin, Stefano; Pupillo, Lorenzo; Ferreira, Afonso;
2020.
Artificial Intelligence and Cybersecurity: Technology, Governance and Policy Challenges - Task Force Evaluation of the HLEG Trustworthy AI Assessment List (Pilot Version).
Artificial Intelligence and Cybersecurity: Technology, Governance and Policy Challenges - Task Force Evaluation of the HLEG Trustworthy AI Assessment List (Pilot Version); 2020
Publisher: CEPS - Center for European Policy Studies
LIRIAS2942227
The Centre for European Policy Studies launched a Task Force on Artificial Intelligence (AI) and Cybersecurity in September 2019. The goal of this Task Force is to bring attention to the market, technical, ethical and governance challenges posed by the intersection of AI and cybersecurity, focusing both on AI for cybersecurity but also cybersecurity for AI. The Task Force is multi-stakeholder by design and composed of academics, industry players from various sectors, policymakers and civil society. The Task Force is currently discussing issues such as the state and evolution of the application of AI in cybersecurity and cybersecurity for AI; the debate on the role that AI could play in the dynamics between cyber attackers and defenders; the increasing need for sharing information on threats and how to deal with the vulnerabilities of AI-enabled systems; options for policy experimentation; and possible EU policy measures to ease the adoption of AI in cybersecurity in Europe. As part of such activities, this report aims at assessing the High-Level Expert Group (HLEG) on AI Ethics Guidelines for Trustworthy AI, presented on April 8, 2019. In particular, this report analyses and makes suggestions on the Trustworthy AI Assessment List (Pilot version), a non-exhaustive list aimed at helping the public and the private sector in operationalising Trustworthy AI. This report would like to contribute to this revision by addressing in particular the interplay between AI and cybersecurity. This evaluation has been made according to specific criteria: whether and how the items of the Assessment List refer to existing legislation (e.g. 
GDPR, EU Charter of Fundamental Rights); whether they refer to moral principles (but not laws); whether they consider that AI attacks are fundamentally different from traditional cyberattacks; whether they are compatible with different risk levels; whether they are flexible enough in terms of clear/easy measurement, implementation by AI developers and SMEs; and overall, whether they are likely to create obstacles for the industry.
Published -
Fantin, Stefano;
2020.
Use of Data in Security and Law Enforcement Research.
Type: presentation
LIRIAS2934645
Presentation about the legal challenges of data sharing in security and law enforcement research project addressing terrorism and cybercrime challenges
Accepted -
Fantin, Stefano; Valcke, Peggy; Specchio, Giuseppe;
2019.
Modern Issues in Cyber Forensics and Digital Intelligence: A Critical, Case-Studies-Based Overview in Light of the Announced Legislative Reforms.
Rivista italiana di informatica e diritto; 2019; iss. 2; pp. 1 - 19
LIRIAS2872565
While both international and European law-makers are currently in the process of introducing new laws regulating the fight against cybercrime and the exchange of digital evidence amongst competent authorities, this paper elaborates on a series of investigative challenges deriving from the application of current cybercrime norms in a number of jurisdictions, unveiling a tension between the current legal system and its interpretation by the law enforcement and judicial community. This study analyzes the research undertaken on the legal and regulatory uncertainties observed in the Italian framework, as well as in other European and non-European jurisdictions, by ways of comparative analysis. The main international legal instrument on cybercrime is the Council of Europe’s Convention on Cybercrime (‘Cybercrime Convention’), signed in 2001 and then ratified by almost 60 countries worldwide over the last 17 years. Aimed at raising awareness to national and international policy and law makers, this paper intends to critically demonstrate how the implementation of such a treaty into domestic laws has not always been smooth. It often presents interpretative issues, which add up to the growing difficulties for both law enforcement and judicial bodies to cope with the challenges arising by countering new and innovative forms of criminal activities in the cyberspace.
Publisher: IGSG-CNR
Published online -
Fantin, Stefano; Bruni, Alessandro;
2019.
Research on the Cooperation Processes Between Industry and Law Enforcement in the Digital and Telecommunications Sectors.
Research on the Cooperation Processes Between Industry and Law Enforcement in the Digital and Telecommunications Sectors; 2019; pp. 1 - 47
Publisher: SSRN
LIRIAS2866239
The present document intends to provide an overview on certain elements that should be taken into account in the legislative development of the EC’s framework on cross-border access to electronic data by law enforcement (so-called eEvidence proposal). To do so, the qualitative and quantitative analysis carried out by the KU Leuven Centre for IT and IP Law considers the current legal framework at European and Member State levels together with key judgments of the European Court of Justice. The quantitative analysis provides the outcomes of the survey that has been carried out with representatives from law enforcement agencies and competent authorities of selected countries within the EU.
Published online -
Fantin, Stefano;
2019.
Artificial Intelligence (A.I.) for Security.
Type: presentation
LIRIAS2860571
What are the security and cybersecurity aspects of A.I.? This presentation sheds lights on the impact of A.I. for the security threat landscape and the principle of control in various security doctrines and applications
Published -
Fantin, Stefano; Miadzvetskaya, Yuliya;
2019.
Poster Showcase "InfraStress Project: Law and Policy Aspects of Protecting Chemical Plants and Critical Infrastructures Against Hybrid Threats".
Type: presentation
LIRIAS2860582
poster presentation on the legal tasks within the InfraStress project
Published -
Vogiatzoglou, Plixavra; Fantin, Stefano;
2019.
National and Public Security within and beyond the Police Directive.
Security and Law. Legal and Ethical Aspects of Public Security, Cyber Security and Critical Infrastructure Security; 2019; Vol. 7; pp. 27 - 62
Publisher: Intersentia; Cambridge, Antwerp, Chicago
LIRIAS2860651
Published -
2019.
Security and Law. Legal and Ethical Aspects of Public Security, Cyber Security and Critical Infrastructure Security.
Publisher: Intersentia; Cambridge, Antwerp, Chicago
LIRIAS2858828
This book combines theoretical discussions of the concepts at stake and case studies following the relevant developments of ICT and data-driven technologies. Part I sets the scene by considering definitions of security. Part II questions whether and, if so, to what extent the law has been able to regulate the use of ICT and data-driven technologies as a means to maintain, protect or raise security, in search of a balance between security and other public values, such as privacy and equality. Part III investigates the regulatory means that can be leveraged by the law-maker in attempts to secure products, organizations or entities in a technological and multi-actor environment. Lastly, Part IV discusses typical international and national aspects of ICT, security and the law.
Published -
Fantin, Stefano;
2019.
When security and freedom of speech stand together: why banning Facebook during a terrorist attack is not entirely a good idea.
Publisher: CiTiP
LIRIAS2835896
In the aftermath of the terrorist attacks in Sri Lanka, a large group of columnists have started debating on the decision by the local government to shut down Facebook due to the number of fake news that were spreading on social media. Many of them, including the famous NYT editorialist Kara Swisher, praised the initiative. Here is why I think a more balanced approach should be considered, instead, one that protects freedom of expression while ensuring safety and security
Published online