Selected Recordings

The panel debated the proposed Digital Omnibus regulation that aims to simplify the ePrivacy Directive. Panelists questioned whether the proposal modernizes online tracking rules or erodes fundamental rights by broadening consent exemptions. Itxaso Dominguez de Olazabal argued the proposal shifts focus from protecting confidentiality of communications under Article 5(3) ePrivacy to removing obstacles for business data access. Rosa Barcelo highlighted tensions between standardized browser consent signals under Article 88b and GDPR's requirement for granular consent. Cristiana Teixeira Santos showed that tracking evolved from cookies to server-side tracking and Unified ID 2.0, and that Consent Management Platforms often fail to propagate user refusal to third-party vendors. The panel concluded the proposal risks becoming a cosmetic fix.

Rob van Eijk shared his perspective on Agentic AI and Neuro-symbolic AI and their impact on privacy over the next decade. He spoke at the 10th anniversary celebration of the Brussels Privacy Hub at the Vrije Universiteit Brussel.

Rob van Eijk moderated this panel on bridging the adoption gap for Privacy Enhancing Technologies (PETs). Sarah Holland from Google argued that secure multiparty computation and Trusted Execution Environments can drive business value. She proposed that PETs should strengthen the GDPR legitimate interest balancing test. Christian Reimsbach-Kounatze from the OECD identified cost and skill gaps as major barriers for SMEs. He called for a global repository of PET use cases and standards. Valda Beizitere from the European Commission highlighted the eIDAS digital wallet and age verification as public sector drivers. She grounded PET adoption in GDPR Article 25 on data protection by design. The panel also discussed regulatory sandboxes, open-source libraries, and government procurement as catalysts for market maturity.

This panel explored the friction between the EU Data Strategy, AI regulation, and GDPR. Rob van Eijk outlined the legislative interplay and highlighted the Digital Markets Act (DMA) Article 6(11) on data sharing and the AI Act's implementation timeline. Patricia Vidal defended subscription models from an antitrust perspective and cited the Bundeskartellamt ruling to argue that dominance is not abusive per se. Luca Bolognini critiqued the EDPB's strict interpretation of legitimate interest and necessity. He urged a practical rationality approach under Charter Article 52. Peter Craddock argued that regulators ignore business realities in AdTech. He contrasted abstract privacy definitions with contract law standards. The debate centered on pay-or-consent models and the clash between economic growth and fundamental rights.

Rob van Eijk joined MEPs Brando Benifei and Francisca Hortal Foronda for a panel on digital regulation at the EU level. The discussion followed the Belgian premiere of The Click Trap, a documentary examining how digital advertising and micro-targeting fuel disinformation and threaten democracies. Kait Bolongaro moderated the panel.

This virtual panel launched the Prime[d] To Buy report on flash sales and deceptive design. Rob van Eijk joined Divij Jhamb, Akriti Rai, Caroline Sinders, Karthik Rajmohan, and Pierre Janin to examine how e-commerce platforms use dark patterns to manipulate consumer choices. Siddharth Vasudevan moderated the discussion. The report was published by the Advanced Study Institute of Asia (ASIA).

Rob van Eijk, Managing Director for Europe at the Future of Privacy Forum, urged regulators to deepen their technical understanding of the advertising ecosystem. He argued that regulators must grasp the mechanics, limitations, and opportunities of specific technologies, particularly APIs, to accurately assess impacts on personal rights and freedoms. Van Eijk warned against a disconnect between established privacy principles and the rapidly evolving digital value chain. He emphasized the necessity of tracing data flows generated by web services to ensure effective enforcement.

In this EDAA Summit 2023 highlight reel, Rob van Eijk appears at 1m51s arguing that a self-regulation framework in today's day and age needs to have teeth. He called demonstrating this capability the most critical challenge to ensure the continued relevance of self-regulatory frameworks in digital advertising.

Jules Polonetsky, Rob van Eijk, and Tobias Judin from the Norwegian DPA discussed the EDPB's permanent ban on Meta's behavioral advertising. Judin detailed Norway's use of the GDPR Article 66 urgency procedure, effectively bypassing the One-Stop-Shop mechanism because Meta failed to utilize valid legal bases like Article 6(1)(f) on legitimate interest. The panel debated the viability of legitimate interest for first-party profiling versus third-party data tracking. They referenced the German Bundeskartellamt ruling and CJEU Case C-621/22. Van Eijk analyzed technical impacts on Real-Time Bidding (RTB) and the IAB Transparency and Consent Framework. The panel also critiqued the legality of Pay or Okay subscription models.

Rob van Eijk joined hosts Jon Lebkowsky, Scoop Sweeney, and Wendy M. Grossman to analyze the evolution of ad-tech. Van Eijk detailed the mechanics of Real-Time Bidding (RTB) and the transition from third-party cookies to browser-based privacy standards like Google's Topics API and Protected Audience API. The discussion contrasted US consumer law with European frameworks like the GDPR, ePrivacy Directive, and the Digital Services Act (DSA), particularly regarding age verification. Van Eijk introduced the concept of hyper-nudging, arguing that Generative AI will hyper-optimize A/B testing to manipulate user behavior in real time. He predicted a shift from an anonymous open web to a platform economy reliant on strong identity verification.

Jules Polonetsky moderates a discussion with Christina Michelakaki and Rob van Eijk on five years of enforcing GDPR Article 25 (Data Protection by Design and Default). Michelakaki highlights divergent regulatory interpretations. An Austrian ruling required actual harm while a Belgian decision penalized a controller for adopting Microsoft services without prior assessment. She details a Hungarian case involving AI voice emotion recognition. Van Eijk discusses a Dutch hospital fine for insufficient access logging and lack of Multi-Factor Authentication, citing ISO 27000 standards as a security baseline. The panel explores the EuroPrivacy certification mechanism under Article 42, Privacy Enhancing Technologies, and connections to the EU AI Act.

This panel explored the tension between digital advertising revenue and user privacy through Privacy Enhancing Technologies (PETs). Anthony Chavez detailed Google's Privacy Sandbox and Protected Computing initiatives. He argued that differential privacy and the Topics API can replace third-party cookies while maintaining utility. Rob van Eijk warned against AI-driven hyper-nudging and emphasized GDPR Article 25 on Privacy by Design. Marie-Paule Benassi introduced the European Commission's Cookie Pledge to mitigate consent fatigue under consumer protection laws. Stefan Hanloser contested that contextual advertising is less profitable than targeted models and feared new tech intermediaries will dominate the market. Christian Reimsbach-Kounatze discussed an OECD report highlighting cost barriers to PET adoption.

Rob van Eijk moderates a masterclass with Lindsay Carignan, Nigel Kingsman, Victor Ruehle, and Reza Shokri on technical auditing for AI and machine learning systems. Carignan and Kingsman from Holistic AI examine bias auditing under NYC Local Law 144 and the EU AI Act, contrasting equality of outcome with equality of opportunity using the Disparate Impact metric. Ruehle and Shokri then address privacy risk in ML systems. They present Membership Inference Attacks as a standardized metric to quantify re-identification risk and introduce the open-source ML Privacy Meter. The panel evaluates Differential Privacy, PII scrubbing, and Federated Learning, emphasizing the trade-offs between model utility and privacy guarantees. Essential viewing for practitioners implementing technical audits for regulatory compliance.

Nieuwsuur investigates the scale of fraud in online advertising and its impact on the industry. Rob van Eijk of the Future of Privacy Forum is interviewed as an expert on programmatic advertising and adtech ecosystems. The segment examines how automated buying systems create opportunities for fraudulent actors to generate fake impressions, bot traffic, and click fraud, costing advertisers billions annually. Van Eijk explains how the layered complexity of the real-time bidding supply chain makes it difficult for brands to detect where their advertising spend actually ends up.

Press conference for the 15th anniversary edition of CPDP 2022, returning to Brussels in person under the theme Data Protection and Privacy in Transitional Times. Bianca-Ioana Marcu presents 90 panels across topics including the EU AI Act and international data flows. Leonardo Cervera-Navas of the EDPS argues that technological progress requires robust ethical governance. Gloria González Fuster announces the Data Protection Law Scholars Network. Rob van Eijk introduces a masterclass on Privacy Enhancing Technologies and a panel on mobility data sharing. Thierry Vandenbussche previews the Privacytopia arts festival. Jelle Hoedemaekers describes AI for Belgium's work connecting 450 organisations to trustworthy AI policy. Paul De Hert reflects on Brussels as a global centre for technology regulation.

Rob van Eijk of the Future of Privacy Forum presents alongside Jonas Breuer and Ine van Zeeland of SMIT at VUB the results of their Data Walks project in Belgium. Breuer and Van Zeeland took groups of citizens on physical tours of smart city infrastructure in three Belgian cities, stopping at cameras, sensors, and smart bins to gauge public reactions. Over 14 walks with more than 100 participants revealed that transparency notices are largely ineffective and that citizens care more about the purpose of data collection than technical compliance details. The project found that citizen feedback can enrich DPIAs by replacing office-based expert assessment with grounded democratic input. Van Eijk highlights privacy-friendly alternatives such as infrared sensors that count cyclists without capturing images.

Gabriela Zanfir-Fortuna moderates a Future of Privacy Forum roundtable on automated decision-making under the GDPR. Sebastião Barros Vale presents findings from the FPF report analysing over 70 court judgments and DPA decisions on Article 22. Mireille Hildebrandt, Gianclaudio Malgieri, Brendan Van Alsenoy, and Rob van Eijk examine what constitutes solely automated processing and whether token human review counts as a meaningful check. The panel analyses the legal or similarly significant effects threshold through cases involving Uber, Ola, Deliveroo, and Clearview AI. Speakers address transparency obligations, trade secret limits on explanation rights, and the burden of proof on data subjects. The discussion concludes with the forthcoming Schufa case at the CJEU as a pivotal moment for credit scoring under the GDPR.

Laura De Boel moderates a Mozilla Festival 2022 panel examining the next structural shift in the data economy. Joanna Bryson of the Hertie School, Rob van Eijk of the Future of Privacy Forum Europe, Jonathan Greenglass of Coil, Piotr Korzeniowski of Piwik PRO, and Jan Wittek of eyeo each bring distinct perspectives from AI ethics, privacy policy, web monetization, privacy-friendly analytics, and responsible advertising. The discussion maps how tightening data protection rules, browser privacy changes, and shifting public expectations are reshaping how companies collect, process, and monetise data. Speakers explore what the next generation of data practices looks like and how stakeholders can build approaches that are both commercially viable and respectful of individual rights.

Rob van Eijk moderates a CPDP 2022 panel on whether the EU Mobility Data Space and the Data Act can serve the common good while protecting citizens' rights. Speakers examine the European Commission's data strategy, including the Data Governance Act and the Data Act, which introduce B2G data-sharing obligations and user access rights for IoT-generated data. Arjan Kapteijn of the Dutch Data Protection Authority reports on smart city enforcement findings, showing municipalities misclassify mobility data as non-personal to avoid GDPR obligations. David Wagner of the German Research Institute for Public Administration argues that movement data is nearly impossible to truly anonymise because mobility patterns are highly individualising. The panel concludes that clear standards, meaningful DPIAs, and transparent deployment are prerequisites for public-benefit use of mobility data.

Rob van Eijk moderates a CPDP 2022 masterclass surveying the state of de-identification techniques under GDPR. Van Eijk opens by revisiting the 2016 FPF de-identification infographic and situating it against GDPR's updated anonymization standard. Sophie Stalla-Bourdillon and Alfred Rossi of Immuta present homomorphic encryption as a technique allowing computation on encrypted data without decryption. Naoise Holohan of IBM Research introduces differential privacy as a mathematical framework for quantifying privacy loss through calibrated noise injection, explaining epsilon values and the privacy-utility trade-off. Lucy Mosquera of Replica Analytics demonstrates synthetic data generation techniques including sequential synthesis, variational autoencoders, and generative adversarial networks. The masterclass emphasizes combining multiple privacy-enhancing technologies for comprehensive protection and equips practitioners with understanding of which techniques meet GDPR anonymization thresholds and under which conditions.

Tanvi Vyas of Mozilla and Rob van Eijk of the Future of Privacy Forum Europe deliver the fifth session of the CPRA Law and Tech Series, co-hosted with the California Lawyers Association. Van Eijk provides a technical breakdown of how online tracking operates through ad anatomy, browser rendering, third-party cookies, and cross-site data flows. Vyas traces the history of privacy controls from opt-out cookies and Do Not Track to the Global Privacy Control specification. GPC sends an HTTP header that binding US state laws now require companies to honour, unlike its predecessor DNT which lacked legal enforcement. Van Eijk introduces the Advanced Data Protection Control as a European equivalent handling both opt-outs and GDPR consent signals.

Rob van Eijk is interviewed on Max Meldpunt, Omroep Max's consumer affairs programme, about personal health apps. The segment examines the privacy risks of smartphone apps that collect sensitive health data, from fitness trackers and step counters to symptom checkers and medication reminders. Van Eijk provides expert commentary on how data collected by consumer health apps can flow to advertising networks and data brokers without users realising it. The interview covers what checks consumers can apply and what regulatory obligations apply to app developers under Dutch and European law.

Rob van Eijk is interviewed on Nieuwsuur about the proposed EU Digital Green Certificate, the pan-European credential designed to certify COVID-19 vaccination, testing, or recovery status. Journalists Mirjam de Galan and Nathalie Lemoine ask Van Eijk to assess the privacy implications of the proposed regulation. The interview covers what personal data the certificate would contain, how verification would work at borders and venues, and whether the European Commission's approach offers sufficient data protection safeguards.

Jules Polonetsky moderates an FPF Book Club discussion of Privacy is Hard and Seven Other Myths by Jaap-Henk Hoepman of Radboud University. Hoepman presents his distinction between soft privacy (compliance and policy promises) and hard privacy (technically guaranteed data minimisation and encryption), and argues the business model of data exploitation is the real barrier to adoption. Rob van Eijk highlights the IRMA identity app as an example of attribute-based credentials that let users prove a specific claim without revealing full identity. Gloria González Fuster, Gwendal Le Grand, Katharina Koerner, and Naomi Lefkovitz discuss how the book bridges the language gap between lawyers and engineers, and why regulation is essential to incentivise privacy-by-design in practice.

Jules Polonetsky and Rob van Eijk explore the complexity of cross-border data flows through two scenarios: online retail and remote learning. Van Eijk walks through how a retailer's operations depend on dozens of interconnected cloud services for hosting, analytics, CDN delivery, fraud detection, and authentication, each potentially operated by a different global vendor. The online learning scenario adds edge-cached video conferencing and integrated learning management systems. The discussion addresses the Schrems II decision and the practical difficulty of strict data localisation, concluding that modern digital services are built on globally intertwined technology stacks that cannot easily be separated by geography.

Paul Breitbarth and K. Royal host a live Serious Privacy podcast episode at the IAPP Europe Data Protection Congress in Brussels. The episode gathers short interviews with privacy professionals, capturing their predictions, worries, and words of wisdom for the field. Rob van Eijk of the Future of Privacy Forum shares his outlook alongside Bojana Bellamy, Gabriela Zanfir-Fortuna, Estelle Massé, Trevor Hughes, and others. Themes across the interviews include the role of AI in privacy, data governance, children's data protection, post-Brexit UK adequacy, joint DPA enforcement, and the growing importance of privacy professionals in shaping digital policy.

Vitor Jesus moderates a COnSeNT 2021 workshop asking whether consent works and what alternatives exist. Armand Heslot of CNIL argues that cookie banners with only an accept button are invalid as genuine consent requires refusal to be as simple as acceptance. Townsend Feehan of IAB Europe defends the Transparency and Consent Framework as the best available compliance standard. Robin Berjon of the New York Times argues TCF is a configuration string rather than genuine transparency and proposes eliminating third-party data controllers entirely. Irene Kamara of Tilburg University highlights hardware directives as a path to embed privacy by design. Mark Lizar advocates for portable consent receipts. Rob van Eijk discusses browser-based signals including the Global Privacy Control as a path beyond consent fatigue.

Rob van Eijk moderates a CPDP 2021 panel on bridging the gap between privacy law and technical standards in telecommunications and digital regulation. Clara Neppel of IEEE identifies three persistent obstacles to embedding privacy in technology: definitional ambiguity, perceived privacy-functionality trade-offs, and governance complexity. Paul Nemitz of the European Commission argues that law must remain technology-neutral while engineers must engage democratically rather than allowing standards to undermine legal obligations. Mikuláš Peksa MEP advocates for decentralised internet architectures to prevent platform monopolies. Amelia Andersdotter of dataskydd.net highlights the missing middle between high-level legislation and actual product assessment, and proposes public procurement as a lever for privacy-compliant engineering.

Rob van Eijk moderates the inaugural FPF Dublin Privacy Symposium examining transparency and user manipulation in digital interfaces. Graham Carroll demonstrates that 92% of users accept cookies regardless of design variations. Lorrie Cranor presents California privacy icon research showing icons require accompanying text for comprehension. Hanna Schraffenberger explains users consent even when nudged toward disagreement. The panel explores implementation challenges. Dylan Corcoran discusses transparency obligations and the psychology of user cognition. Denis Kelleher emphasizes trust through transparency and evolving regulatory requirements. Diarmaid Mac Aonghusa argues current consent systems fail users who click through out of frustration. Daragh O'Brien highlights accessibility barriers particularly for color-blind users. Stacey Gray examines US consumer protection law boundaries and the spectrum between legitimate persuasion and coercive dark patterns.

Rob van Eijk moderates a Forum Europe panel at the 11th Annual European Data Protection and Privacy Conference on artificial intelligence and data spaces for the public good. Speakers Damian Clune, Cornelia Kutterer of Microsoft, Daniel Leufer of Access Now, Cristina Álvarez Rigaudias, and Christian D'Cunha examine the privacy implications of a data-sharing economy. The panel addresses how data spaces enabling AI development must be designed with strong data protection safeguards, how consent and purpose limitation apply when data is pooled across sectors, and how regulators can ensure that public-benefit data spaces do not become vehicles for commercial surveillance.

Rob van Eijk participates as an invited privacy expert in the Dutch Ministry of Health's Appathon, a public assessment event for proposed coronavirus contact tracing apps held in April 2020. The Ministry received over 750 app proposals, shortlisted seven, and convened approximately 67 independent experts in privacy, security, epidemiology, and ICT to evaluate them. Van Eijk provides expert commentary on the privacy and data protection aspects of the shortlisted apps.

Jules Polonetsky moderates an FPF LinkedIn Live discussion on the US privacy legislation landscape in 2020. Jacqueline Barron, Gabriela Zanfir-Fortuna, and Rob van Eijk of the Future of Privacy Forum survey the state of play at federal and state level, examining proposed bills and the prospects for comprehensive federal privacy legislation. The panel compares the emerging US approach with GDPR principles and considers the implications for transatlantic data flows and global privacy governance.

Jules Polonetsky moderates an FPF LinkedIn Live on the EDPB's post-Schrems II guidance. Paul Breitbarth, Rob van Eijk, Katherine Fenessy, and Gabriela Zanfir-Fortuna of the Future of Privacy Forum analyse the European Data Protection Board's recommendations on supplementary measures for international data transfers. The discussion covers the six categories of supplementary measures, the transfer impact assessment process, and the practical steps organisations must take to lawfully move personal data from the EU to third countries following the Court of Justice ruling.

Jules Polonetsky moderates an FPF Book Club discussion of The Ethical Algorithm by Michael Kearns and Aaron Roth of the University of Pennsylvania. The authors argue for algorithmic solutions to algorithmic problems: embedding social norms such as privacy and fairness directly into models rather than treating them as policy afterthoughts. Kearns highlights Differential Privacy as a rigorous definition that quantifies privacy loss, while Roth explains that fairness lacks a single equivalent definition because competing criteria are often mathematically incompatible. Rob van Eijk and other panellists discuss the trade-off between accuracy and social values, the limits of human oversight at scale, and the tension between GDPR data minimisation and the data needed for bias auditing.

Rob van Eijk is interviewed by student journalists at Fons Vitae Lyceum in Amsterdam about online privacy. The interview covers how personal data is collected by websites and apps, why online tracking is used by advertisers, and what individuals can do to protect their privacy. Van Eijk explains technical and regulatory concepts in accessible terms for a secondary school audience.

Rob van Eijk moderates a joint FPF and dataskydd.net webinar on privacy in high-density crowd contexts. Jerome Henry of Cisco presents the IEEE P802E standard, which gives engineers a framework to minimise data leakage from Wi-Fi and mobile protocols without breaking connectivity. Marit Hansen of the Schleswig-Holstein DPA advocates for MAC address randomisation as a default privacy-by-design measure. Udo Oolen of Dutch Railways explains how NS applies immediate hashing and daily deletion to Wi-Fi tracking data for crowd management at stations. Amelia Andersdotter argues for earlier engagement between policymakers and standards bodies to embed privacy before technology reaches the market. Jelena Burnik examines how DPAs can verify that technical standards are actually followed in practice.

Rob van Eijk moderates a CPDP 2020 panel on the algorithmic governance of transportation data. Karen Vancluysen of the POLIS Network argues governments must regulate mobility innovation to align it with public goals such as safety and air quality. Ger Baron, CTO of Amsterdam, proposes a suspicion-based model where cities query mobility data only when specific rules are broken rather than tracking all users continuously. Kara Selke of StreetLight Data highlights the re-identification risks of location data and argues that aggregated historical data is sufficient for urban planning. Simon Hania, DPO at Uber, challenges the legal basis for granular route data requirements under MDS permit conditions and warns of chilling effects on the fundamental right to freedom of movement.

Jules Polonetsky, Edoardo Celeste, and Rob van Eijk co-host an FPF and Dublin City University webinar on the legal and policy dimensions of the independent DPO role under GDPR. Regulators from Ireland, Belgium, France, and the Czech Republic explain what constitutes a conflict of interest, citing the Belgian DPA's ruling that a DPO cannot hold roles that determine the means and purposes of data processing. Practitioners from Dropbox, Twitter, and Dutch Railways describe how they maintain independence while remaining embedded in the business. The discussion covers the CPO versus DPO distinction, the importance of early involvement in privacy-by-design, and the trade-offs between internal and outsourced DPO arrangements.

Rob van Eijk and Brenda Leong of the Future of Privacy Forum host the final session of the Digital Data Flows Masterclass series on blockchain technology. Jake van der Laan of the New Brunswick FCNB explains the technical foundations: blockchain as an append-only transaction log secured by cryptographic hash functions, proof-of-work consensus, and smart contracts. Matthias Artzt of Deutsche Bank then addresses the direct tension with GDPR, examining who qualifies as a Data Controller on a permissionless chain and why the right to erasure is technically incompatible with immutability. Artzt presents the primary compliance solution: storing only a cryptographic hash on-chain while keeping personal data in a deletable off-chain database.

Rob van Eijk of the Future of Privacy Forum hosts a Digital Data Flows Masterclass on machine learning and speech processing. Marine Carpuat of the University of Maryland explains neural machine translation, tracing the shift from phrase-based statistical models to deep learning. She highlights the challenge of low-resource languages, the back-translation technique for generating synthetic training data, and warns that fluently inadequate translations can have serious real-world consequences. Prem Natarajan of Amazon Alexa AI describes the architecture of conversational AI systems and outlines how active learning, transfer learning, and self-learning reduce dependence on labelled training data. The session closes with a discussion of the tension between GDPR data minimisation and the scale of datasets needed for speech AI.

Rob van Eijk presents the first part of an IAB Nederland webinar on understanding online advertising technology, co-hosted with Tim Geenen of LiveRamp. Van Eijk explains how browsers process web content through rendering engines, JavaScript interpreters, and data storage, using live examples to show how a single banner ad triggers dozens of calls to external ad-tech vendors. He maps the real-time bidding ecosystem from publisher to advertiser via supply-side and demand-side platforms, and demonstrates browser fingerprinting as an emerging alternative to cookies. The session compares how major browsers differ in their tracking protections and covers GDPR consent requirements following the Planet49 ruling, including why pre-ticked boxes and cookie walls are unlawful.

Rob van Eijk and Tim Geenen of IAB Nederland present the second part of their adtech series, shifting from technical mechanics to legal compliance. Van Eijk revisits the real-time bidding ecosystem to show how data leakage occurs when publishers lose control over third-party calls. He audits live websites using developer tools, demonstrating consent banners that fire tracking scripts before user interaction, rendering them legally useless. The Planet49 ruling is explained in detail: pre-ticked boxes are invalid and consent withdrawal must be as easy as acceptance. Van Eijk critiques CMP dark patterns where accepting is one click but rejecting requires multiple steps, and closes by advocating for Privacy Enhancing Technologies and contextual advertising as sustainable alternatives.

Rob van Eijk and Christy Harris of the Future of Privacy Forum present a session on the online advertising technology ecosystem as part of the Understanding Digital Data Flows series. The session explains how advertisers reach consumers through programmatic advertising, covering the roles of publishers, supply-side platforms, demand-side platforms, data management platforms, and ad servers. The discussion helps policymakers and regulators understand the technical mechanisms behind adtech to better evaluate privacy compliance and enforcement.

Angelique Carson of IAPP interviews Rob van Eijk, Managing Director for Europe at the Future of Privacy Forum, about the future of online advertising. Van Eijk draws on his experience at the Dutch Data Protection Authority and in W3C negotiations to explain why the Do Not Track initiative failed to achieve voluntary industry compliance. The conversation examines what structural changes are necessary for online advertising to operate sustainably alongside privacy protections, and what a technically grounded regulatory approach looks like from an insider perspective.

Cecile Schut of the Dutch Data Protection Authority and Rob van Eijk, a dual PhD candidate at Leiden University, share their experiences of the Dual PhD Centre programme. Van Eijk explains his motivation for pursuing in-depth research on measuring privacy in digital contexts and the technology behind online advertising. Schut describes the employer perspective, noting that deep in-house expertise benefits the Authority and contributes knowledge to society. The interview covers the programme's support structure, including research methodology training in the first year, a peer network, close supervision, and biannual evaluations.

Jules Polonetsky moderates an FPF Book Club discussion of Of Privacy and Power: The Transatlantic Struggle over Freedom and Security by Henry Farrell and Abraham Newman. Farrell argues that the conflict is driven not by cultural differences but by cross-national coalitions: security hawks on both sides pushing for expanded data sharing versus civil liberties advocates and DPAs working for stronger protections. Rob van Eijk and Gabriela Zanfir-Fortuna discuss how the CJEU uses privacy rulings to assert institutional authority and how the Snowden revelations enabled Max Schrems to dismantle Safe Harbor. The panel concludes that the current landscape is defined by deep uncertainty and politically entrenched positions that make compromise exceptionally difficult.

Rob van Eijk is interviewed on NOS Radio 1 Journaal by journalist Joost Schellevis about online tracking. The segment examines how a growing number of companies monitor users as they browse the web, using cookies and tracking scripts embedded in third-party advertising and analytics services. Van Eijk explains the scale and mechanisms of cross-site tracking based on his research into real-time bidding and what users can do to limit exposure.

Rob van Eijk is interviewed on BNR Nieuwsradio's morning programme De Ochtendspits by journalist Bauke van Werven. Broadcast during CPDP conference week in Brussels in January 2019, the interview covers online privacy and data protection developments from a practitioner and regulatory perspective.

Stacey Gray of the Future of Privacy Forum moderates a Digital Data Flows Masterclass on online advertising technologies. Adam Towvim of Brandeis International Business School traces the evolution from direct media buying to programmatic advertising, explaining how advertisers, publishers, and intermediaries interact through cookies, pixels, and cross-device tracking. Rob van Eijk of Leiden University provides a technical deep-dive into the nine-step real-time bidding process, covering cookie syncing, bid request metadata, header bidding, and private deals. Van Eijk introduces his graph-based research visualising data flows between ad-tech companies. The panel closes with a discussion of ad fraud, identity resolution across devices, and the privacy implications of broadcasting user metadata to hundreds of partners in each auction.

Kai Rannenberg of Goethe University moderates a CPDP 2018 panel on technical protection against online tracking and profiling. Rob van Eijk of Leiden University explains the real-time bidding ecosystem and how cross-device tracking links user behaviour across phones, tablets, and desktops. Mike O'Neill of Baycloud Systems proposes evolving the Do Not Track header into a machine-readable universal consent signal. Diego Naranjo of EDRi argues that the default state of technology must be privacy-preserving, comparing commercial tracking to physical stalking. Fenneke Buskermolen of the European Commission outlines the ePrivacy Regulation proposal to move consent from cookie banners into browser settings.

Rob van Eijk of the Dutch Data Protection Authority and Frederik Zuiderveen Borgesius of IViR-UvA co-moderate a CPDP 2016 panel on the commercial data economy. Bjørn Erik Thon of the Norwegian DPA describes how companies track users through cookies and logins to build detailed profiles, arguing consumers face no genuine choice beyond accepting surveillance. Townsend Feehan of IAB Europe defends targeted advertising as essential funding for diverse digital media. Marie Charlotte Roques-Bonnet of Microsoft outlines transparency measures and security commitments. Monique Goyens of BEUC criticises the power asymmetry between companies and users who cannot navigate complex privacy policies, and calls for privacy by design and stronger DPA enforcement.

Rob van Eijk of the Dutch Data Protection Authority and Achim Klabunde of the EDPS co-moderate a CPDP 2015 panel on engineering privacy into internet infrastructure. Hannes Tschofenig of ARM and Simon Rice of the UK ICO describe how flawed development cycles and weak security practices undermine online privacy. Florian Stahl presents the OWASP Top 10 Privacy Risks for web applications. Marit Hansen of ULD advocates for privacy protection goals such as unlinkability and intervenability. Jaap-Henk Hoepman of Radboud University promotes privacy design patterns as practical engineering tools. The panel calls for closing the gap between legal privacy requirements and software engineering reality to make privacy by design achievable.

MEP Amelia Andersdotter chairs a European Parliament panel on Do Not Track and self-regulation. Robert Madelin of DG CONNECT argues that tracking feels intrusive and distorts information access, proposing accountable self-regulation as a complement to slow legislation. Rob van Eijk of the Dutch Data Protection Authority states that a DNT signal implies do not collect without consent, and urges industry to innovate in user-centric design. Nicolas Dubois of DG Justice highlights existing EU legal restrictions on tracking and supports co-regulation codes. Stuart Hamilton of IFLA raises concern about e-reader platforms monitoring reading habits. Critics from EDRi question whether voluntary W3C standards can substitute for strict enforcement of existing EU privacy law.

Achim Klabunde of the EDPS moderates an IPEN Workshop 2014 panel reviewing privacy tools and identifying technical gaps. Florian Stahl and Stefan Burgmair present the OWASP Top 10 Privacy Risks for web applications. Hannes Tschofenig of ARM explains how privacy considerations are incorporated into IETF and W3C standards. Jens Kubieziel outlines Tor's evolution to resist censorship. Joss Wright of the Oxford Internet Institute highlights the divide between academic cryptography and practical software implementation. Stéphane Pétitcolas of CNIL details research on unexpected data leaks in mobile apps and IoT devices. Rob van Eijk of the Dutch DPA frames privacy as a fundamental right requiring both legal and engineering attention.

NOS journalist Bart Kamphuis interviews Rob van Eijk for the NOS Zomercolumn on the speed of real-time online advertising. Van Eijk explains how an advertising slot is auctioned in milliseconds the moment a user loads a webpage. Advertisers submit bids based on data profiles, and the winning ad is served before the page finishes loading. The interview illustrates how an entire commercial transaction involving multiple companies completes in a fraction of a second without the user's awareness.

NOS journalist Bart Kamphuis interviews Rob van Eijk for the NOS Zomercolumn on the growth of real-time bidding in online advertising. Van Eijk traces how RTB evolved from a small segment of digital advertising into the dominant method for buying and selling display ads. He explains how the technology expanded as publishers sought higher yields and advertisers gained more precise audience targeting. The interview covers the ecosystem of ad exchanges, demand-side platforms, and data brokers that grew alongside RTB.

Christine Runnegar of ISOC and Sophie Kwasny of the Council of Europe co-moderate an IGF 2012 panel on tracking the trackers. Rob van Eijk of Leiden University details technical tracking methods including browser fingerprinting. Wendy Seltzer of W3C explains the standardisation of Do Not Track headers. Cornelia Kutterer of Microsoft defends enabling DNT by default in Internet Explorer 10 as a consumer protection measure. Kimon Zorbas of IAB Europe argues tracking supports free ad-funded content and warns that strict opt-in models threaten the digital economy. Malavika Jayaram of CIS India highlights the absence of effective privacy enforcement in India. The panel debates balancing user consent with the economics of the open web.

David Hoffman of Intel moderates a Future of Privacy Forum workshop on legal frameworks for data anonymization. Daniel Solove of George Washington University Law School critiques current PII definitions and proposes a risk-based continuum from identified to non-identifiable data. Jane Yakowitz of Brooklyn Law School argues that the societal benefits of public research data outweigh low re-identification risks, and proposes safe harbors for data producers with penalties for malicious re-identification. Harley Geiger of CDT warns against banning re-identification attempts because security researchers must probe system vulnerabilities. Rob van Eijk of the Dutch DPA offers an EU perspective treating re-identification as a data processing step requiring legal justification, and recommends applying security risk management principles to privacy.