Welcome to my personal page!
I'm Rob van Eijk, the Founder and Principal of Blaeu Privacy Response Team B.V. (Team Blaeu), a consultancy specialized in legal aspects of data architectures and complex data flows. I am also the Managing Director for Europe at the Future of Privacy Forum (FPF). In this role, I lead FPF's operations in Europe, have established a dedicated team in Brussels, and continuously engage with key stakeholders. This page is updated regularly and contains an overview of my work.
Eijk R. van, Gray S. & Smith M. (2024)
On 27 November 2024, the Future of Privacy Forum (FPF) hosted a Technologist Roundtable with the goal of convening an open dialogue on complex technical questions that impact law and policy, and assisting global data protection and privacy policymakers in understanding the relevant technical basics of large language models (LLMs). We invited a wide range of academic technical experts to convene with each other and data protection regulators and policymakers from around the world. As a result of the emergence of LLMs, data protection authorities and lawmakers are exploring a range of novel data protection issues, including how to ensure lawful processing of personal data in LLMs, and how to comply with obligations such as data deletion and correction requests. While LLMs can process personal data at different stages, including in training and in the input and output of models, there is an emerging question of the extent to which personal data exists 'within' a model itself. Navigating these complex emerging issues increasingly requires understanding the technical building blocks of LLMs.
report
Adams S., Gray S., Massey A. & Eijk R. van (2024)
On 15 July 2024, the Future of Privacy Forum (FPF) published a report on confidential computing, a privacy-enhancing technology (PET) that marks a significant shift in the trustworthiness of data processing. Confidential computing leverages two key technologies: Trusted Execution Environments (TEE) and Attestation Services, allowing organizations to restrict access to sensitive data through secure hardware-based enclaves. Economic sectors that have led the way in adopting confidential computing include financial services, healthcare, and advertising. The report expands upon the following categories: 1) What is Confidential Computing?, 2) Emerging Sector Applications, and 3) Policy Considerations, including implications for transparency, data de-identification, cross-border transfers, and data localization. Ultimately, the usefulness, scale of impact, and regulatory compliance benefits of confidential computing depend on the specific configuration and management of the TEE and attestation service.
report
Eijk R. van & Bygrave L. (2024)
At Alpine Privacy Days 2024, Lee A Bygrave and I explored the interpretation of legitimate interest under the GDPR Art. 6(1)(f). The workshop delved into various cases and guidelines, examining the term's interpretation across different languages and legal systems. Notable among these were the Dutch DPA’s guidelines and the Royal Dutch Lawn Tennis Association (KNLTB) case. The guidelines stipulate that interests must be legally recognized to be considered legitimate, as in having a legal basis in law. This interpretation was based on a concept in the Dutch Handbook for General Administrative Law by Van Wijk/Konijnenbelt & Van Male (2014, ISBN 9789013119404). The handbook does not specifically address the privacy context. The Dutch DPA did not refer to the many authoritative sources on legitimate interest in EU data protection law, which tends to suggest a different direction. In contrast, the KNLTB was fined for sharing personal data with sponsors without a lawful basis, illustrating the legal risks of misinterpreting what constitutes a legitimate interest. Discussions also referenced CJEU case C-621/22, highlighting the ongoing debate over commercial interests versus privacy rights under GDPR. (image created by DALL-E, OpenAI's image generation model)
slides
The keynote speech focuses on critical issues in digital advertising and data protection, addressing concerns like microtargeting in political campaigns, unlawful data collection, and cookie compliance, particularly in the context of the 2023 Dutch elections. It also delves into broader topics such as the roles of various stakeholders, regulatory responses, privacy concerns with tools like Google Analytics, ethical considerations in personalized advertising, and the role of social media in ensuring fair and unbiased ad distribution. (image created by DALL-E, OpenAI's image generation model)
blogpost
Several Dutch political parties, including BoerBurgerBeweging (BBB), Forum for Democracy (FvD), SGP, and Volt, have been found to violate privacy laws by improperly placing tracking cookies on their websites without user consent. This finding, according to NOS research and confirmed by cookie expert Rob van Eijk, reveals that these cookies, intended for personalized advertising, are placed before users give permission, which breaches laws established in 2012. BBB, FvD, and Volt acknowledged the errors and are working on rectifications, while the SGP has not yet responded. The Dutch Data Protection Authority, alarmed by these violations, is seeking explanations from the involved political parties. Additionally, D66 and CDA also encountered issues for using third-party cookies and have promised to resolve them. This situation underscores the broader challenge of ensuring digital privacy in online campaigning.
quote in magazine/newspaper
Hyper-Nudging: fantasy or realistic fiction? I took part in the Plutopia News Network Podcast alongside Contributing Editor Wendy M Grossman, Jon Lebkowsky, and Scoop Sweeney. We touched upon digital advertising, AI's role in ads, and the intriguing concept of 'hyper-nudging' when A/B testing meets state-of-the-art machine learning. In essence, 'hyper-nudging' is about using real-time data analysis, e.g., A/B testing, and fine-tuned foundation models to 'nudge' users towards certain actions or decisions in the digital world. This nudge is based on a deep understanding of the user's behavior and preferences, making it hyper-personalized. The concept is particularly significant in the realm of online advertising, where brands are constantly trying to capture the attention of users and influence their buying behaviors. (image created with Bing Image Creator)
podcast
On 25 May 2023, the Future of Privacy Forum organized a workshop on the state-of-play of Privacy Preserving Machine Learning (PPML). Lindsay Carignan, Head of Customer Success at Holistic AI, and Nigel Kingsman, AI Audit and Assurance Office at Holistic AI, took the floor with a presentation on the question: how to perform a bias assessment? To better understand potential bias, five key questions were proposed: What is the data's provenance? How representative is the data? Is the data balanced? Has intersectionality been considered? Are sensitive attributes present in the data? The presenters were tasked to explain a complex technical topic to a non-technical audience. This blog post summarizes what I learned and elaborates on some of the key concepts presented. (image license: Andrey Popov/Shutterstock.com)
blog post
Bouwma R., Nieuwsuur (NOS-NTR) (2022)
Nieuwsuur (News Hour) is the leading Dutch current affairs television program broadcasting daily at 9.30 pm with an average of 570,000 viewers. I contributed (in Dutch) on behalf of Future of Privacy Forum to a news item on the state of play of ad fraud in the Dutch advertising market. I argue that when I look at the state of the art of ad-fraud technology, it is fair to say that the cat and mouse game is not linear. Much remains undetected. The criminals are winning as long as they can develop more intelligent algorithms that stay under the radar. Online ad fraud has existed for years but used to be committed mostly with click farms. Nowadays, criminals are using computer programs and algorithms that increasingly imitate human click behavior.
television interview [23m37s - 30m42s]
Galan M. de & Lemoine N., Nieuwsuur (NOS-NTR) (2021)
Nieuwsuur (News Hour) is the leading Dutch current affairs television program broadcasting daily at 9.30 pm. I contributed (in Dutch) on behalf of Future of Privacy Forum to a news item on the European Digital Green Certificate. New European legislation is being prepared for (1) the issuance, (2) the verification, and (3) the acceptance of interoperable certificates on (a) vaccination, (b) testing, and (c) recovery to facilitate free movement during the COVID-19 pandemic (EU Digital Green Certificate). The interview provides (a beginning of) an answer to the question: to what extent can the Digital Green Certificate help us open up borders while mitigating the risk of the spread of the COVID-19 virus?
television interview [00m00s-13m35s]
Max Meldpunt, Omroep Max (2021)
Max Meldpunt (News Hour) is a Dutch current affairs television program broadcasting weekly at 7.20 pm. I contributed (in Dutch) on behalf of Future of Privacy Forum to a news item on Personal Health Apps connecting to a Health platform (Persoonlijke Gezondheids Omgeving). The medical technology (Medtech) infrastructure allows data subjects to view patient records (from their family doctor) and medication history (from their pharmacy) under their right of access and right of data portability. I zoom in on privacy aspects of the network of Medtech providers connecting the family doctor's information systems to portal backends and app provider frontends.
television interview [11m28s-25m06s]
NOS OP3 created a mobile/web application visualizing online advertising. I provided detailed background information on the intricacies of online advertising (real-time bidding). We explain (in Dutch) digital advertising to young digital natives with this web application. Behavioral advertising is possible because you have given your consent through a cookie banner. How does the ad sale work? In the interactive story, we'll show you the world that comes into effect when you click the 'Agree on cookies' button.
mobile/web application
Workshop on Technology and Consumer Protection (ConPro '19) (2019)
We crawled 1,500 European, American, and Canadian websites from 18 countries. We detected cookie notices on 40% of websites in our sample. We treat the presence or absence of cookie notices and visual differences as proxies for differences in privacy rules. Using a series of regression models, we find that the website's Top Level Domain explains a substantial portion of the variance in cookie notice metrics. Still, the users' vantage point does not. It suggests that websites follow one set of privacy rules for all their users. This finding has one exception: cookie notices differ when accessing .com domains from inside versus outside of the EU.
conference paper: refereed
Tracking cookies and similar tracking techniques are nowadays omnipresent on the internet. Many popular online services are made possible due to online advertisements. When you are about to book a last-minute holiday online, you may experience that your purchase intention follows you on other websites. To understand online advertising (or Real-Time Bidding), we provide a literature review of online-tracking technologies and propose a new paradigm for Web Privacy Measurement (WPM).
article in journal
Recht en technologie. Vraagstukken van de digitale revolutie (2019)
In this contribution (in Dutch) to the lustrum bundle, we present insights from the thesis that are important for answering the following main legal question: Is the online user provided with clear and complete information in accordance with the Telecommunications Act (Tw) and the General Data Protection Regulation (AVG)? The emphasis is on (1) the purposes for which this information is used and (2) the degree of consent given by the user (compare article 11.7a paragraph 1).
book chapter
Leiden University, Leiden Law School (2019)
In the doctoral thesis, I investigate the advertisements online that seem to follow you. The thesis shows that the interconnection between partners in an RTB network is caused by the data flows of the ad tech companies due to their specializations in ad technology. By applying network science algorithms, I arrive at measuring the privacy component of RTB. Furthermore, I show that a Graph-Based Methodological Approach (GBMA) controls the situation of differences in consent implementations in European countries.
book
Kamphuis B., Zomercolumn (NOS) (2013)
NOS Journaal is the news program of the Dutch public broadcast services (NOS). The eight o'clock news is the most important and also the longest daily bulletin broadcasted at 8 pm with an average of 1,810,000 viewers in 2013. I contributed (in Dutch) to a news item on Real-Time Bidding. I was still at the early stages of my Ph.D. research: collecting data by crawling national and regional news websites in Europe. The main argument of my contribution that made the headlines was that the number of third parties tracking online user behavior increased at an alarming rate. The recording was when Real-Time Bidding was catching on in the European market and the call for stricter European rules became louder.
television interview [0m0s - 1m12s]
Singer S., New York Times (2012)
I was interviewed for an article on Real-Time Bidding against the background of technological breakthroughs in online advertising. The interview took place after one year of negotiating improvements for privacy online in the Tracking Protection Working Group of the World Wide Web Consortium. The article also led to an item by the Dutch public broadcast services (NOS) on Dutch television: 'Trading advertisements in a split second.' The fact that specialized companies traded ads in a fraction of a second was still unknown to the general public.
quote in magazine/newspaper