CPDP2017 will stage more than 70 panels and workshops with a stimulating mix of academics, practitioners, regulators and advocates, as well as multiple side events such as open debates, PechaKucha performances and artistic interventions. Some last-minute changes are always possible.

Download the full version of the programme here (PDF, 32 MB). Registered particpants will receive a hard copy in their registration pack on-site.

07.30 - Registration in La Cave

08.15 - Welcome coffee in Le Village

wednesday 25 january 2017 • grande halle



academic •• policy •• business ••

organised by INRIA

Chair Daniel Le Métayer, INRIA (FR)

Moderator Antoinette Rouvroy, Université de Namur (BE)

Panel Krishna Gummadi, Max Planck Institute (DE), Marc Rotenberg, EPIC (US), Marie-Charlotte Roques-Bonnet, Microsoft EMEA (FR), Joris van Hoboken, University of Amsterdam (NL)

Algorithms play an increasing role in all aspects of our lives: they are used to rank, to predict, to help in decision making (if not to take automated decisions) in many contexts such as hiring, business, justice, police, politics, etc. New terms such as “algorithmic governmentality” or “algocracy” have been coined (by Antoinette Rouvroy and John Danaher respectively) to evoke the risks posed by the over-reliance on algorithms in many critical areas. One of the main sources of worry is the lack of transparency of these algorithms, especially when they rely on machine learning, which could lead to what has been called the “black box society” by Frank Pasquale. The goal of this panel is to discuss in a multidisciplinary way, the issues raised by this notion of transparency versus obscurity of algorithms, including the following questions:

  • Should algorithms be regulated and if so in what way?
  • When should transparency be required, what should it mean and how could it be implemented in practice?
  • How to reconcile the need for business to protect its intellectual property and the need for citizens to understand the logic behind the algorithms that they use or that produce effects on their lives?
  • How to design algorithmic systems to enhance transparency or intelligibility without compromising utility (accuracy and relevance)?

10.00 - Coffee break

10.30 - CNIL-Inria Privacy Award Ceremony

organised by CNIL-Inria


academic •• policy •• business ••

organised by Intel

Chair Isabelle Falque-Pierrotin, Article 29 Working Party (EU)

Moderator David Hoffman, Intel Corporation (US)

Panel Peter Fleischer, Google (US), Jens-Henrik Jeppesen, Center for Democracy & Technology (BE), Artemi Rallo Lombarte, Spanish MP (ES), Julia Powles, Cambridge University (UK)

On May 13, 2014, the Court of Justice of the European Union (“CJEU”) announced its judgment in the Google Spain case, in which Google was required to delist certain Internet search results when a search query was made using an individual’s name. While controversial, the determination stands, and Internet search companies must comply with the decision. This session brings together experts from a variety of jurisdictions to discuss the decision and how it is implemented.

  • Does the CJEU establish a “right to be forgotten” as the decision is often characterized? Or do individuals now enjoy a “right to obscurity”?
  • How are companies carrying out the court’s requirements?
  • How can the court’s requirements be met in a way that is predictable and consistent with clear, actionable criteria?
  • How can we best serve individuals and minimize the burden on companies tasked with arriving at decisions about delisting?


policy ••••••

organised by CPDP

Chair Karolina Mojezsowicz, DG Just (EU)

Moderator Glyn Moody, Ars Technica (UK)

Panel Jan Albrecht, MEP (DE), Michal Boni, MEP (PL), Marju Lauristin, MEP (EE), Axel Voss, MEP (DE)

On the 24 May of this year, the General Data Protection Regulation entered into force. Less than one and a half years from now, on 25 May 2018, the Regulation will apply. The adoption of the Regulation marked the end of a difficult and lengthy legislative process. Yet in many ways, this adoption was only the start. The Regulation provides a general framework, many of the principles of which remain vague and require further specification before being practically functional. Now begins the delicate process of specifying and refining these principles to make the Regulation work in practise. This panel brings together four MEPs, each of which played a significant role in the legislative process, to discuss their views on the key issues surrounding implementation, and to debate how they feel the Regulation might best move forward.

  • What are the most pressing issues in implementation?
  • Which actors will shape the implementation process?
  • What are the possible outcomes of implementation?
  • What is the ideal path for the Regulation moving forward?

13.00 - Lunch break


academic •• policy •• business ••

organised by Microsoft

Chair Marie-Charlotte Roques-Bonnet, Microsoft (FR)

Moderator Sophie Louveaux, EDPS (EU)

Panel Julie Brill, Hogan Lovells (US), Joe Cannataci, UN Special Rapporteur on Privacy (INT), Demosthenes Ikonomou, ENISA (EU), Stephen Kai-yi Wong, Privacy Commissioner for Personal Data (HK), Steve Wood, ICO (UK)

Artificial Intelligence (AI) concretely targets a machine’s capacity to implement human “cognitive” functions in order to map information, rank it and ease decision-making, based on algorithmic capacity to learn and improve. Privacy risks stem from the fact that such mapping and, evolving automated decision-making will impact the fundamental rights of natural persons in many different ways.

Such impacts have to be framed by controllers through a careful and accountable mitigation of privacy and security risks, notably to meet the requirements of articles 6, 32 and 35 of the GDPR. The objective of this panel is to help controllers but also processors to get some pragmatic and concrete recommendations on how to envisage such data processing and comply with the GDPR. What you will get from this panel is an overview of what complying with the GDPR concretely entails. That is to say:

  • From a Data Protection Regulator: how to fulfill the obligations set in the GDPR (Which ones are key? How to proceed to meet them?)
  • From a Computer Scientist perspective: how to determine the appropriate technical and organizational measures to mitigate privacy risks? (How to implement and document article 35 of the GDPR?)
  • From a Consumer Rights Association point of view: how to identify the reasonable expectations of consumers and data subjects? (What are those expectations? How could they be specified?)
  • From a Business perspective: which are the concrete steps that could be taken within ones’ organization to get ready on time for 25 May 2018? (What are the main caveats & recommendations?).

15.30 - Coffee break


Keynote by Véra Jourova, European Commissioner for Justice (EU)

academic • policy •••• business •

organised by CPDP

Chair tbd

Moderator Eduardo Ustaran, Hogan Lovells (UK)

Panel Marit Hansen, ULD (DE), William Malcolm, Google (UK), Katarzyna Szymielewicz, Panoptykon (PL), Gerrit Jan Zwenne, Leiden University (NL)

The implementation process will define the final shape of the General Data Protection Regulation. It will thus play a role in defining which interests the Regulation takes into account, and in how these interests are balanced against other interests. Eventually, the implementation process will have an impact on all stakeholders in the data protection universe - some will emerge from this process as winners and some, unfortunately, as losers. In this final session on the implementation of the Regulation, we bring together a range of key stakeholders and ask them to discuss their impressions, hopes and fears for the future of the Regulation.

  • How do the different stakeholders understand the key issues involved in implementation?
  • How do these stakeholders imagine implementation will look?
  • What are their hopes and fears for the process?
  • Where do their views converge, and where do they diverge?


academic •• policy •• business ••

organised by IAPP

Moderator Omer Tene, International Association of Privacy Professionals (US)

Panel Terrell McSweeney, Federal Trade Commission (US), Paul Nemitz, European Commission (EU)

The approval of the new Privacy Shield framework by the European Union and the United States has come at a time of great uncertainty for transatlantic data flows. With additional judicial challenges underway, finding the right balance between strong interests of privacy and civil liberties, national security and law enforcement, and industrial and economic concerns remains difficult. While the General Data Protection Regulation will only become fully applicable in May 2018, companies and industry sectors have already started to prepare for compliance with its detailed provisions, on both sides of the Atlantic. At the same time, the Privacy Shield has become operational and the focus is now on its effective implementation and compliance by participating companies. Given the need to flesh out certain aspects of the GDPR, and the annual review of Privacy Shield, the privacy debate will continue, with each side pursuing its specific policy and enforcement agenda. While many of the substantive challenges (like consumer choice in the age of Big Data, or data security) will be faced by both US and EU regulators and enforcers, the latter will also focus their attention on the effective implementation of the GDPR, for instance through codes of conducts (e.g., pseudonymisation, protection of children), certification mechanisms or regulatory acts on certain specific points (e.g., determining the information to be provided by icons). In this session, Federal Trade Commissioner Terrell McSweeny and European Commission Director for Fundamental Rights Paul Nemitz meet with the IAPP’s Omer Tene to discuss privacy, data flows and the year ahead for data protection.

18.30 - Cocktail with Champion of Freedom award ceremony sponsored by EPIC

SPonsors AND PARTNERS 2017