ATHENE project: Systematic Privacy for Large, Real-life Data Processing

A research project under the German National Research Centre for Applied Cybersecurity (ATHENE).

A plethora of digital services have become part of our daily lives, and their driving input is personal data. Data at times knowingly provided by an individual, but at others collected implicitly or even without the individual's knowledge or consent in large, real-life data processing systems. Data protection and IT security laws - such as the General Data Protection Regulation (GDPR) - are increasingly becoming the focus of attention for many stakeholders. European and national legislators and data protection authorities must respond to the need for appropriate implementation of data protection and IT security law while not overly constraining industry opportunities created by new technologies. Facing this challenge is crucial to enable technological progress and to create value, while safeguarding natural persons from intrusions into their fundamental rights through excessive processing of their personal data. 

This project aims for an impact at various levels:

Industry: Achieving compliance with data protection and IT security laws is a challenge for many organizations and companies. By developing methods and proposing practical recommendations for operators of "large" data processing systems, this project assists organizations in complying with an otherwise complex and cryptic legal framework. This project also aims to enable companies to lawfully use big data processing systems, and ultimately seeks to reduce legal uncertainty for industry actors and to lower economic restraints for investment and innovation. 

Society: By increasing the level of data protection and thus decreasing potential informational power asymmetry to the detriment of individuals, this project works towards the protection of a free and democratic society. Added values with high societal relevance (e.g. detection and analysis of the increased incidence of certain disease patterns in a region) can be reached by supporting the use of anonymous data, countermeasures, and additional protection, both legal and technical.

Science: The project will identify answers and solutions to unresolved legal issues in the specific context of large-scale data processing systems. These are increasingly employed, e.g. in AI. Questions will be addressed such as at what points in time does data protection law apply to anonymized, re-identifiable, and re-identified data, what are the standards for particularly risky data processing activities, how data can be protected by ownership and what the IT security standards to observe within these systems' data processing activities are.

Government and State Authorities: This project identifies the need for further legislative development and, if deemed necessary, prepares regulatory proposals for the shaping of law at national and European levels. It also lays the groundwork for interventions and better assessment for data protection authorities, seeking to reduce legal uncertainty on the operational level.

The present multi-university research project supports a core objective of ATHENE, that of accompanying and fostering the digital transformation of society, the economy and the public sector to improve cybersecurity and data protection. This project also enables and strengthens an alliance in IT law within the state of Hesse through close cooperation of the four participating institutions: Goethe-Universität Frankfurt am Main, Universität Kassel, the Fraunhofer SIT and Hochschule Darmstadt (h_da). Prof. Dr. Thomas Wilmer is the project manager in respect of h_da.