Skip to content

Transatlantic Conference: Building Common Approaches for Cybersecurity and Privacy in a Globalized World

The Alexander von Humboldt Institute for Internet and Society (HIIG) organises – in cooperation with the New York University (NYU) – the second of a series of two conferences on »Building Common Approaches for Cybersecurity and Privacy in a Globalized World« from 1–3 October 2018 in New York.


Transatlantic Conference:
Building Common Approaches for Cybersecurity and Privacy in a Globalized World
1–3 October 2018 | NYU School of Law
Lester Pollack Colloquium Room | 245 Sullivan Street, 9th Floor


Read further: edited volume


conference's edited volume (pdf)


The conferences address a pressing challenge in the transatlantic relationship: the tension between cyber security and data protection.

We will bring together cyber security, data protection and governance experts, lawyers and representatives from security agencies, businesses and politics in order to analyse the problems in this field, to deepen the understanding of different concepts, to develop approaches and strategies for solutions, while ensuring a more productive integration of the relatively independent discourses in the USA and Europe on this issue.

| Have a look at the conference’s edited volume (pdf)
Please note that this is an invitation-only event.


Monday, 1 October 2018

06:00 p.m.Welcoming Remarks
Randy Milch (NYU Center for Cybersecurity; NYU Law School)
Ingolf Pernice (Humboldt University Berlin; HIIG)


Tuesday, 2 October 2018

Session 1: International Incentives toward Good Behavior?

09:30 a.m.The Value of Data. ​Data has value to holders and processors, yet compensating data subjects after data is lost has proven is a scattershot exercise. Are there ways of attributing value to data as it sits with holders and processors such that both data subjects and those profiting from data would be on notice of the monetary effects of a data breach? Would this positively incent behaviors to lower cyber risk?

Sasha Romanosky​  (RAND Corporation)
Kai von Lewinski​ (University of Passau)
Terrell McSweeny​ (Federal Trade Commission)

11:00 a.m.Coffee Break
11:15 a.m.A Return to Safe Harbors? ​Article 83 of the GDPR requires due regard be given to a list of 11 aggravating and mitigating factors when deciding whether to impose an administrative fine and deciding on the amount of such a fine. Among the mitigating factors is whether a data holder or processor adhered “to approved codes of conduct . . . or approved certification mechanisms.” Is ‘due regard’ a sufficient incentive for better cybersecurity and privacy practices? Would an American-style “safe harbor” be more useful?

Scott Shackelford​ (Kelley School of Business; Ostrom Workshop Program on Cybersecurity and Internet Governance)
Paul Rosenzweig​ (Senior Advisor to The Chertoff Group)
Gail Kent​ (Facebook)
Reinhard Priebe​ (European Commission)

12:45 p.m.Lunch


Session 2: Enabling International Cooperation: Evidence and Equities


02:30 p.m.The CLOUD Act and International Norms? ​The Microsoft Warrant case effectively ended with the sudden passage of The CLOUD Act, which both affirms the ability of the US Government to obtain US person information held overseas by US service providers and acknowledges international concerns by favoring bi-lateral agreements and requiring in certain circumstances a comity analysis. Will the CLOUD Act work to ease EU concerns? Is this a way toward international norms on trans-border evidence collection?

Théodore Christakis​ (Université Grenoble)
Serrin Turner​ (Latham & Watkins)
Todd Schulman​ (Verizon Communications Inc.)

04:00 p.m.Coffee Break
04:15 p.m.Vulnerabilities Equities Processes: Comparative Processes and Best Practices​: Law enforcement and intelligence services on both sides of the Atlantic face the same problem: publishing security vulnerabilities they know about would enable software manufacturers to provide fixes and thereby enhance the security of sometimes millions of devices and their users, while keeping those vulnerabilities secret would provide the services necessary, and at times the only tools for performing their duties in fighting serious crime and terrorism. Governments have begun to institutionalize decision processes regarding the dealing with the services’ knowledge of security vulnerabilities, by which the benefits and risks, and the competing rights and interests shall be assessed and balanced. What are the main lessons learned from experience so far? What are best practices that should be shared among the institutions responsible for VEP?

Michael Daniel​ (Cyber Threat Alliance)
Jason Healey​ (Columbia University’s School for International and Public Affairs)
Sven Herpig​ (stiftung neue verantwortung)


Wednesday, 3 October 2018

Session 3: Building Security: Design and Certification

09:00 a.m.Security by Design/Privacy and Data Protection by Design​: Article 25 of the GDPR requires data protection measures be implemented in IT systems, while Article 32 of the GDPR analogously mandates the implementation of security measures. Both provisions fail to clarify to which concepts or models of security, privacy and data protection by design they refer. The demand side being not clear, what has Computer Science to offer regarding privacy by design and security engineering approaches? What are best practices to be used for fleshing out the provisions of the GDPR?

Kyle Erickson​ (Palantir Technologies)
Nathaniel Good​ (Good Research)
Jörg Pohle​ (HIIG)

10:30 a.m.Coffee Break
10:45 a.m.Cyber Security Certification Regimes​: Recent legislation in the EU like the NIS Directive and current legislative initiatives, e.g. “EU Cybersecurity Act” as proposed by the European Commission, are establishing certification regimes for cyber security processes and technologies based on EU and international standards. Similar initiatives, e.g. “Internet of Things (IoT) Cybersecurity Improvement Act” proposed in 2017, can be observed in the U.S., though containing quite technologically specific requirements. Are there parallel developments on the global level, e.g. ISO standards, or in the private sector, e.g. Underwriters Laboratories? Is there a perspective of a common approach?

Christian Djeffal (HIIG)
Sarah Zatko (Cyber Independent Testing Lab)
Eric Wenger (CISCO)

12:15 p.m.Conclusions & Outlook
Randy Milch (NYU Center for Cybersecurity; NYU Law School)
Ingolf Pernice (Humboldt University Berlin; HIIG)


Event date

01.10.2018 - 03.10.2018 ical | gcal


NYU School of Law | Lester Pollack Colloquium Room,  245 Sullivan Street, 9th Floor,   New York


Jörg Pohle, Dr.

Head of Research Program: Actors, Data and Infrastructures


This high-profile lecture series thrives to develop a European perspective on the processes of transformation that our societies are currently undergoing.


Once a month we publicly discuss the impact of digitalisation on the society. Therefore we invite special guests and engage in a dialogue with the audience.


Be the first to learn about our new events and exciting research results.