Don’t count your codes before they hatch

Research project ‘Don’t count your codes before they hatch: A theoretical and empirical analysis of codes of conduct under the General Data Protection Regulation’

Promotor: Prof. Dr. Eva Lievens
Researcher: Carl Vander Maelen

Short description

The research project “Don’t count your codes before they hatch: A theoretical and empirical analysis of codes of conduct under the General Data Protection Regulation” runs from 2018 to 2024. The research investigates the territorial impact of alternative regulatory instruments and the repercussions thereof on corporate behaviour and data protection standards on the global stage.

The impetus for the research is the reality that traditional legislation and classic top-down command-and-control regulation are increasingly unable to grapple with the complex legal and regulatory questions posed by the rapid and constant advances of information and communication technology. In that regard, the EU’s new personal data protection framework as installed by the General Data Protection Regulation (GDPR) foresees in its Articles 40 and 41 the possibility to adopt codes of conduct. These are alternative regulatory instruments (ARIs) that can help with the implementation of the GDPR’s main principles and furthermore offer accountability tools to corporate actors.

Since tech corporations offer essentially borderless services (a process that has been called ‘deterritorialisation’) on a global scale, it is interesting to consider the ‘external effects’ of codes of conduct, i.e. the impact such non-hard-law instruments can have outside the jurisdiction in which they operate. These theoretical findings will then be bolstered by a case study of corporate behaviour outside the EU based on adherence of such corporate actors to GDPR-based codes of conduct. Having regard to the failure of the 1995 Data Protection Directive – the previous EU data protection instrument – to successfully incorporate codes into data protection practices, it is useful to draw comparisons between codes under the 1995 Directive and the GDPR.


Selection of publications:

  • Carl Vander Maelen, ‘From opt-in to obligation : regulating globally operating tech companies through alternative regulatory instruments’ (presentation at BILETA 2019 Conference) (2019)
  • Carl Vander Maelen, ‘High Stakes, Many Stakeholders: Building Blocks for the Successful Regulation of Artificial Intelligence’ (presentation at IFIP 2019 Summer School) (2019)
  • Carl Vander Maelen, ‘Sidestepping Sovereignty: Corporations as the New Global Rule Makers’ (presentation at ACES 2019 Summer School on European and Transnational Rulemaking) (2019)
  • Carl Vander Maelen, ‘Online age verification mechanisms in the personal data protection framework’ (presentation at 2018 Amsterdam Privacy Conference)
  • Eva Lievens and Carl Vander Maelen, ‘A child’s right to be forgotten : letting go of the past and embracing the future?’ 2 Latin American Law Review 61-79 (2019)

Forthcoming publications:

  • Carl Vander Maelen, ‘The Coming-of-Age of Technology: Using Emerging Tech for Online Age Verifications’ 3 Delphi Interdisciplinary Review of Emerging Technologies (2019).