Research Apparatus
Grounded in 10+ years of interdisciplinary research experience, we provide prototyping and empirical validation for effective and efficient regulation
Get in touch with our research team
Discover our research results
Prototyping to explore the effects of regulation
over 15 developed prototypes containing privacy icons, consent banners, consent agents, and privacy dashboards
Empirical testing through qualitative studies
over 7 major qualitative studies to explore laypeople’s privacy expectations and user friendly privacy-by-design solutions
Representative validation through quantitative studies
quantitative studies with over 2500 participants across Europe to validate our solutions setting the State of the Art
Developed by:
Network and partner institutions:

Our Approach

How to evidence the effectiveness of laws?

Legislators and enforcement authorities are increasingly faced with the challenge of ensuring the effectiveness of laws. This is particularly true in the area of technology law, which is characterised by a complex interplay of legal, technical, economic and social factors and an extremely dynamic pace of development. The consent banner is a notorious example: Instead of enabling consumers to make a real decision as to how much privacy they want in exchange for certain product functionalities, most consumers click away these banners without having understood its meaning. The underlying reason for this is of a methodological nature: which methods can be used to empirically prove and ensure more effective laws?

Developing and improving prototypes

With our interdisciplinary methods, we are making an important contribution to closing this knowledge gap. We do this in particular by developing working prototypes for legal-technical solutions, such as consent banners and consent agents, and validating their effectiveness empirically with qualitative studies (for hypothesis creation) and quantitative studies (for verifying them). By comparing different solutions in quantitative A/B tests, we are able to determine which solution is more effective than others and, thus, which solution represents the so-called State of the Art, as required under Art. 25 sect. 1 GDPR.

HOW DO WE MEASURE THE EFFECTIVENESS OF CONSENT

Informedness
Which design informs consumers how well about their risks and benefits so that they are able to make a real decision?
Trust
Which design has what effect on consumer trust in the service used and the processing of their data?
Appropriateness
How appropriate do consumers find which design to control the risks of processing their data?
Consent Rate
Which design affects the consent rate in which way if it enables real privacy decisions?

Evidence-based regulation to enable data-driven innovation through European values

Through our human-centred multi-stakeholder processes, we ensure that we take into account the interests of all affected stakeholders, in particular, consumers, businesses, and regulators. With the evidence we provide, we endeavour to stimulate a positive development dynamic on the market towards ever more effective legislation. In this way, we aim to help realise the full potential of data-driven innovation for the benefit of real-live European values.

Research Results

Consent Agents and Risks 3
Online Advertising
Consent Notices and Risks 2
Consent Notices and Risks 1
Perceived risks
Consent to Control
Privacy Icons
Data Protection as competetive advantage

Quantitative Study

2024–2025

Which Impact Do Consent Agents Have on the Consent Rate?

In this four-week field study with over 1.000 laypersons across Europe, we tested how different consent processes affect the consent rate in an A/B/n test. 

This study focussed on consent agents, which the internet industry fears will cause consent rates to plummet. 

The result of this study was that the consent rate for certain consent agent designs not only remained stable in comparison to current best practice cookie banners, but was even significantly higher for certain processing purposes.

Publication in progress.

Legal Study

2024

Regulation of Online Advertising (commissioned by vzbv)

In this legal study, together with my colleague, Dr Nina Herbort, we analysed various regulatory options for online advertising, in particular personalised advertising. 

Among other aspects, we analysed the current legal framework, from the GDPR, the ePrivacy Directive, the Digital Markets Act and the AI Act to the Political Targeting Regulation. 

The result of this study was that the development of a much clearer and consolidated legal framework may create a market dynamic towards ever more privacy-friendly technologies. However, if this market-oriented approach should prove unenforceable in practice, the report recommends banning the personalisation of advertising as a fallback solution.

Read the VZBV study

Quantitative Study

2024

Which Consent Designs Inform Users Better About Their Risks to Their Fundamental Rights?

In this quantitative study, we tested in an A/B/n test how well consent banner designs inform laypersons about the risks of processing their data when they are designed using legal design methods. 

Among other things, privacy icons and various consent agent designs were used to enable laypeople to manage information overload and consent fatigue. 

The expected result was that these legal design techniques had a positive impact on the laypeople’s awareness of the processing risks. The results also suggest that website operators with a particularly high level of privacy may even increase the consent rate compared to websites causing more privacy risks.

Publication in progress.

Quantitative Study

2023–2024

How Effectively Do Consent Notices Inform Users About the Risks to Their Fundamental Rights?

In this quantitative study, we tested how well consent banners designed according to current best practice rules informed laypeople about the risks of data processing. 

The expected result was that even such consent banners provided laypersons with very inadequate information, so that even these banner designs can hardly be considered ‘effective’ in the sense of Art. 25 para. 1 GDPR.

Read the EDPL paper
Read the extended paper

Qualitative Study

2018–2020

Which Risks Do Laypeople See in Processing Their Data? And How to Exclude them?

This qualitative study yielded three results surrounding the principle of purpose limitation in data protection law:
Laypeople have a nuanced understanding of the potential risks posed by the processing of their data.

The way in which purposes are specified in current privacy policies does not exclude these risks from their perspective, but rather confirms that all of them are present.

However, by using these risk categories, purposes could be specified in such a way that they better explicate existing risks and more clearly exclude non-existent risks.

Read the CLSR paper

Qualitative Study

Prototyping

2018–2020

From Consent to Control by Closing the Feedback Loop

Against the background of existing quantitative studies, in which most respondents rejected tracking and personalisation as such, we asked in this qualitative study about the causes of this attitude. 

Surprisingly, most respondents saw added value in personalisation, in principle; however, due to the opaque and deceptive design of current consent mechanisms, no respondent felt able to make real decisions for or against personalisation.

However, a first prototype with an on/off switch for personalisation combined with a privacy dashboard showed that more user-friendly designs may empower laypeople to make more effective privacy decisions.

Link to white paper on SSRN (in review)

Qualitative Study

Design Study

2018–2023

How to Design Privacy Icons to More Effectively Inform Laypeople about the Processing of Their Data?

In this almost five-year research and development process, we developed a process and a methodology for designing more effective privacy information and user controls. 

At the centre of this project was the development of Privacy Icons that were deemed to inform laypeople more effectively about the processing of their data, depending on different usage scenarios - from consent banners, to privacy policies, to consent agents. 

The results formed the basis for the subsequent development of a fully functional consent agent (link zu YPL) and privacy dashboard (link zu SiD).

Read the CLSR paper

Qualitative Study

Legal Analysis

2013–2016

How to Use Data Protection as a Competitive Advantage?

In this four-year research project, we analysed the effects of regulation on innovation processes as part of a so-called Startup Law Clinic. 

One example of this was the principle of purpose limitation in data protection law, which many critics consider to be opposed to the open-endedness of innovation processes. 

The surprising result of this study was that the purpose limitation principle is a regulatory instrument that is, in fact, very open to innovation and, in combination with co-regulatory mechanisms such as certification processes, may even promote data-driven innovation.

Link to dissertation in Nomos eLibrary
Link to refined version (short)
Research Projects (Selection)
Talks
Publications
10/2023–09/2026

Secure in Data Traffic (Privacy Dashboard)

Building on the Consenter project (Your Privacy Lawyer), we supplement the Consent Agent and Consent Banner developed with user-friendly data subject rights. A so-called Privacy Dashboard enables consumers to understand, with a few clicks, why personalised content is being displayed to them and to adapt these parameters to their needs. The Privacy Dashboard thus provides a visual, common interface through which websites and advertisers can disclose to consumers their advertising profiles.

Visit website
11/2023–04/2025

Your Privacy Lawyer (Consenter)

In this project, we are solving the current cookie banner problem by developing user-friendly consent procedures. A central element is a consent agent that helps consumers to better understand their data protection risks and to decide accordingly, while avoiding consent fatigue. The project is also creating a certification programme that guarantees consumers and companies that the data collected will be treated in accordance with the GDPR.

Visit website
08/2020–12/2024

Usable Privacy / Privacy Icons

In this project, we developed interdisciplinary concepts and methods in a team of lawyers, UX and UI designers as well as social scientists, which can be used to develop user-friendly privacy measures and empirically test their effectiveness. In doing so, we developed prototypes, in particular for user-friendly transparency measures (including privacy icons) and usable choice architectures.

Visit website

Lectures

Datenteilen trotz Geschäftsgeheimnissen. Vorstellung der Ergebnisse der Data Governance-Studie im Reallabor Antrieb 4.0

9. Quartalstreffen im Reallabor Antrieb 4.0. Forschungsvereinigung Elektrotechnik beim ZVEI e.V. gefördert durch das Bundesministerium für Wirtschaft und Klimaschutz. Online, Berlin, Germany: 05.12.2024, Max von Grafenstein, Maurice Stenzel

Smart Data Governance. Der digitale Leitfaden für die datengetriebene Verwaltung

Smart Country Convention – Digitales Berlin. Bitkom e.V.. hub27, Messe Berlin, Berlin, Germany: 16.10.2024

Berlin der Begegnung - 13. interdisziplinärer Workshop für exzellente Nachwuchskräfte

Genshagener Kreis e.V. Berlin. Stiftung Genshagen, Im Schloss, Genshagen, Deutschland: 22.11.2022 more information

Data Laws & Data Governance

Data Commons & the Law. Humboldt Institut für Internet und Gesellschaft, Berlin, online: 27.10.2022

What’s the deal? – Zum Gegenstand des Tauschgeschäfts im Datenschutz

DatenTag: Daten gegen Dienstleistung. Stiftung Datenschutz. ESMT, Berlin, Germany: 25.05.2022 more information

Erfolgreiche Einwilligungsagenten und die User Experience

DatenTag: Das TTDSG und neue Wege zur Einwilligungsverwaltung. Stiftung Datenschutz. Historische Kassenhalle im Humboldt Carré, Berlin, Germany: 03.11.2021 more information

Designing Effective Privacy Icons through an Interdisciplinary Research Methodology

Forum Verbraucherinformatik 2021: Verbraucherdatenschutz – Technik und Regulation zur Unterstützung des Individuums (Session: Ethische/rechtliche Überlegungen zu interdisziplinärem, digitalen Daten- und Verbraucherschutz). Verbraucherinformatik. Online, Online, Germany: 23.09.2021, Max von Grafenstein, Timo Jakobi, Julie Heumüller, more information

The General Data Protection Regulation: From Compliance to Competitive Advantage

European Association for Data Protection Professionals (EADPP) Conference (Session: The General Data Protection Regulation: From Compliance to Competitive Advantage). European Association for Data Protection Professionals (EADPP). Mauritslaan 49, 6129 EL Urmond, The Netherlands, Urmond, Netherland: 14.11.2019 more information

#tobediscussed – Digitale Selbstbestimmung in der Mediengesellschaft. ECDF, Medieninnovationszentrum Babelsberg (MIZ)

Robert Koch Forum, Berlin, Deutschland: 20.06.2019 more information

Data-Driven Economy Challenges and Opportunities

Data Governance and Smart Cities (Session: Regulation and Governance). Intereconomics / IW (German Economic Institute). Hamburgische Landesvertretung, Berlin, Deutschland: 17.06.2019 more information

Smart City Governance: Citizens, Privacy and Services

CPDP 2018 Computer, Privacy and Data Protection Conference (Session: Smart City Governance: Citizens, Privacy and Services). Centre for Research into Information, Surveillance and Privacy. Area 42 Petit, Brussels, Belgium: 30.01.2019 more information

Nudging: Regulierung durch Big Data und Verhaltenswissenschaften

Gutachterfachtagung: Big Data: intelligente Datenanalyse für die Datenökonomie. ABIDA-Projekt. Bundesministerium für Bildung und Forschung (BMBF), Berlin, Germany: 17.10.2018, Maximilian von Grafenstein, Jörg Pohle, more information

Taking ownership of wearables’ data by applying the approach of data protection by design

E-Stitches Berlin #3: Taking Ownership of Your Wearable’s Data. KOBA. KOBA, Berlin, Germany: 11.10.2018 more information

The ‘state of the art’ of privacy- and security-by-design (measures)

MyData 2017. University of Helsinki. Tallinn University, Tallinn, Latvia: 30.08.2018, Maximilian Von Grafenstein, Christina Douka

Challenges and Strategies for Certifying Data Anonymisation for Data Sharing

IAPP Europe Data Protection Congress 2017. IAPP. Conference Center, Brussels, Belgium: 08.11.2017

Gemeinsame oder getrennte Infrastruktur

Zukunft gestalten! (Session: Aggregatoren und Plattformen). Unesco Kommission e.V.. Neue Nationalbibliothek, Berlin, Germany: 19.10.2017

Legitimate Interest and Compatible Purpose Vs. Consent

Bitkom Privacy Konferenz 2017. Bitkom. Kalkscheune, Berlin, Germany: 19.09.2017, Maximilian von Grafenstein, Michael Kamps

Die Auswirkungen des Zweckbindungsprinzips auf Innovationsprozesse in Startups

Herbstakademie (Session: Data Protection Law). Deutsche Stiftung für Recht und Informatik. Bucerius Law School, Hamburg, Germany: 15.09.2017

EU General Data Protection Regulation

National Congress for Personal Health. Şişli Hamidiye Etfal Eah Konferans Salonu. Şişli Hamidiye, Istanbul, Turkey: 03.06.2017

Big Data, Big Business?

Annual Conference LESI2017: IP Revolution? Scenarios for the future. Licensing Executives Society. Novotel Tour Eiffel, Paris, France: 24.04.2017

The Interplay between Data Protection Principles and Data-Driven Innovation

EuroDIG 2016. Brussels Meeting Center, Brussels, Belgium: 09.06.2016

IoT & Privacy

Startup Camp Berlin. Humboldt-Universität zu Berlin. Humboldt-Universität zu Berlin, Berlin, Germany: 08.04.2016

Big Data and data protection: A search for regulation exemplified on the principle of purpose limitation

Amsterdam Privacy Conference 2015. Amsterdam Platform for Privacy Research (APPR). Oudemanhuispoort, Amsterdam, Netherlands: 24.10.2015

MAUERSCHAU: A Mobile Virtual Museum - Postmodern Storytelling through Digital Media

EVA Electronic Visualisation and the Arts (Session: Parallel session: Papers - Museum). The Chartered Institute for IT. The Davidson Building, London, United Kingdom: 09.07.2015

MAUERSCHAU - Das Mobile Virtuelle Museum

MAI Tagung - Museums and the internet (Session: BLOCK II: Den Außenraum erschließen). LVR-Fachbereich Kultur, LVR- Archivberatungs- und Fortbildungszentrum. DASA Arbeitswelt Ausstellung / Bundesanstalt für Arbeitsschutz und Arbeitsmedizin (BAuA), Dortmund, Germany: 11.05.2015

Data Protection between Innovation and the Rule of Law

Magical Startups. Magical Startups. W Hotel, Santiago de Chile, Chile: 14.01.2015

Exploring Service Delivery by Startup Law Clinicsi

LINC Conference (Session: Break out session). Queen's University, Amsterdam, Netherland: 01.11.2014

Startups - der „rechtliche“ Weg in die Selbständigkeit

Career Center - Humboldt Innovations Zentrum. Humboldt-Universität zu Berlin, Berlin, Germany: 07.01.2014

Big Data - Verantwortlichkeiten für Wahrscheinlichkeitsresultate

Leadership in Digitaler Kommunikation. Electronic Business School. Electronic Business School, Berlin, Germany: 25.11.2013

Verkehrsdaten: (Echtzeit-)Verkehrsinformationen vs. Totalüberwachung

Future Mobility Camp Berlin 2013. EUREF Campus TU Berlin. EUREF Campus, Berlin, Germany: 26.10.2013

Panels

DatenFrühstück: "Datenschutzsignale"

Stiftung Datenschutz. Stiftung Datenschutz, Leipzig, Germany: 28.05.2024 more information

Fairness in Personalisation: the Role of Transparency and the Balance Between Interests

Privacy Conference 2023. Bitkom e.V.. Online, Berlin, Germany: 12.10.2023 more information

ECDF and Elsevier Conversations on Science in the Digital Future #1: Data Privacy in the Digital Era.

Einstein Center Digital Future, Berlin, Germany: 22.11.2022 more information

Organisational Challenges

Privacy Research Day. Commission Nationale de l'Informatique et des Libertés (CNIL). CNIL, Paris, France: 28.06.2022 more information

Where are the Missing Data Subjects? Democratising Data Protection Through Participation

Computers, Privacy and Data Protection. CDPC. Online, Brussels, Belgium: 28.01.2021 more information

From Strategy to Practice – Data Intermediaries in the EU

MyData Online. MyData Global. Online, Helsinki, Finland: 11.12.2020 more information

GDPR Data Protection Icons and Transparency: Where do we stand?

CPDP 2020 Computer, Privacy and Data Protection Conference. Einstein Centre Digital Future. Petite Halle, Brussels, Belgium: 22.01.2020 more information

Panel Wirtschaftsinformatik im Spannungsfeld der Datenschutzgrundverordnung

14. Internationale Tagung Wirtschaftsinformatik. Universität Siegen. Eintrachtssaal Siegerhalle, Siegen, Deutschland: 25.02.2019, Max von Grafenstein, Kai Hackbarth, Legner, Peter Mertens, Ayten Öksüz, Markus Weber, more information

Certification for GDPR-compliant Anonymity: Real Anonymisation or just another Risk Assessment?

CPDP2018 Computer, Privacy and Data Protection Conference. AirCloak. La Cave, Brussels, Belgium: 30.01.2019 more information

Designkurs: Nudging and Persuasive Design

Designdiskurs: Nudging and Persuasive Design. IDZ Internationales Design Zentrum Berlin, Berlin, Germany: 20.09.2018, Peter Post (Geschäftsführer der Kreativagentur Scholz & Volkmer), Prof. Dr. Max von Grafenstein (HIIG), Dr. Mira Fischer (Verhaltensökonomin), more information

In der Zukunft angekommen. Abschlussdiskussion der DIN/KITS-Konferenz

KITS-Konferenz - Das strategiepolitische Forum der Koordinierungsstelle IT-Sicherheit im DIN. KITS, Berlin, Germany: 02.07.2015

Moderation of workshops and panels

Wie kann der digitale Leitfaden für Data & Smart City Governance die datengetriebene Verwaltung unterstützen?

5. Kongress der Modellprojekte Smart Cities 2024. Bundesministerium für Wohnen, Stadtentwicklung und Bauwesen. KOMED Köln, Cologne, Germany: 20.11.2024, Maurice Stenzel, Alexandra Auer, Max von Grafenstein, more information

Workshop mit Mitgliedern des Digitalausschusses des Deutschen Bundestages zu § 26 TTDSG

Interner Workshop mit Mitgliedern des Digitalausschuss des Deutschen Bundestages zu § 26 TTDSG. Einstein Center Digital Future. Einstein Center Digital Future, Berlin, Germany: 05.06.2024

Cookie Pledge, Do Not Track… how is all that supposed to work from the user’s point of view?

Computers, Privacy and Data Protection conference (CPDP) 2024. UdK Berlin & Einstein Center Digital Future. Maison de la Poste, Brussels, Belgium: 23.05.2024 more information

Launch of the new board game: Admins and Hackers

CPDP 2020 Computer, Privacy and Data Protection Conference. Area42, Brussel, Belgium: 23.01.2020 more information

Exploring the "Design" in "Privacy" by design

CPDP2018 Computer, Privacy and Data Protection. Les Halles de Schaerbeek, Brussels, Belgium: 24.01.2018

Legal Hackathon "Wearables": Fashion Tech and Privacy-by-Design

re:publica 2017. Station, Berlin, Germany: 10.05.2017

Legal Hackathon: „Building Standards of Privacy- and Security-by-Design for the IoT"

AoIR Conference 2016 „Internet Rules!“.. Humboldt Institut für Internet und Gesellschaft, Berlin, Germany: 05.10.2016

Pay per Pixel - Current Challenges for Audio-Visual Media: (Legal) Conditions and New Business Models

Early Stage Researcher Colloquium. Humboldt Institut für Internet und Gesellschaft, Berlin, Germany: 09.10.2014, Henrike Maier, Lies van Roessel, Urs Kind, Maximilian von Grafenstein, Dr., Anett Göritz

Organisation of events

Datenteilen unter Wahrung von Geschäftsgeheimnissen

11.06.2024. Berlin Partner für Wirtschaft und Technologie, Berlin, Germany (National), Maurice Stenzel, Maximilian von Grafenstein

We do not protect data, but fundamental rights! What’s really at stake in Personalization, then?

Computers, Privacy and Data Protection conference (CPDP) 2024. 22.05.2024. Computers, Privacy and Data Protection conference (CPDP) 2024, Brussels, Belgium. Co-Organised by: Nexus Institut; Law & Innovation (International) more information

Reallabor Bürger*innen-Beteiligung: Bessere Luft durch Verkehrswende?

25.11.2023. CityLAB Berlin, Berlin, Germany (National), Luisa Kruse, Alexandra Auer, Maurice Stenzel, Maximilian von Grafenstein, more information

Öffentlichkeitsbeteiligung in der dategentetriebenen Verwaltung

23.10.2023. Humboldt Institut für Internet und Gesellschaft, Berlin, Germany (National), Luisa Kruse, Alexandra Auer, Maurice Stenzel, Maximilian von Grafenstein

1. Netzwerktreffen KI in der Pflege

From 26.09.2023 to 27.09.2023. Urania, Berlin, Germany. Co-Organised by: Universität Bremen, Charité Universitätsmedizin Berlin, Berliner Hochschule für Technik, vediso – Verband für Digitalisierung in der Sozialwirtschaft e.V. (National), Nils Heinemann, Maximilian von Grafenstein, Jörg Pohle, more information

GDPR Certification Schemes: General vs. Specific Schemes – What Do Effective Schemes Look Like?

CPDP 2022 Computer, Privacy and Data Protection Conference. with attending Vip: Jana Krahforst, Chris Taylor, Sebastian Meissner. 23.05.2022. Area42, Brussel, Belgium (International) more information

Effective Transparency and Control Measures (Including Privacy Icons): the Example of Cookie Banners. Where Do We Stand Now?

CPDP 2022 Computer, Privacy and Data Protection Conference. with attending Vip: Jana Krahforst (fraud0), Estelle Hary (CNIL), Nina Herbort (BFDI), AbdelKarim Mardini (Google). 23.05.2022. Area42, Brussel, Belgium (International) more information

Ask an Expert: Datenschutz und Data Governance

16.05.2022. Humboldt Institut für Internet und Gesellschaft, Berlin, Germany (National), Maximilian von Grafenstein, Jörg Pohle, more information

Datenschutz by Design in der (Vollzugs)Praxis – Workshop für Expert*innen

From 28.10.2021 to 28.10.2021. Humboldt Institut für Internet und Gesellschaft, Berlin, Germany. Co-Organised by: Alexander Dix (EAID), Frank Pallas (TU Berlin) (National), Maximilian von Grafenstein, Jörg Pohle, more information

“Citizens, give us your problems! How to Open Data without giving it away.”

2020 Berlin Science Week. 03.11.2020. Online, Berlin, Germany (International), Luiza Bengtsson, Mareike Lisker, Jan Sebastian Götte, Maximilian von Grafenstein, Jörg Pohle, more information

3. Workshop zur Zertifizierung "Prüfprogramme für Auftragsverarbeiter"

13.01.2020. Humboldt Institut für Internet und Gesellschaft, Berlin, Germany (National), Maximilian von Grafenstein, Jörg Pohle

Workshop session

Workshop# 182: Data Governance for Smarter City Mobility at Internet Governance Forum 2019. From 28.11.2019 to 28.11.2019. Estrel Berlin, Berlin, Germany. Co-Organised by: Alina Wernick, Maximilian von Grafenstein, Li-hsien Chang, Natalie Kreindlina, Christopher Olk (International), Li-hsien Chang, Natalie Kreindlina, Alina Wernick, Maximilian von Grafenstein, more information

Data Governance: Between Concepts and Case Studies

02.07.2019. Humboldt Institute for Internet and Society, Berlin, Germany (International), Natalie Kreindlina, Alina Wernick, Christopher Olk, Maximilian von Grafenstein

"Data Protection as a Service – Zertifikate für Webhoster"

20.05.2019. Humboldt Institut für Internet und Gesellschaft, Berlin, Germany (National), Kevin Klug, Maximilian von Grafenstein, Jörg Pohle, Nuri Khadem

Who holds a stake in Smart City Data?

From 15.04.2019 to 15.04.2019. Humboldt Institute for Internet and Society, Berlin, Germany (International), Alina Wernick, Christopher Olk, Maximilian von Grafenstein

Expert workshop for „EXPLOIDS“: Host Intrusion Detection and the State of the Art of Data Protection and Security by Design

01.04.2019. Humboldt Institute for Internet and Society, Berlin, Germany (National), Björn Scheuermann, Maximilian von Grafenstein, Jörg Pohle

Data Protection by Design in Smart Cities

05.11.2018. Humboldt Institut für Internet und Gesellschaft, Berlin, Germany (International), Kevin Klug, Maximilian von Grafenstein, Jörg Pohle, Nuri Khadem

Methodische Fragen zu Prüfprogrammen im Sinne der Artikel 42 und 43 DSGVO (mit ECDF)

29.10.2018. Deutsche Akkreditierungsstelle DAkkS, Berlin, Germany (National), Julian Hölzel, Maximilian von Grafenstein, Jörg Pohle, Nuri Khadem

Nudging and Digital Platforms

with attending Vip: Maximilian Mayer. 10.01.2018. Humboldt Institut für Internet und Gesellschaft, Berlin, Germany (International), Florian Irgmaier, Maximilian von Grafenstein, Jörg Pohle

Game Jam – Unveil the privacy threat

From 07.10.2017 to 08.10.2017. Humboldt Institut for Internet and Society, sirius minds, Berlin, Germany (International), Katharina Beitz, Maximilian von Grafenstein, Thomas Schildhauer, Larissa Wunderlich

Startups Research with an Interdisciplinary Touch

iLINC Conference. 18.05.2015. betahaus Berlin, Berlin, Germany. Co-Organised by: Humboldt Carré (International)

Datenschutz zwischen Innovationsoffenheit und Rechtssicherheit

06.03.2015. Google Launchpad, München / Berlin, Germany (National)

Moot Court on Format Dispute Resolution „Survivor!“ vs. „Celebrity“

07.07.2014. Filmakademie Baden-Württemberg, Ludwigsburg, Germany (National)

Startup Clinics Talks about how to onboard talents with KPMG

27.05.2014. Alexander von Humboldt Institute for Internet and Society, Berlin, Germany (International)

Veröffentlichungsrechte im Netz

12.05.2014. Electronic Media School, Babelsberg, Germany (National)

Fachgespräch zur EU-Datenschutzreform mit dem BMI

27.01.2014. Walter-Hallstein-Institut für Europäisches Verfassungsrecht, Berlin, Germany (National), Emma Peters, Maximilian von Grafenstein, Jörg Pohle, Osvaldo Saldías, Rüdiger Schwarz, Ingolf Pernice

Functions

Academic Board of the European Association of Data Protection Professionals.Vice President
Annual Privacy Forum Lisbon 2020. Member of the Program Committee
PLSC Europe 2020 - European Privacy Law Scholars Conference in Tilburg. Member of the Programm Committee

Participation as an expert

What thinking of data as an economic good can (not) teach us about data governance?

Digital Legal Talks 2022 Law schools of Tilburg University, the University of Amsterdam, Radboud University and Maastricht University. Utrecht, De Zalen van Zeven, Utrecht, Netherlands: 24.11.2022 more information

Media appearances

Tracking im Netz: Manipulation, Diskriminierung und Vertrauensverlust“ durch personalisierte Werbung

12.02.2025, netzpolitik.org, more information

Mitmachaktion am Flughafen Tempelhof: Das CityLab simuliert in Berlin die Verkehrswende

24.11.2023, Tagesspiegel, more information

Datenpolitik: Kann die Luft in Berlin dank Künstlicher Intelligenz besser werden?

03.04.2023, Tagesspiegel, more information

Data Governance: Berlin startet Experiment

30.03.2023, Tagesspiegel Background, more information

Wie lassen sich Datenteilen und Datenschutz vereinbaren?

17.11.2022, Frankfurter Allgemeine Zeitung, more information

Online-Werbung: Wie kann man Cookie-Banner besser machen?

24.06.2022, Tagesspiegel, more information

Datenschutz verständlich machen Symbole wie im Straßenverkehr sollen Bürger aufklären

02.05.2019, Berliner Zeitung, more information

Über den Tellerrand schauen: 10 Jahre Einstein-Stiftung

02.12.2019, Berliner Morgenpost, more information

Interview: Berlin's Take on a High-Tech ‘Smart City’ Could Be Different

19.09.2019, Citylab, more information

Spiele lehren Sicherheit

20.09.2017, Unternehmen heute, more information

Books

Grafenstein, M. v. (2018)

The Principle of Purpose Limitation in Data Protection Laws. The Risk-based Approach, Principles, and Private Standards as Elements for Regulating Innovation

Baden-Baden: Nomos. more information

Journal articles and conference papers

Grafenstein, M. v., & Rupp, V. (2024)

Clarifying “personal data” and the role of anonymisation in data protection law: Including and excluding data from the scope of the GDPR (more clearly) through refining the concept of data protection

Computer Law & Security Review, 52. DOI: 10.1016/j.clsr.2023.105932 more information

Grafenstein, M. v., Kiefaber, I., Heumüller, J., Rupp, V., Graßl, P., Kolless, O., & Puzst, Z. (2024)

Privacy icons as a component of effective transparency and controls under the GDPR: effective data protection by design based on art. 25 GDPR

Computer Law & Security Review, 52. DOI: 10.1016/j.clsr.2023.105924 more information

Grassl, P., Gerber, N., & Grafenstein, M. v. (2024)

How Effectively Do Consent Notices Inform Users About the Risks to Their Fundamental Rights?

European Data Protection Law Review, 10(1), 96-104. DOI: 10.21552/edpl/2024/1/14 more information

Mihaljević, H., Müller, I., Dill, K., Yollu-Tok, A., & von Grafenstein, M. (2023)

More or less discrimination? Practical feasibility of fairness auditing of technologies for personnel selection

AI & Society. DOI: 10.1007/s00146-023-01726-w more information

Jakobi, T., Grafenstein, M. v., Smieskol, P., & Stevens, G. (2022)

A Taxonomy of user-perceived privacy risks to foster accountability of data-based services

Journal of Responsible Technology, 10, 1-14. DOI: 10.1016/j.jrt.2022.100029 more information

Grafenstein, M. v. (2021)

Refining the concept of the right to data protection in article 8 ECFR – part II

European Data Protection Law Review, 7(2), 190-205. DOI: 10.21552/edpl/2021/2/8 more information

Grafenstein, M. v. (2021)

Refining the concept of the right to data protection in article 8 ECFR – part III

European Data Protection Law Review, 7(3), 373-387. DOI: 10.21552/edpl/2021/3/6 more information

Grafenstein, M. v., Jakobi, T., & Stevens, G. (2021)

Effective data protection by design through interdisciplinary research methods: The example of effective purpose specification by applying user-Centred UX-design methods

Computer Law & Security Review, 46. DOI: 10.1016/j.clsr.2022.105722 more information

Grafenstein, M. v. (2020)

Innovationsoffener Datenschutz durch Folgenabschätzungen und Technikgestaltung

Datenschutz und Datensicherheit - DuD, 44(3), 172-175. more information

Grafenstein, M. v., Jakobi T., Gegner, C., Labadie, C., Mertens, P., Öksüz, A. & Stevens, G. (2020)

The Role of IS in the Conflicting Interests Regarding GDPR

Business & Information Systems Engineering. more information

Grafenstein, M. v., Jakobi, T., Stevens, G., Seifert, A.-M., & Becker, M. (2020)

Web Tracking Under the New Data Protection Law: Design Potentials at the Intersection of Jurisprudence and HCI

i-com, 19(1), 31–45. DOI: https://doi.org/10.1515/icom-2020-0004 more information

Wernick, A., Olk, C., & Grafenstein, M. v. (2020)

Defining Data Intermediaries

Technology and Regulation, 65–77. DOI: 10.26116/techreg more information

Grafenstein, M. v. (2020)

Refining the Concept of the Right to Data Protection in Article 8 ECFR – Part I

European Data Protection Law Review, 6(4), 509-521. DOI: 10.21552/edpl/2020/4/7 more information

Grafenstein, M. v., Jain, A., Thorne, M., Rogers, J. et al. (2019)

Our Friends Electric – Reflections on Advocacy and Design Research for the Voice Enabled Internet

ACM CHI Conference on Human Factors in Computing Systems. DOI: 10.1145/3290605.3300344 more information

Grafenstein, M. v., Wernick, A., & Olk, C. (2019)

Data Governance: Enhancing Innovation and Protecting Against Its Risks

Intereconomics, 54 (4), 228-232. DOI: 10.1007/s10272-019-0829-9 more information

Grafenstein, M. v., & Wunderlich, L. (2019)

The concept of data protection law

PinG (Privacy in Germany), 8(1), 2–3. DOI: 10.5281/zenodo.3968996 more information

Grafenstein, M. v. & Schulz, W. (2016)

The right to be forgotten in data protection law: a search for the concept of protection

International Journal of Public Law and Policy - IJPLP. more information

Ulbricht, L. & Grafenstein, M. v. (2016)

Big data through the power lense: marker for regulating innovation

Internet Policy Review. more information

Grafenstein, M. v. (2016)

Die Auswirkungen des Zweckbindungsprinzips auf Innovationsprozesse in Startups

Smart World - Smart Law? Weltweite Netze mit regionaler Regulierung. Tagungsband DSRI-Herbstakademie 2016, 233-246. more information

Grafenstein, M. v., Schneider, E., Richter, N. (2015)

MAUERSCHAU: A Mobile Virtual Museum – Postmodern Storytelling through Digital Media

Kultur und Informatik: Cross Media. more information

Grafenstein, M. v. (2015)

Das Zweckbindungsprinzip zwischen Innovationsoffenheit und Rechtssicherheit – Zur mangelnden Differenzierung der Rechtsgüterbetroffenheit

Datenschutz und Datensicherheit - DuD, 39(12), pp 789-795. more information

Dopfer, M., Grafenstein v., M., Richter, N., Schildhauer, T., Tech, R., Trifonov, S., & Wrobel, M. (2015)

Fördernde und Hindernde Faktoren Für Internet-Enabled Startups (Supporting and Hindering Factors for Internet-Enabled Startups)

HIIG Discussion Paper Series, 2015(06). more information

Editorships

Ulbricht, L., & Grafenstein, M. v. (2016)

Big data: big power shifts [Special issue]

Internet Policy Review, 5(1). DOI: 10.14763/2016.1.406 more information

Book contributions and chapters

Schildhauer, T., Jakobi, T., & Grafenstein, M. v. (2021)

Data privacy: a driver for a competitive advantage.

In M. Einhorn, M. Löffler, E. de Bellis, A. Herrmann, & P. Burghartz (Eds.), The Machine Age of Customer Insight. Bingley, United Kingdom: Emerald Publishing Limited. more information

Grafenstein, M. v., Heumüller, J. & Jakobi, T. (2021)

Die Gestaltung wirksamer Bildsymbole für Verarbeitungszwecke und ihre Folgen für Betroffene mithilfe einer interdisziplinären Forschungsmethodologie

In A. Boden, T. Jakobi, G. Stevens & C. Bala, Verbraucherdatenschutz - Technik und Regulation zur Unterstützung des Individuums (pp. 1-20). Sankt Augustin, Germany: Hochschule Bonn-Rhein-Sieg. DOI: 10.18418/978-3-96043-095-7_07 more information

Grafenstein, M. v. (2019)

Co-Regulation and the Competitive Advantage in the GDPR: Data protection certification mechanisms, codes of conduct and the “state of the art” of data protection-by-design

In González-Fuster, G., van Brakel, R., & P. De Hert, Research Handbook on Privacy and Data Protection Law. Values, Norms and Global Politics, Edward Elgar Publishing, 1st Ed.. Cheltenham: Edward Elgar Publishing. more information

Grafenstein, M. v. (2018)

Regulation as a Facilitator of Startup Innovation: The Purpose Limitation Principle and Data Privacy

In N., Richter, P., Jackson, & T., Schildhauer, (Eds.), Entrepreneurial Innovation and Leadership Preparing for a Digital Future (pp. 41-49). Cham, Switzerland: Palgrave McMillan. more information

Pype, P., Daalderop, G., Schulz-Kamm, E., Walters, E., & Grafenstein, M. v. (2017)

Privacy and Security in Autonomous Vehicles

In D. Watzenig & M. Horn, Automated Driving: Safer and More Efficient Future Driving (pp. 17-28). Berlin, Heidelberg: Springer. more information

Grafenstein, M. v. (2017)

Kommentar zu Art.2 der Datenschutz-Grundverordnung

In Gierschmann, Sibylle Dr., Schlender, Katharina, Stenzel, Rainer Dr. (Eds.), Kommentar - Datenschutzgrundverordnung, 1. Köln: Bundesanzeiger Verlag. more information

Working papers

Kreutzer, S., Heimer, T., Nachtigall, H., Pschorn, L., Bauer, F., Blind, K., Martin, N., Grafenstein, M. v., Streblow, R., Du, J. & Schölzel, J. (2024)

Wissenschaftliche Begleitung und Vernetzung der Projekte zur Entwicklung und praktischen Erprobung von Datentreuhandmodellen in den Bereichen Forschung und Wirtschaft: Bericht zu Arbeitspaket 1.2: Anforderungen und Umsetzungshemmnisse für Datentreuhandmodelle

Publikationsserver der RWTH Aachen University. DOI: 10.18154/RWTH-2024-04375 more information

Kreutzer, S., Heimer, T., Nachtigall, H., Pschorn, L., Waiblinger, F., Blind, K., Martin, N., Horvat, D., Grafenstein, M. v., Schweinberg, M., Streblow, R., Du, J. & Schölzel, J. (2024)

Wissenschaftliche Begleitung und Vernetzung der Projekte zur Entwicklung und praktischen Erprobung von Datentreuhandmodellen in den Bereichen Forschung und Wirtschaft: Arbeitspaket 1.1 Bestandsaufnahme

Publikationsserver der RWTH Aachen University. DOI: 10.18154/RWTH-2024-04376 more information

de Macedo Schäfer, N., Schweinberg, M. J., Stenzel, M., & von Grafenstein, M. (2023)

Data Governance im Spannungsfeld datengetriebener Verwaltung. Herausforderungen von Kommunen bei der Etablierung einer Smart City Administration

HIIG Discussion Paper Series, 2023(4). DOI: 10.5281/zenodo.8297607 more information

Auer, A., von Grafenstein, M., Kruse, L. & de Macedo Schäfer, N. (2023)

Öffentlichkeitsbeteiligung in der datengetriebenen Verwaltung. Ein prozessbezogener Ansatz zur Lösung datenbezogener Interessenkonflikte durch die Ergänzung formeller Beteiligung

HIIG Discussion Paper Series, 2023(5). DOI: 10.2139/ssrn.4603704 more information

Bria, F., Blankertz, A., Fernández-Monge, F., Gelhaar, J., Grafenstein, M. v., Haase, A., Kattel, R., Otto, B., Sagarra Pascual, O., & Rackow, L. (2023)

Governing Urban Data for the Public Interest

The New Hanse Project Blueprint. more information

Grafenstein, M. (2023)

The New Hanse: Data sharing between public and private actors in the public interest – A first legal assessment toward a legal blueprint

The New Hanse Report. more information

Frank, R. D., Grafenstein, M. v., & Rothfritz, L. (2022)

Open Data und die Risikowahrnehmung in der Öffentlichen Daseinsvorsorge

Einstein Center Digital Future. DOI: 10.5281/zenodo.6285549 more information

Grafenstein, M. v. (2022)

Reconciling Conflicting Interests in Data through Data Governance. An Analytical Framework

HIIG Discussion Paper Series, 2022(2). DOI: 10.5281/zenodo.7390542 more information

Grafenstein, M. v. (2021)

Specific certification schemes as rule, general schemes (and criteria) as exception

HIIG Discussion Paper Series, 2021(04). DOI: 10.5281/zenodo.4905484 more information

Grafenstein, M. v., Pallas, J., & Pohle, J. (2021)

Datenschutz durch Technikgestaltung gem. Art. 25 Abs. 1 DS-GVO

HIIG Discussion Paper Series, 2021(5). DOI: 10.5281/zenodo.6325328 more information

Grafenstein, M. v., Heumüller, J., Belgacom, E., Jakobi, T., Smieskol, P., & Wunderlich, L. (2021)

Effective regulation through design – Aligning the ePrivacy regulation with the EU General Data Protection Regulation (GDPR): tracking technologies in personalised internet content and the data protection by design approach

OpenAIRE. DOI: 10.5281/zenodo.5575447 more information

Grafenstein, M. v. (2021)

Kurzpapier: Data Governance. Ein Framework zur Erfassung “erfolgreicher” Data Governance-Modelle

HIIG Discussion Paper Series, 2021(6). DOI: 10.5281/zenodo.6327345 more information

Grafenstein, M. v., & Ulich, A. (2021)

Data-Governance-Framework für das Digital Urban Center for Aging and Health (DUCAH)

Stiftung für Internet und Gesellschaft. more information

Grafenstein, M. v. (2020)

How to build data-driven innovation projects at large with data protection by design

HIIG Discussion Paper Series, 2020(3), 93. more information

Grafenstein, M. v., Jakobi, T. (2019)

Une Nouvelle Gouvernance pour les Données au XXIème Siècle – Des Standards pour la Circulation et la Protection des Données Personelles

more information

Grafenstein, M. v. (2016)

Gesamtheit der Grundrechte als belastbarer Maßstab fur den „risikobasierten“ Ansatz: ein Losungsvorschlag fur das Zweckbindungsprinzip

Die Zukunft des Datenschutzes im Kontext von Forschung und Smart Data - Datenschutzgrundprinzipien im Diskurs, 34-37. more information

Raabe, O., Lenk, A. et al. (2015)

Smart Data – Smart Privacy? Impulse für eine interdisziplinär rechtlich-technische Evaluation

Technical Report des BMWi-Technologieprogramms „Smart Data – Innovationen aus Daten“. more information

Dopfer M., Grafenstein, M. v., Richter, N., Schildhauer, T., Tech, R. P. G., Trifonov, S., Wrobel, M. (2015)

Fördernde Und Hindernde Faktoren Für Internet-Enabled Startups. (Supporting and Hindering Factors for Internet-Enabled Startups.)

HIIG Discussion Paper Series. more information

Grafenstein, M. v. (2014)

Copyright Protection of Formats on the European Single Market – A Definition of the Coypright Protected Work with respect to Utilitarian Coypright Theories

The Single Market and copyright protection of formats. more information

other publications

Pohle, J., Grafenstein, M., & Ulich, A. (2023)

Menschenzentrierte Data Governance im Gesundheits- und Pflegesektor

Digital society blog. more information

Grafenstein, M. v. (2023)

Stellungnahme zum Referentenentwurf des Bundesministeriums für Digitales und Verkehr „Verordnung über Dienste zur Einwilligungsverwaltung nach § 26 Abs. 2 TTDSG“

Humboldt Institute for Internet and Society. more information

Grafenstein, M. v. (2023)

„Es muss ein Primat der Demokratie über Technologie und Geschäftsmodell geben.“ Ein Gespräch mit Paul Nemitz

TE.MA. more information

Rupp, V., Heumüller, J., & von Grafenstein, M. (2022)

Effiziente Datenminimierung im Gebäude- und Quartierssektor

Retrieved from https://zenodo.org/record/6854465#.YuJPHi-22Rt. more information

Grafenstein, M. v. (2022)

Wie lassen sich Datenteilen und Datenschutz vereinbaren?

FAZ. more information

Rehmann, F., Cudok, F., Rupp, V., Grafenstein, M. von., Kegel, J., Aretz, A. & Streblow, R. (2022)

Thesen zur Digitalisierung der Energiewende in Deutschland: Status Quo und Ausblick- eine Expert*innenbefragung der deutschen Forschungslandschaft

Whitepaper. more information

Grafenstein, M. v., Jakobi, T., & Wunderlich, L. (2020)

Der Kiezkartograph mit Datenspende

StadtManufaktur. more information

Grafenstein, M. v., Hölzel, J., Irgmaier, F. & Pohle, J. (2018)

Nudging: Regulierung durch Big Data und Verhaltenswissenschaften

more information

Grafenstein, M. v. (2018)

Transfers of Personal Data to Third Countries: Certification Mechanisms, Binding Corporate Rules, and Codes of Conduct as Suitable Alternatives to the ‘Adequacy Decision’?

Privacy and Cyber Security on the Books and on the Ground, 1 (1). more information

Grafenstein, M. v. (2017)

Serious Games as a Tool for Privacy-by-Design

Digital Society Blog. more information

Grafenstein, M. v. (2017)

Datenschutz fit für das digitale Zeitalter: Jan Phillip Albrecht im Interview

more information

Grafenstein, M. v. (2016)

Legal Hackathon: „Building Standards of Privacy- and Security-by-Design for the IoT”

Digital Society Blog. more information

Grafenstein, M. v. (2015)

Legal support for Startups on a Global Scale – iLINC, the European Network of ICT Law Incubators

Digital Society Blog. more information

Grafenstein, M. v. (2015)

Keine Innovation ohne Investition: Ein Dilemma der klassischen Medienindustrie

Digital Society Blog. more information

Grafenstein, M. v. (2015)

Plattformträger für «Mobiles Museum in Berlin» gesucht!

Digital Society Blog. more information

Grafenstein, M. v. (2015)

Start-ups and Data Protection – Purpose Specification and Limitation

iLINC Policy Briefs. more information

Grafenstein, M. v., & Wunderlich, L. (2015)

A Concept Study for Privacy Icons Representing Different Privacy Risks

Zenodo. more information

Grafenstein, M. v. (2014)

Audiovisuelle Medien und ihre Produzenten auf dem Weg in das ‘digitale Zeitalter’

Digital Society Blog. more information

Grafenstein, M. v. (2014)

re:publica und MEDIA CONVENTION: Politische Netzdebatte vs. Kommerzialisierung?

Digital Society Blog. more information

Grafenstein, M. v. (2014)

Planung vs. explorative Entwicklung

Digital Society Blog. more information

Grafenstein, M. v. (2014)

Schutzinstrumente für oder gegen Innovation

Digital Society Blog. more information

Benefit from our research apparatus
Get in touch with our research team
Discover more
for endusers

Consent Agent

Consenter is a highly advanced and consumer-friendly consent agent that allows you to give and manage your consent across services and contexts for free

Learn more
for service providers

Consent Banner

As a service provider, regain your users’ trust with the 100% GDPR-compliant and easily integrable Consent Banner and enhance your data driven innovations

Learn more
for technology providers

Third Party Assessment

As a third-party service provider, proving GDPR-compliance to your business customers increases legal certainty on all ends and makes you stand out from your competitors

Learn more
for service providers

Data protection 
certificate

Achieve maximum legal certainty for your service and demonstrate compliance to your users, competitors and data protection authorities in a ressource-saving certification process

Learn more
ImprintPrivacy PolicyAbout Law & Innovation Technology
Consenter © 2025 | by Law & Innovation Technology