Beyond the ‘Brussels Effect’? Kenya’s Data Protection Act (DPA) 2019 and the European Union’s General Data Protection Regulation (GDPR) 2018


Hellen Mukiri-Smith and Ronald Leenes

This paper conducts an analysis of several key provisions of the Kenyan Data Protection Act 2019 (DPA) and the European Union’s General Data Protection Regulation (GDPR) 2018. Analysis is carried out through the lens of ‘the Brussels Effect’ theory developed by Anu Bradford to understand ways in which the GDPR has impacted the development and content of the DPA, and areas where the DPA is different from the GDPR. We argue that while the DPA has been influenced by the Brussels effect, other country specific contextual factors including ‘the Huduma Effect’ have helped to shape the DPA.

Key Words: Data Governance | GDPR | Kenya Data Protection Act | Brussel’s Effect | Huduma Effect and Other Contextual Influences

Mukiri-Smith, H. , & Leenes, R. Beyond the ‘Brussels Effect’? Kenya’s Data Protection Act (DPA) 2019 and the European Union’s General Data Protection Regulation (GDPR) 2018`, European Data Protection Law Review, Jahrgang 7, Ausgabe 4 (2021), pp. 502 – 519, DOI:

The Ghost in the Machine – Emotionally Intelligent Conversational Agents and the Failure to Regulate ‘Deception by Design’


Pauline Kuss* and Ronald Leenes**

Abstract Google’s Duplex illustrates the great strides made in AI to provide synthetic agents the capabilities to intuitive and seemingly natural human- machine interaction, fostering a growing acceptance of AI systems as social actors. Following BJ Fogg’s captology framework, we analyse the persuasive and potentially manipulative power of emotionally intelligent conversational agents (EICAs). By definition, human-sounding conversational agents are ‘designed to deceive’. They do so on the basis of vast amounts of information about the individual they are interacting with. We argue that although the current data protection and privacy framework in the EU offers some protection against manipulative conversational agents, the real upcoming issues are not acknowledged in regulation yet.

Google Duplex; conversational agent; persuasion; manipulation; regulatory failure

Pauline Kuss and Ronald Leenes, The Ghost in the Machine – Emotionally Intelligent Conversational Agents and the Failure to Regulate ‘Deception by Design’, 17 Script-ed 12, Aug 2020

Regulating New Technologies in Times of Change


Ronald Leenes, Regulating New Technologies in Times of Change, in: L. Reins (ed.), Regulating New Technologies in Uncertain Times, T.M.C. Asser Press, 2019, pp. 3-17,

Abstract This chapter provides an introduction to the overarching topic and question of this volume on how and whether to regulate new technologies in times of change. It introduces the regulating technology (development) model.

Keywords regulation technology innovation Law of the Horse

download a copy

The ‘rule of law’ implications of data-driven decision-making: a techno-regulatory perspective


Emre Bayamlıoğlu & Ronald Leenes (2018) The ‘rule of law’ implications of data-driven decision-making: a techno-regulatory perspective, Law, Innovation and Technology, 10:2, 295-313, get your free copy here: DOI: 10.1080/17579961.2018.1527475

Techno-regulation is a prominent mechanism for regulating human behaviour. One type of techno-regulation concerns automated decision-making with legal effects. While automated decision-making (ADM) systems in the public domain have traditionally been based on conscious design of decisional norms, increasingly, Data Science methodologies are used to devise these norms. This data-driven approach causes frictions with the underlying principle of public-sector decision-making, namely adherence to the rule of law. In this paper we discuss three major challenges data-driven ADM poses to the Rule Law: law as a normative enterprise, law as a causative enterprise and law as a moral enterprise.

KEYWORDS: Techno-regulation, automated decision-making, rule of law

De anti-doping en data protectie trilogie


De Wet uitvoering antidopingbeleid: De gespannen relatie tussen anti-dopingmaatregelen en gegevensbescherming, deel 1- de anti-doping wereld
van der Sloot, B., Paun, M. & Leenes, R. 2017 In : Privacy & Informatie. 2017-1

De Wet uitvoering antidopingbeleid: De gespannen relatie tussen anti-dopingmaatregelen en gegevensbescherming, deel 2
van der Sloot, B., Paun, M. & Leenes, R. 2017 In : Privacy en informatie. 2017-3

De Wet uitvoering antidopingbeleid: De gespannen relatie tussen anti-dopingmaatregelen en gegevensbescherming, deel 3 
van der Sloot, B., Paun, M. & Leenes, R. 2017 In : Privacy & Informatie.

Regulatory challenges of robotics: some guidelines for addressing legal and ethical issues


Ronald Leenes, Erica Palmerini, Bert-Jaap Koops, Andrea Bertolini, Pericle Salvini & Federica Lucivero, Regulatory challenges of robotics: some guidelines for addressing legal and ethical issues, Law, Innovation and Technology, Pages 1-44 | Received 01 Mar 2017, Accepted 07 Mar 2017, Published online: 23 Mar 2017, free download at

Robots are slowly, but certainly, entering people’s professional and private lives. They require the attention of regulators due to the challenges they present to existing legal frameworks and the new legal and ethical questions they raise. This paper discusses four major regulatory dilemmas in the field of robotics: how to keep up with technological advances; how to strike a balance between stimulating innovation and the protection of fundamental rights and values; whether to affirm prevalent social norms or nudge social norms in a different direction; and, how to balance effectiveness versus legitimacy in techno-regulation. The four dilemmas are each treated in the context of a particular modality of regulation: law, market, social norms, and technology as a regulatory tool; and for each, we focus on particular topics – such as liability, privacy, and autonomy – that often feature as the major issues requiring regulatory attention. The paper then highlights the role and potential of the European framework of rights and values, responsible research and innovation, smart regulation and soft law as means of dealing with the dilemmas.

KEYWORDS: Robotics, regulation, regulatory dilemmas, technology regulation, smart regulation, responsible innovation, soft law

Enhancing accountability in the cloud


Martin Gilje Jaatun, Siani Pearson, Frédéric Gittler, Ronald Leenes, Maartje Niezen, Enhancing accountability in the cloud, International Journal of Information Management (2016),

This article focuses on the role of accountability within information management, particularly in cloud computing contexts. Key to this notion is that an accountable Cloud Provider must demonstrate both willingness and capacity for being a responsible steward of other people’s data. More generally, the notion of accountability is defined as it applies to the cloud, and a conceptual model is presented related to the provision of accountability of cloud services. This allows a consideration of accountability at various different levels of abstraction, including the operationalisation of accountability. It is underpinned by fundamental requirements for strong accountability, which in particular are aimed at avoiding risks in the provision and verification of accounts (that include different types of accountability evidence and notifications, that may need to be provided to other cloud actors including data subjects, cloud customers and regulators). In addition, the article sketches what kind of tools, mechanisms and guidelines support this in practice, and discusses these in the light of the upcoming European Data Protection Regulation.

Under Observation: The Interplay Between eHealth and Surveillance


Samantha Adams, Nadezhda Purtova, Ronald Leenes, Under Observation: The Interplay Between eHealth and Surveillance, Dordrecht, etc: Springer, 2017, DOI: 10.1007/978-3-319-48342-9,

The essays in this book clarify the technical, legal, ethical, and social aspects of the interaction between eHealth technologies and surveillance practices. The book starts out by presenting a theoretical framework on eHealth and surveillance, followed by an introduction to the various ideas on eHealth and surveillance explored in the subsequent chapters. Issues addressed in the chapters include privacy and data protection, social acceptance of eHealth, cost-effective and innovative healthcare, as well as the privacy aspects of employee wellness programs using eHealth, the use of mobile health app data by insurance companies, advertising industry and law enforcement, and the ethics of Big Data use in healthcare. A closing chapter draws on the previous content to explore the notion that people are ‘under observation’, bringing together two hitherto unrelated streams of scholarship interested in observation: eHealth and surveillance studies. In short, the book represents a first essential step towards cross-fertilization and offers new insights into the legal, ethical and social significance of being ‘under observation’.

The Cookiewars – From regulatory failure to user empowerment?


The European regulator has relatively early on seen the potential privacy harms of cookies as means to facilitate the tracking and tracing of individuals as the browse the internet. The ePrivacy Directive regulates the use of cookies (amongst other mechanisms) in this respect, requiring the affected individual’s informed consent. The regulation has, so far, not been very successful in limiting the amount of tracking and tracing of individuals (primarily for the purpose of personalised, or behavioural advertising). It has been strongly opposed by the relevant industries, has seen a very low level of compliance and where compliance exists has been very slow in the making. Furthermore, ironically, the regulatory benefactors, individuals, have also opposed the regulation.

The battle to stop the unconsented tracking \& tracing of individuals seems particualrly lost now that the implementation of the cookie law’s requirement by and large seems to have moved from requiring the individual’s consent for the placement and use of cookies (thus providing the individual with a choice not to be tracked) to a mere acknowledgement that cookies will be used (and hence individuals will be traced, no matter what they want). The industry has succeeded in completely subverting and undermining the regulation’s aim. The ‘cookie law’ can thus be seen as an example of regulatory failure in the domain of privacy and data protection.

However, the cavalry might be around the corner. Although ad-blockers, which by and large also block tracking-cookies from being installed on the user equipment, have been around for some years, their use was until recently confined to techies and nerds. In the last couple of years this has been changing. Ironically, the popularity of Google Chrome goes hand in hand with the rise of ad-blockers on desktops (and laptops). Until recently, ad-blockers did not exist on one of the most important platforms for advertising revenues, iOS. This has changed with the launch of iOS 9 in mid September 2015. Suddenly ad-blockers are clearly on everyones agenda, either as threat or blessing. The adoption rate of both iOS 9 and Safari ad-blockers is stunning and might represent a significant factor to change the ad and tracing game altogether.

This contribution explores the ongoing cookie-wars by discussing the move from regulation to the market and code as modalities for the regulation of human behaviour.

Ronald Leenes (2015), The Cookiewars – From regulatory failure to user empowerment?, in: Marc van Lieshout & Jaap-Henk Hoepman (eds), The Privacy & Identity Lab; 4 years later, Nijmegen: The Privacy & Identity Lab, pp. 31-49, ISBN: 978-90-824835-0-5. available here:

The Governance of Cybersecurity


The Governance of Cybersecurity: A comparative quick scan of approaches in Canada, Estonia, Germany, the Netherlands and the UK, Adams, S., Brokx, M., Dalla Corte, L., Savic, M., Kala, K., Koops, B. J., Leenes, R., Schellekens, M., E Silva, K. & Skorvánek, I. Nov 2015 Tilburg University. 166 p.