Dr Samson Esayas is an Associate Professor at BI Norwegian Business School and a Faculty Associate at Harvard University’s Berkman Klein Center for Internet and Society. He specialises in teaching data protection law, AI regulation, and competition law at BI and has previously taught at the University of Oslo and Queen Mary University of London. He has extensive experience working on several EU and Norwegian government financed research projects dealing with regulatory aspects of various technologies. His research explores the power dynamics stemming from control over data and mediated communications, with a focus on how these evolving power paradigms are addressed by competition and data privacy law. Dr Esayas has published in several renowned journals covering these issues and his work has received international recognition, including the FPF Privacy Papers for Policymakers Award. He earned his PhD from the University of Oslo in 2020 and his dissertation was awarded His Majesty the King’s Gold Medal for outstanding research in 2021. His book on the Interface between data privacy law and competition law is scheduled for publication by Oxford University Press in 2024. He was a visiting researcher at the Berkman Klein Center in 2023 where he collaborated on a project that seeks to offer a global perspective on the societal impacts of AI and its governance.
Esayas, Samson Yoseph & Hauglid, Mathias K. (2024)
Public Sector Digitalisation in Norway: Current Trends and Challenges in the Legal Framework
Motzfeldt, Hanne Marie (red.). Public Digitalisation in a Legal Perspective: Status, Challenges and Opportunities for Nordic-Baltic Cooperation
This chapter explores Norway's public digitalization efforts, assessing the effectiveness of legislative and policy measures in advancing the public sector's digitalization and examining the adequacy of safeguards for fundamental rights. Norway stands out for its highly digitalized public sector, a result of strategic legislative and policy initiatives promoting a digital-friendly environment. We pinpoint three key areas of focus in these endeavors. First, there have been numerous legislative initiatives enabling profiling and automated decision making in public agencies. While driven by efficiency objectives, these initiatives tend to be seen as tools to promote equal treatment. Second, changes have been made to counter challenges in data reuse hindering digital transformation and Artificial Intelligence (AI) implementation. Third, the advocacy for regulatory sandboxes emerges as a powerful force for experimentation and learning, with platforms like the Sandbox for Responsible AI setting examples. Despite the progress, challenges persist. Firstly, most initiatives focus on enabling decisions via hard-coded software, often neglecting advanced AI systems designed for decision support. Secondly, discretionary criteria in public administration law and semantic discrepancies across sector-specific regulations continue to be a stumbling block for automation and streamlined service delivery. Importantly, few laws directly tackle the challenges digitalization presents to fundamental democratic values and rights, due to a fragmented, sector-focused approach. Furthermore, we assess the AI Act's potential to facilitate AI implementation while redressing national law gaps concerning human rights and boosting AI use in public agencies. The Act places public administration under sharp scrutiny, as the bulk of the prohibitions and high-risk AI applications target the public sector’s use of AI. This focus promises to enhance the protection of individuals in this domain, especially concerning transparency, privacy, data protection, and anti-discrimination. Yet, we identify a potential conflict between the AI Act and a tendency in the Norwegian legal framework to restrict the use of AI for certain purposes. Finally, we put forth recommendations to boost digitalization while safeguarding human rights. Legislative actions should pave the way for the integration of advanced AI systems intended for decision support. There is a need for coordination of sector-specific initiatives and assessment of their impact on fundamental rights. To amplify these national endeavors, we point out areas where cross-border collaborations in the Nordic-Baltic regions could be vital, emphasizing data sharing, and learning from successful projects. Regulatory sandboxes offer another promising avenue for collaboration. With its considerable experience in sandboxes tailored for responsible AI, Norway stands as a beacon for other nations in the Nordic and Baltic regions.
Esayas, Samson Yoseph (2023)
The Important Role of Emergence in Conceptualizing the Challenges of New Technologies to Private Law
European Review of Private Law, 31(4), s. 779- 822.
Consider the following legal quandaries: a victim of a wrongdoing without a perpetrator, a work of art without an author, or the possibility that the sum of legally compliant behaviors give rise to non-compliance. Welcome to the world of emergence in law. The concept of emergent properties is central to systems thinking. It is commonly expressed as “the whole is more than the sum of its parts” where the “whole” represents the “emergent property.” This concept helps us understand how complexity emerges and allows systems engineers to look beyond the properties of individual components of a system and understand the system as a complex whole. In practice, this way of thinking militates against two kinds of fallacies: the fallacy of composition and the fallacy of division. The former occurs when one wrongfully attributes the properties of the component parts to the system as a whole whereas the latter arises when one wrongfully attributes the properties of the system as a whole to component parts. I argue that emergence provides an overarching framework to explain the challenges that technological developments associated with big data, artificial intelligence (AI) and robotics pose for different domains of private law, including privacy, data protection, IP, and tort laws. By creating new objects, possibilities for new action and new relationships, changes associated with the above technologies encourage the formation of emergent properties, which in turn pose attribution challenges for these legal domains. Two attribution challenges are particularly noteworthy. If we fail to address them properly, they may lead to the fallacies of composition and/or division. Further, emergence may help explain some of the regulatory responses and suggestions provoked by changes associated with the above technologies. For example, emergence and the desire to avoid the fallacy of division can explain suggestions to grant AI systems some form of legal (electronic) personhood and thereby bestow legal responsibility or entitlement on them. Thus, one way the law might usefully adapt during times of technological change would be by taking emergence seriously. This includes recognizing the possibility that the sum of fully complaint behaviours may create behaviour that is not compliant or not in the spirit of the law. Taking emergence seriously would also include being open to the prospect of a harm or legal entitlement existing without a perpetrator or a rightholder and finding new ways to address this prospect.
Esayas, Samson Yoseph (2019)
Privacy-As-A-Quality Parameter of Competition
Lundqvist, Björn & Gal, Michal (red.). Competition Law for the Digital Economy
Recent decisions from the European Commission recognise privacy as an important parameter of non-price (quality) competition in markets for communication services and professional social networks. This development acknowledges that privacy could be subject to competition as an element of quality, choice or innovation and thus a merger can reduce the incentives to compete based on this parameter. However, there is much uncertainty and scepticism as to what constitutes reduction in privacy, the incentive to reduce privacy and the ultimate anticompetitive effect of such a reduction. This chapter identifies and reflects on some of these uncertainties and scepticisms surrounding the privacy-as-a-quality parameter, including the lack of a link between privacy harms and accumulation of too much information; the lack of economic incentive to reduce privacy; the alleged trade-off between privacy harms and other quality improvements; and the role that data privacy law can play in understanding the degradation of privacy.
Esayas, Samson Yoseph (2019)
Data Privacy in European Merger Control: Critical Analysis of Commission Decisions Regarding Privacy as a Non-Price Competition
In recent years, privacy has started to attract considerable attention in competition discussions, particularly in mergers involving data-rich industries. Prime examples of such mergers include Google/DoubleClick, Facebook/WhatsApp and the recent acquisition of LinkedIn by Microsoft. Given the central role that personal data plays in these mergers and associated privacy concerns for users, competition authorities have started to experiment with ways to incorporate privacy into merger assessment. One emerging approach is to factor in privacy as a non-price competition parameter. In its merger decisions involving Facebook/WhatsApp and subsequently Microsoft/LinkedIn, the European Commission held that data privacy constitutes a key parameter of non-price competition in the market for consumer communications and for professional social networks. This article provides a critical analysis of these decisions regarding the competition in privacy and Privacy Enhancing Technologies (PETs). The analysis is conducted from two angles: one looking at the Commission’s approach in defining the market, particularly on how competition in privacy and PETs is manifested and when two firms are considered competitors based on these parameters and thereby of interest to competition law. The second angle takes aim at the competitive assessment and the theories of harm, particularly when a merger is considered to lead to reduction in privacy as a non-price competition parameter. The article maintains that the Commission’s decision in Microsoft/LinkedIn represents a step forward in the discussion of privacy as a non-price (quality) competition parameter and the use of market power to harm such competition.
Esayas, Samson Yoseph & Svantesson, Dan Jerker B. (2018)
Digital Platforms under Fire – What Australia Can Learn from Recent Developments in Europe
There is a clear trend of a hardening attitude towards digital platforms. In Australia this trend is exemplified by the Australian Competition and Consumer Commission’s current inquiry specifically into digital platforms. Further, it can also be seen in court decisions. Having discussed one such court decision, we give a brief overview of the Australian Competition and Consumer Commission’s digital platforms inquiry. We then seek to bring attention to a selection of particularly relevant European developments that may usefully inform how Australia proceeds in this arena and that may be considered in the Australian Competition and Consumer Commission’s final report due to be provided to the Treasurer on 3 June 2019.
Esayas, Samson Yoseph (2018)
Competition in (data) privacy: 'zero'-price markets, market power, and the role of competition law
Firms compete by offering consumers lower prices but also high-quality products, and a wide range of choices. With the increasing commercialization of personal, there is a growing consensus that the level of privacy protection and deployment of Privacy Enhancing Technologies (PETs) could be subject to competition, as an element of quality, choice or innovation. A case in point is the recognition by the European Commission that data privacy constitutes a key parameter of non-price (quality) competition in markets for consumer communications and professional social networks. This development signifies that market power may be exerted by reducing the level of data privacy and foreclosing competition on PETs deployment. Despite this, how market power affects competition on privacy and PETs remains unclear. This is partially because microeconomic theory offers little help in predicting how market power or lack thereof affects quality (including choice and innovation). The aim of this article is to examine how market power in the underlying services that generate data impacts competition in data privacy and whether the proxies for assessing market power in these underlying services cater to data privacy interests. To this end, first, the article begins by highlighting some emerging but inconclusive literature shedding some light on the link between market structure and competition in data privacy. Secondly, the article identifies and discusses the structural and behavioural considerations that might hinder effective competition through data privacy and PETs. Finally, it examines the role that competition law can play in promoting and maintaining such competition.
Esayas, Samson Yoseph & Daly, Angela (2018)
The Proposed Australian Consumer Right to Access and Use Data: A European Comparison
European Competition and Regulatory Law Review (CoRe), 2(3), s. 187- 202. Doi: 10.21552/core/2018/3/6
This article examines the new Australian consumer Comprehensive right to access and use data, also known as the Consumer Data Right, recently proposed by the Australian Productivity Commission, and adopts a comparative analysis with data protection, competition and consumer developments in the European Union (EU). Firstly, a brief overview is given of the legal context and relevant Big Data developments in Australia. Then, current EU developments, particularly the data portability right under the General Data Protection Regulation (GDPR), and recent proposals from the Commission aiming at fostering access and transfer of data including the data producer’s right to use and authorise the data and the portability of non-personal data for professional users are considered. This is followed by an explanation of the Australian Productivity Commission’s proposed Consumer Right to access and use data, before an analysis is conducted to understand the extent to which this proposed right accords with the European situation. Given the coming into force of the GDPR and its extraterritorial reach, and the EU-Australia Free Trade Agreement currently under negotiation, as well as the transnational reach of Big Data and Cloud services, standardisation across the two jurisdictions is desirable. In this regard, the article examines to what extent the recent initiatives contribute to such standardisation and their implications for the extent to which Australia’s legal framework for data may be considered ‘adequate’ by the EU.
Esayas, Samson Yoseph (2017)
Competition in Dissimilarity: Lessons in Privacy from the Facebook/WhatsApp Merger
CPI Antitrust Chronicle, 1(2), s. 57- 64.
This note comments on the Commission’s decision in the Facebook/WhatsApp merger regarding the competition in privacy and privacy policies between the two firms. In assessing the competition between WhatsApp and Facebook Messenger, the Commission used the differences in privacy policies as a factor that makes the messaging services complementary rather than competitors. The Commission’s approach is based on the conventional view that the more identical the products are, the more substitutable they are and the more fiercely they compete. This article questions the application of such an approach to competition in privacy. First, if privacy and data security are competition parameters, one way this competition can be manifested is through deploying privacy enhancing technology (e.g. end-to-end encryption) and privacy policies (offering better conditions of data collection and processing). Thus, when it comes to privacy and privacy policies, dissimilarity either in the technology or policy can be just the beginning of a competition that exerts competitive pressure on others, rather than make the firms complementary. Secondly, when a service attempts to draw users from an established network by offering superior privacy, the existence of an established network such as Facebook, albeit with a different privacy policy, can still discipline the former’s behavior.
Esayas, Samson Yoseph (2017)
The Idea of ‘Emergent Properties’ in Data Privacy: Towards a Holistic Approach
‘The whole is more than the sum of its parts.’1 This article applies lessons from the concept of ‘emergent properties’ in systems for data privacy law. This concept, rooted in the Aristotelian dictum ‘the whole is more than the sum of its parts’, where the ‘whole’ represents the ‘emergent property’, allows systems engineers to look beyond the properties of individual components of a system and understand the system as a single complex. Applying this concept, the article argues that the current European Union data privacy rules focus on individual Processing activity based on a specific and legitimate purpose, with little or no attention to the totality of the processing activities—ie the whole—based on separate purposes. This implies that when an entity processes personal data for multiple purposes, each Processing must comply with the data privacy principles separately, in light of the specific purpose and the relevant legal basis. This (atomized) approach is premised on two underlying assumptions: (i) distinguishing among different processing activities and relating every piece of personal data to a particular processing is possible, and (ii) if each processing is compliant, the data privacy rights of individuals are not endangered. However, these assumptions are untenable in an era where companies process personal data for a panoply of purposes, where almost all processing generates personal data and where data are combined across several processing activities. These practices blur the lines between different processing activities and complicate attributing every piece of data to a particular processing. Moreover, when entities engage in these practices, there are privacy interests independent of and/or in combination with the individual processing activities. Informed by the discussion about emergent property, the article calls for a holistic approach with enhanced responsibility for certain actors based on the totality of the Processing activities and data aggregation practices.
The following article evaluates two models for providing purchasers of online digital content, including cloud computing services, with visual notice of contract terms and data collection practises. Visualisation of contract terms and privacy policies has the potential to provide cloud consumers with an improved means of understanding the contract terms they are accepting when entering into an agreement with a Cloud Service Provider (CSP). The following paper examines two concrete proposals or models for the visualisation of contract terms and privacy practises as compliance tools in the European context. The article focuses primarily on consumer and data protection law. Although the visualisation models are not currently binding or legally required, they start an important conversation on how such terms can be more effectively conveyed.
An integrated method for compliance and risk assessment
Samarati, Pierangela & Noubir, Guevara (red.). 2015 IEEE Conference on Communications and Network Security (CNS), Florence, 28-30 September, 2015
This paper presents an integrated method for risk and compliance assessment and its evaluation in a case study. The sophistication with which modern business is carried out and the unprecedented access to a global market means that businesses are exposed to diverse regulatory requirements in and across jurisdictions. Compliance with such requirements is practically challenging, partly due to the complexity of regulatory environments. One possibility in this regard is a riskbased approach to compliance where resources are allocated to those compliance issues that are most risky. Despite the need for risk-based compliance, few specific methods and techniques for identifying and modeling compliance risks have been developed. The lack of methodological and tool support means the compliance risk identification often involves unstructured brainstorming, with uncertain outcomes. As part of the integrated method, a structured approach for the identification of compliance risks and their graphical modelling is provided. The main goal of the structured approach is to facilitate the identification and assessment of compliance risks and their subsequent documentation in a consistent and reusable fashion. The method is applied in a case study with the aim of assessing the compliance concerns in adopting cloud services. Our experience in the case study demonstrates that the integrated method enables a better structuring in the identification of compliance risks and yields reusable results. As well, the method facilitates communication among different expertise and mitigates subjectivity in making compliance decisions.
Esayas, Samson Yoseph (2015)
The Role of Anonymisation and Pseudonymisation under the EU Data Privacy Rules: Beyond the ‘All or Nothing’ Approach
European Journal of Law and Technology, 6(2)
Substantial uncertainty exists on the role of anonymised or pseudonymised data in the data privacy discourse; this is all the more so as de-anonymisation science advances and the ubiquity of information increases. Such uncertainty affects not only the wider usage of such measures but also creates the temptation, both on the part of the entities and the individuals, to downplay privacy risks associated with anonymised or pseudonymised data. Crucial to mitigating such risks and promoting the use of anonymisation and pseudonymisation as privacy-enhancing techniques is understanding the role of such measures under data privacy rules. This article aims to contribute towards the achievement of such an objective by examining the role of anonymisation and pseudonymisation under the EU data privacy rules, particularly the Data Protection Directive, Regulation 611/2013, the eIDAS Regulation, and the proposed General Data Protection Regulation. This article identifies three major roles of anonymisation and pseudonymisation under the current and en route rules. First, anonymisation and pseudonymisation can serve as a safe harbour from the entire application of data privacy rules provided they are used to irreversibly prevent identification, although achieving this goal seems increasingly challenging in the current state of technological advancement. Second, anonymisation and pseudonymisation can provide a safe harbour from certain data privacy obligations, such as the notification of personal data breaches, provided they are engineered appropriately and complemented by adequate organisational measures. Third, anonymisation and pseudonymisation can constitute mandated measures for compliance with data privacy obligations, such as the data security and purpose specification and limitation principles. All legal perspectives are drawn at EU level, although examples are given from member states when relevant.
This article presents a structured and systematic approach for identifying and modelling compliance risks. The sophistication with which modern business is carried out and the unprecedented access to a global market means that businesses are exposed to increasing and diverse regulatory requirements in and across jurisdictions. Compliance with such requirements is practically challenging, partly due to the complexity of regulatory environments. One possibility in this regard is a risk-based approach to compliance, where resources are allocated to those compliance issues that are most risky. Despite the need for risk-based compliance, few specific methods and techniques for identifying and modelling compliance risks have been developed. Due to the lack of methodological and tool support, compliance risk identification often involves unstructured brainstorming, with uncertain outcomes. The proposed approach consists of a five-step process for the structured identification and assessment of compliance risks. This process aims at facilitating the identification of compliance risks and their documentation in a consistent and reusable fashion. As part of the process, the article provides a systematic approach for a graphical modelling of compliance risks, which aims at facilitating communication among experts from different backgrounds. The creation of graphical models can be partly automated based on natural language patterns for regulatory requirements. Furthermore, the structuring of the compliance requirement in a template aims at simplifying the modelling of compliance risks and facilitating a potential future automated model.
Esayas, Samson Yoseph (2015)
Breach Notification Requirements under the European Union Legal Framework: Convergence, Conflicts and Complexity in Compliance
The John Marshall Journal of Computer & Information Law, 31(3), s. 317- 368.
The European Union (EU) legal landscape on data privacy and information security is undergoing significant changes. A prominent legislative development in recent years is the introduction of breach notification requirements within a number of regulatory instruments. In only the past two years, the Community legislator has adopted, and proposed, four different regulatory instruments containing breach notification requirements. There are also existing requirements for the telecom sector. This creates a complex mesh of regulatory frameworks for breach notification where different aspects of the same breach within the same company might have to be dealt with under different regulatory instruments, making compliance with such requirements challenging. In this article, the existing and en route breach notification requirements under the EU legal framework are examined – elaborating their potential areas of convergence or conflict and the resulting complexity in compliance with such requirements. To this end, the article examines the scope of the notification regimes, the types of breaches, when a breach is considered to occur under the relevant rules, and the relevant requirements to notify stakeholders. Furthermore, the article examines why a proactive approach to compliance with breach notification requirements is essential and suggests the need to address breach notification requirements in conjunction with security risk analysis, which is being mandated in most of the regulatory instruments.
Esayas, Samson Yoseph (2014)
Structuring Compliance Risk Identification Using the CORAS Approach: Compliance as an Asset
O'Conner, Lisa (red.). Proceedings IEEE 25th International Symposium on Software Reliability Engineering Workshops ISSREW 2014, 3-6 November, 2014, Naples, Italy
The global scale of modern business and information technology enables companies to trade across borders but at the risk of being subject to laws in diverse jurisdictions. The regulatory requirements with which businesses have to comply are drastically increasing not only in sheer number but also in complexity, confronting businesses with the need to adapt to a complex, evolving regulatory environment. Crucial to a business’s survival and profitability in such environment are understanding and managing legal and compliance risks. This need has spurred significant recent interest in integrated governance, risk, and compliance (GRC) management. A central element in integrated GRC management is following a risk-based approach to compliance which prioritizes compliance requirements based on their level of risk. Despite the need for risk-based compliance, few specific methods or approaches for identifying compliance risks have been developed. This paper presents a structured method for identifying compliance risks from compliance requirements and the business environment.
Esayas, Samson Yoseph (2014)
Utilizing Security Risk Analysis and Security Testing in the Legal Domain
Bauer, Thomas; Grossman, Jürgen, Seehusen, Fredrik, Stølen, Ketil & Wendland, Marc-Florian (red.). Risk Assessment and Risk-Driven Testing. First International Workshop, RISK 2013. Held in Conjunction with ICTSS 2013, Istanbul, Turkey, November 12, 2013. Revised Selected Papers
In recent years, businesses have faced large regulatory fines as a result of information security breaches. This signifies the need for businesses to account for legal issues when addressing their information security risks and to ensure that their day-to-day business operations do not violate legal norms of relevance to information security, such as data privacy laws. This paper offers a twofold contribution to this issue. First, it purposes that organizations’ security risk analysis should be accompanied by an assessment of the legal implications of identified security risks. This enables organizations understand the associated legal risks they would face if the identified security risks were to materialize and prioritize the risks accordingly. Second, the paper underlines the need for security testing to support compliance checking. Particularly, the use of conformance testing would enhance organizations’ level of assurance regarding their compliance with legal norms of relevance to information security.
Esayas, Samson Yoseph (2014)
The IP Address Divide: The Quest of Developing Countries for an ITU-based Distribution Regime
There is discontentment among certain developing countries with regard to the geographical distribution of IPv4 addresses. They blame the IPv4 policies for creating an imbalanced distribution between developed and developing nations. With the introduction of IPv6, there are no signs of these concerns becoming things of the past, as evidenced in various initiatives that call for a UN-based address distribution regime. By reviewing the respective policies for IPv4 and IPv6 distribution, this article argues that at the heart of such concerns and initiatives lies the fact that the core policy features in IPv4 distribution, which are considered responsible for creating the imbalance, have made their way into IPv6 distribution policies. In addition, the assessment of other distribution alternatives reveals that an ITU-based IP address regime or at least the ITU-based proposals on the table thus far do not address the concerns raised by developing countries. Efforts to address such a concern should rather be directed at introducing policy options that would ensure a balanced distribution of IP addresses into the current regime. Ultimately, this article seeks to contribute to the discussion on future directions by suggesting a policy option that the current regime could embrace to alleviate such a genuine concern.
Esayas, Samson Yoseph (2012)
Running Out of Address Space: the Depletion of IPv4 Addresses and What it Entails for Developing Countries
Schartum, Dag Wiese & Bekken, Anne Gunn Berge (red.). Yulex 2012
Esayas, Samson Yoseph (2012)
A walk in to the cloud and cloudy it remains: The challenges and prospects of ‘processing’ and ‘transferring’ personal data
The EU AI Act: A Realtime Experiment to Regulating Generative AI
Medium [Kronikk]
This short piece explores the EU’s ongoing efforts to regulate generative AI. It examines how the EU has taken the lead in legislative endeavours regarding AI, why we must embed flexibility into laws regarding AI, what proactive measures can be taken for the future, and more. The essay is part of the Co-Designing Generative Futures series on Medium, curated by the Berkman Klein Center for Internet & Society at Harvard University. This series features a collection of multidisciplinary and transnational reflections and speculations about the transformative shifts brought on by generative artificial intelligence. These articles are authored by members of the Berkman Klein Center community and expand on discussions that began at the Co-Designing Generative Futures conference in May 2023.
Esayas, Samson Yoseph (2020)
Slik vil Kongressen i USA temme IT-gigantene
Rett24.no [Kronikk]
Esayas, Samson Yoseph (2018)
'Privacy experts warn parents against "sharenting"' ABC Australia
Regulering av KI i offentlig sektor – hva vi har, hva vi får og hva vi trenger
Rett24.no [Kronikk]
Kronikken utforsker hvordan eksisterende og kommende regelverk legger til rett for bruk av kunstig intelligens (KI) i offentlig sektor. Vi belyser to sentrale aspekter ved norsk lovgivning som støtter digitalisering, analyserer EU KI-forordningens (AI Act) innvirkning, og diskuterer ytterligere tiltak Norge bør implementere for å sikre ansvarlig bruk av KI.
An Integrated Approach for Compliance and Security Risk Assessment
Lov & Data [Kronikk]
Organizations that rely on ICT infrastructures need to maintain a high level of information security and protection from cyber-attacks. This is not only due to the self-interest of protecting business critical infrastructures; it is also due to laws that deal with information security. For this reason, technical and legal risks often need to be understood in combination. The RASEN project proposes an approach to integrate compliance and security risk assessment.
Licensing of Reuse of Judgments: Analysis of Selected European Jurisdictions
[Report]. Council of Europe.
Esayas, Samson Yoseph (2023)
Protecting Fundamental Rights in Age of AI: How Would the New EU AI Act Affect Your Business?
[Academic lecture]. Oslo Big Data Day.
Esayas, Samson Yoseph (2023)
The Commercialization of Personal Data and its Implications for Data Privacy Law and Competition Law
[Academic lecture]. The Norwegian Tax Administration (Skatteetaten).
Esayas, Samson Yoseph (2023)
Privacy Fixing (Cartel): The Evolving Frontier of Antitrust Law in the Wake of Texas v. Google LLC
[Academic lecture]. Privacy Law Scholars Conference (PLSC).
At the center of antitrust rules is the ban on price fixing or cartels. As users increasingly exchange their personal information for access to digital services — essentially 'paying' with their data —privacy concerns are attracting scrutiny as a potential arena for collusion. In a recent antitrust lawsuit led by Texas, Google is accused of “privacy fixing,” or coordinating with rivals to harm user privacy in violation of antitrust laws prohibiting cartels. The complaint cites several instances where Google allegedly attempted to influence Microsoft's privacy-related promotional activities, sought alignment on 'privacy goals and strategies' with rivals including Facebook and Microsoft and coordinated efforts to thwart privacy legislation. By examining this example, together with another involving Google and Eyeo, the owner of anti-tracking and ad-blocking software Adblock Plus, this paper seeks to shed light into the emerging concept of privacy fixing and its place in antitrust. This includes exploring why digital companies may find it worthwhile to fix the level of privacy, how this may harm consumers, and the extent to which antitrust law can tackle such harms. The discussions reveal that how these examples of privacy fixing could fit into existing precedents that both restrict advertising and prohibit collaborative efforts leading to uniform trading conditions. Similarly, while antitrust rules offer companies with some immunity from antitrust liability for joint lobbying efforts and subsequent government-imposed restrictions on competition, such immunity does not extend to actions that simply serve as a facade to interfere directly with a competitor's business relationships. Moreover, the examples illustrate the vital role antitrust laws can play in protecting user privacy by tackling supply-side issues arising from anti-competitive collaboration. Addressing privacy concerns within the realm of antitrust does not signify an expansion of antitrust regulations' scope to compensate for data protection legislation shortcomings. Instead, it highlights that certain privacy-related harms fall squarely within the purview of antitrust, for which data privacy legislation alone cannot provide an adequate solution.
Esayas, Samson Yoseph (2023)
Digital Services Act (DSA) & Digital Markets Act (DMA), DPA, AI Act → Policy-Making
[Academic lecture]. Co-Designing Generative Futures: A Global Conversation About AI.
Esayas, Samson Yoseph (2023)
The Next Regulatory Frontier
[Academic lecture]. Co-Designing Generative Futures: A Global Conversation About AI.
Inclusive AI regulation: Perspectives from four continents
[Academic lecture]. Internet Governance Forum 2022.
The diffusion of artificial intelligence (AI) tools in the daily life of several societies urge regulations that embrace its global character, with a lens for inclusion and diversity, so that technology works as a tool for achieving the Sustainable Development Goals (SDGs). In view of the benefits and harms of AI, it is imperative to focus on propositional debates, in order to enhance the positive aspects and diminish the destructive potential of technology through regulation. This panel should follow on a major global endeavor from the proponents and will bring multiple perspectives and regulatory backgrounds to debate the relationship between inclusion and AI regulation. The aim is to leverage globally diverse viewpoints, and practical experience, thereby contributing to the development of regulatory efforts of AI technologies to foster inclusion and diversity. The main questions to be addressed on the panel are: What are the salient concerns and drivers of the AI governance discourse related to inclusion and diversity in your region? Are the main stakeholders participating in the debate on AI regulation? Are their aspirations contemplated? Are there outside key actors who should be included in the regulatory and governance process? What do you think other regions can learn from the initiatives and responses from your region? How do you see (and hope to see) the discourse developing in your region in the coming years? The session will explore a two part methodology, one thought-provoking experience and a second interactive. In the first part, the dynamic will be an exchange between the panelists, focusing on the proposed questions from their regional perspectives. In the second part, the floor will be opened to the audience. Individuals will be able to bring forward their perceptions regarding the future of inclusive regulation for AI. Throughout the whole session, there will be a digital mural where people may present their views of inclusive regulation of AI. The moderator and the rapporteur will be in charge of cataloging the perceptions and insights noted starting with the 4 speakers and moving on with the speakers. In the end we should have a cloud of words and map of perceptions.
Esayas, Samson Yoseph (2022)
Inclusive AI Regulation: Prespectives from the European Union
[Academic lecture]. Internet Governance Forum 2022.
Esayas, Samson Yoseph (2022)
Artificial Intelligence and Fundamental Rights: The Dawn of New Regulation
[Academic lecture]. dScience lunch seminar.
In the last few years, we have seen widespread adoption of artificial intelligence (AI) both by private and public agencies. Increasingly, AI is used to make important decisions including whom to hire for a job, what unemployment benefits someone gets, predicting where or when a crime might occur, whether a defendant is likely to re-offend and ought to be denied bail, how long a person might be in jail, whether someone is at risk of cancer, or who sees an advertisement for a specific job. While these uses generate some societal gains, they also raise several concerns about the fundamental rights of individuals due to the lack of transparency of the systems, risks of discrimination, and manipulation. Despite the heightened risks to fundamental rights, AI governance discourse has primarily focused on ethical frameworks and a patchwork of data and consumer protection rules. This is changing, and we are now seeing countries enacting laws specifically targeting AI. For example, in April 2021, the European Commission presented a proposal for a Regulation on AI. This is the first initiative towards a comprehensive legal framework on AI in the world and aims to guarantee the highest level of protection for fundamental rights and safety while promoting innovation. In this talk, we will look at some of the challenges to fundamental rights resulting from the increasing deployment of AI and how the draft EU AI Act tries to tackle some of the concerns.
Esayas, Samson Yoseph (2022)
The Commercialization of Personal Data and its Implications for Data Privacy Law and Competition Law
[Academic lecture]. Årlige møtet ved Kommunal- og distriktsdepartementet.
Emergent Competitive Harms in Digital Platforms: The Need for a Holistic Approach
[Academic lecture]. 17 Academic Society for Competition Law Conference.
Esayas, Samson Yoseph (2021)
The Commercialization of Personal Data and its Implications for Data Privacy Law and Competition Law
[Academic lecture]. Faglig Påfyll Datatilsynet.
Esayas, Samson Yoseph (2021)
Personal Data as the ‘New Oil’: Implications for the Intersection between Competition & Data Protection Law
[Academic lecture]. Webinar.
Esayas, Samson Yoseph (2021)
The Digital Markets Act (DMA)
[Academic lecture]. Webinar.
Esayas, Samson Yoseph (2020)
Privacy as a Non-Price Parameter: Implications for the Interface between Data Privacy & Competition Law
[Academic lecture]. ASCOLA Nordic Webinar.
Esayas, Samson Yoseph (2018)
Market Power in 'Zero' Price Markets and Competition in (Data) Privacy
[Academic lecture]. Amsterdam Privacy Conference.
Esayas, Samson Yoseph (2018)
Privacy as a Non-Price Competition Parameter: Theories of Harm in Mergers
[Academic lecture]. International Conference on Competition, Digital Platforms and Big Data.
It is widely accepted that firms compete by offering consumers lower prices, high-quality products, and a wide range of choices. With the increasing commercialization of personal, there is now a growing consensus that the level of privacy protection and deployment of Privacy Enhancing Technologies (PETs) could be subject to competition by companies. A case in point is the recognition by the European Commission that data privacy constitutes a key parameter of non-price competition in the market for consumer communications and for professional social networks. This approach treats privacy as a quality, choice or innovation component of the product/service offered to consumers and certain privacy harms as reductions in these parameters that need to be accounted for in the competition analysis. However, little attention has been paid in laying out a concrete theory of harm that outlines how data privacy can be incorporated into competition analysis as a non-price parameter and what constitutes reduction in privacy. This paper is an attempt to fill in this apparent gap. To this end, the paper provides a critical analysis, in light of EU competition law, of three theories harm for incorporating privacy as a non-price competition parameter into merger assessment, namely the privacy-as-a-quality, the consumer choice theory and the maverick-firm theory. Additionally, the paper examines what dimensions of privacy are relevant for competition and what is the (added) value of incorporating privacy into competition analysis.
Esayas, Samson Yoseph (2018)
THE SURVEILLANCE SOCIETY: For Profit Surveillance
[Academic lecture]. Public seminar.
Esayas, Samson Yoseph (2018)
The Commercialization of Personal Data and its Theoretical and Practical Implications for Data Privacy Law and Competition Law
[Academic lecture]. Internal seminar.
Esayas, Samson Yoseph (2018)
The Commercialization of Personal Data and the Idea of Emergent Properties in Data Privacy Law
[Academic lecture]. Lunch seminar.
Esayas, Samson Yoseph (2018)
The Commercialization of Personal Data and its Implications for Data Privacy Law
[Academic lecture]. Guest lecture.
Esayas, Samson Yoseph (2017)
Commercialization of Personal Data and its Implications for the Foundations and Policy Boundaries of Data Privacy Law and Competition Law
[Academic lecture]. Nordic Academic Network in Competition Law Conferenc.
Esayas, Samson Yoseph (2017)
Competition Law: Its Impact on Data Sharing and the Data Economy
[Academic lecture]. XXXII Nordic Conference on Legal Informatics.
Esayas, Samson Yoseph (2017)
Reigning in FinTech through Data Protection Law and Competition Law
[Academic lecture]. Jon Bing Seminar.
Esayas, Samson Yoseph (2015)
An Integrated Method for Compliance and Risk Assessment: Experiences from a Case Study
[Academic lecture]. 2015 IEEE CNS.
Esayas, Samson Yoseph (2015)
The Role of Anonymisation and Pseudonymisation under the EU Data Privacy Rules
[Academic lecture]. Public Seminar on Legal Aspects of Cloud Computing.
Esayas, Samson Yoseph (2014)
What's With the 32-Bit Numbers That the Internet Keeps Defying?
[Article in business/trade/industry journal]. CircleID Internet Infrastructure
Esayas, Samson Yoseph (2013)
Utilizing Security Risk Analysis and Security Testing in the Legal Domain
[Academic lecture]. 1st International Workshop on Risk Assessment and Risk-driven Testing (RISK).
In recent years, businesses have faced large regulatory fines as a result of information security breaches. This signifies the need for businesses to account for legal issues when addressing their information security risks and to ensure that their day-to-day business operations do not violate legal norms of relevance to information security, such as data privacy laws. This paper offers a twofold contribution to this issue. First, it purposes that organizations’ security risk analysis should be accompanied by an assessment of the legal implications of identified security risks. This enables organizations understand the associated legal risks they would face if the identified security risks were to materialize and prioritize the risks accordingly. Second, the paper underlines the need for security testing to support compliance checking. Particularly, the use of conformance testing would enhance organizations’ level of assurance regarding their compliance with legal norms of relevance to information security.
Esayas, Samson Yoseph (2013)
Legal Risk Management: a Method for Proactive Management of Legal Risks
[Academic lecture]. SASSI13 – Security Assessment for Systems, Services and Infrastructures.
It is commonplace that legal services are often sought reactively i.e. when a legal problem has already occurred. Such an approach has not always been viewed as satisfactory because disputes and litigation consumes time and resources which could otherwise be used more productively. In the book ‘The Future of Law’, Richard Susskind predicts a paradigm shift in the approach to a legal problem: from problem solving to problem prevention: where understanding legal problems and identifying associated risks and controlling them before any question of escalation becomes a priority. This raises the questions of what kind of methods a lawyer can employ to ensure legal risk management. One possibility is to supplement the conventional legal method of identifying which law applies to a given case with methods for risk analysis developed in other disciplines, such as IT Security. In such disciplines, the risks can be identified, analyzed and addressed in a structured way. The question remains: to what extent, and in which way, such methods for risk management may be applied within the legal domain.
Esayas, Samson Yoseph (2012)
A Cloud Challenge to the EU Regime on Cross-border Flow of Personal Data
[Academic lecture]. Tirsdagskaffeseminar (TKS).
Esayas, Samson Yoseph (2012)
IPv4 depletion and Ipv6 deployment: impact on developing countries
[Academic lecture]. Igov2 Symposium.
Academic Degrees
Year
Academic Department
Degree
2020
University of Oslo
PhD
2012
University of Oslo
Master of Laws
2008
Hawassa University
Bachelor
Work Experience
Year
Employer
Job Title
2019 - Present
BI Norwegian Business School
Associate professor
2023 - 2024
Harvard University, Berkman Klein Center for Internet and Society
Faculty associate
2023 - 2023
Harvard University, Berkman Klein Center for Internet and Society