RegTech4AI

Bringing AI Law into Practice

An NGF-funded research initiative making EU AI regulation work in practice through regulatory technology. We develop technical methods to implement GDPR and the AI Act, bridging the gap between legal requirements and real-world applications.

Research Focus

GDPR & AI Act Implementation

Developing practical tools and frameworks to help organizations comply with European data protection and AI regulations through automated technical solutions.

Interdisciplinary Approach

Combining expertise from law, computer science, HCI, and NLP to create RegTech solutions that work at the intersection of technology and legal compliance.

Open Research & Tools

Publishing our findings openly and building accessible tools that help the broader community understand and implement AI regulation effectively.

Publications

Our latest research on AI regulation, data protection, and compliance technology.

Conference Paper, 2025

Are Companies Taking AI Risks Seriously? A Systematic Analysis of Companies' AI Risk Disclosures in SEC 10-K forms

Lucas G. Uberti-Bona Marin, Bram Rijsbosch, Gerasimos Spanakis, Konrad Kollnig

ECML PKDD SoGood (Data Science for Social Good) Workshop

This study presents the first large-scale systematic analysis of AI risk disclosures in SEC 10-K filings. We analyse over 30,000 filings from more than 7,000 companies over the past five years. Our findings reveal a sharp increase in companies mentioning AI risk, up from 4% in 2020 to over 43% in 2024. While legal and competitive AI risks are most frequently mentioned, many disclosures remain generic or lack details on mitigation strategies.

AI Act, Risk Disclosure, SEC, Compliance

Preprint, 2025

Adoption of Watermarking for Generative AI Systems in Practice and Implications under the new EU AI Act

Bram Rijsbosch, Gijs van Dijck, Konrad Kollnig

arXiv preprint

Watermarking has emerged as a primary mechanism to address the risks posed by AI-generated content and is now becoming a legal requirement under the EU AI Act. This paper provides both an empirical and legal analysis of watermarking measures. We find that only a minority of AI image generators currently implement adequate watermarking (38%) and deep fake labelling (18%) practices.

AI Act, Watermarking, Generative AI, Deep Fakes

Journal Article, 2025

Abuse of Relative Dominance by Digital Platforms: A Law and Economics Perspective

Qian Li, Caroline Cauffman

GRUR International

This paper examines how digital platforms with significant market power can impose unfair trading terms on business partners. It discusses the challenges in proving dominance under Article 102 of the Treaty on the Functioning of the European Union (TFEU) due to the multi-sided nature of platforms and their innovative business models.

Competition Law, Digital Platforms, Market Dominance, EU Law

Journal Article, 2025

Excessive Data Collection and (Mis)use of Data: A Comparative Law and Economics Study on the Chinese Didi Case and the German Facebook Case

Qian Li

The Chinese Journal of Comparative Law

This study examines the coexistence of market dominance and information asymmetry resulting from excessive data collection and misuse in digital markets. It analyzes the Chinese Didi case and the German Facebook case to evaluate different legal approaches, highlighting concerns in both competition law and data protection law.

Data Protection, Competition Law, Comparative Law, Digital Markets

Journal Article, 2025

Regulating Pressing Systemic Risks – But Not Too Soon?

Defne Halil, Konrad Kollnig, Aurelia Tamò-Larrieux

Internet Policy Review

This paper analyzes the data access provisions of the EU's Digital Services Act (DSA) and presents the results of 27 data access requests across EU member states. The findings indicate delays and challenges in obtaining meaningful data for research, emphasizing the need for timely access to address systemic risks on online platforms.

Digital Services Act, Data Access, Systemic Risk, Platform Governance

Preprint, 2025

Can the GPC Standard Eliminate Consent Banners in the EU?

Sebastian Zimmeck, Harshvardhan J. Pandit, Frederik Zuiderveen Borgesius, Cristiana Teixeira Santos, Konrad Kollnig, Robin Berjon

arXiv preprint

This paper explores whether the Global Privacy Control (GPC) standard can be adapted to the EU legal framework to mitigate consent fatigue caused by ubiquitous consent banners. It analyzes GPC as a technical specification and examines its compatibility with EU data protection laws, identifying areas of friction and proposing resolutions to align GPC with EU requirements.

Privacy, GDPR, Consent, GPC

Preprint, 2025

Every Keystroke You Make: A Tech-Law Measurement and Analysis of Event Listeners for Wiretapping

Shaoor Munir, Nurullah Demir, Qian Li, Konrad Kollnig, Zubair Shafiq

arXiv preprint

This study investigates the use of JavaScript event listeners by third-party trackers for real-time keystroke interception on websites. It conducts a tech-law analysis mapping U.S. wiretapping laws to web tracking, finding that 38.52% of websites install third-party event listeners to intercept keystrokes, with at least 3.18% transmitting intercepted information to third-party servers.

Privacy, Web Tracking, Wiretapping, Cybersecurity

Journal Article, 2025

Data Portability Strategies in the EU: Moving Beyond Individual Rights

Yongle Chao, Meihe Xu, Aurelia Tamò-Larrieux, Konrad Kollnig

Computer Law & Security Review

Data portability has traditionally been considered an individual right to enhance data subjects' control over their personal data under the GDPR. This paper argues that the concept of data portability has evolved beyond its original scope of protecting individual rights, toward better access and flow for multiple stakeholders. We analyze the evolution of data portability as an important novel policy instrument in EU legislation, and contend that data interoperability is both a technical issue and a political concern.

Data Portability, GDPR, Data Governance, Interoperability

The Humans

Our team brings together researchers from computer science, law, HCI, and NLP at Maastricht University.

Research Team

Konrad Kollnig

Project Lead & Assistant Professor in CS and Law

Kamil Szostak

PhD Student

Bram Rijsbosch

PhD Student

Lucas Giovanni Uberti-Bona Marin

PhD Student

Ishitaa Narwane

PhD Student

Qian Li

Postdoc

Supporting Faculty

Gijs van Dijck

Professor

Johanna T. Gunawan

Assistant Professor in CS/HCI/Law

Marta Kołacz

Assistant Professor in Law

Jerry Spanakis

Assistant Professor in NLP and Law