Research theme

Technology law and policy

The current regulatory climate for digital technology is moving in the direction of increased regulation, but many of the far-reaching proposals for change have significant flaws. Those flaws often result from technologists misunderstanding how the law works and from lawyers and policy analysts not understanding technology. Few among the perceived problems associated with technology can be proportionately addressed through law. Failure to accept that poses a risk not just to some abstract notion of ‘innovation’. It threatens the essence of the opportunities we now have to communicate, to form communities, and to work or trade. It also threatens our security and privacy.

My current projects include research on legally-mandated financial surveillance (AML/CFT, especially for cryptocurrencies) and on legal liability associated with automated trading in cryptocurrencies (MEV). I also follow closely the EU Digital Services Act and the Digital Markets Act. I’m particularly concerned with making sure that regulation doesn’t lead to the worsening of user privacy and security.

In my work on technology law and policy, I build on my background in UK and EU public law, legal philosophy and technology.

My current teaching includes:

  • Privacy and Data Governance — an optional module for final-year law students at the University of Surrey School of Law.
  • Ethics and Regulation of Artificial Intelligence — a compulsory module on the MSc in AI course offered by the Department of Electrical and Electronic Engineering at the University of Surrey.

My research affiliations (read more):

Research papers

Proposed additional GDPR enforcement rules (LIBE Report): compatibility with the Charter of Fundamental Rights and consistency with the GDPR
February 2024
MEV: Comment on IOSCO’s Consultation Report on Policy Recommendations for DeFi
Regulation of Crypto-Finance Research Project (October 2023)
Schrems III: Gauging the Validity of the GDPR Adequacy Decision for the United States
International Center for Law & Economics Issue Brief 2023-09-25
Interpreting the EU Digital Markets Act consistently with the EU Charter’s rights to privacy and protection of personal data
Bocconi University, MediaLaws.eu (August 2023)
Blockchain Censorship
arXiv:2305.18545 [cs.CR]
Battle of the Crypto Bots: Automated Transaction Copying in Decentralized Finance
(2023) 26 University of Pennsylvania Journal of Business Law (forthcoming)
Blockchain Transaction Ordering as Market Manipulation
(2023) 20 Ohio State Technology Law Journal 1-87
Key Legal Issues of the EU’s New U.S. Data Protection Adequacy Decision
Stanford Law School (January 2023)
MEV on Ethereum: A Policy Analysis
International Center for Law & Economics (January 2023)
Response to the U.S. Treasury Department’s consultation on digital assets and illicit finance
International Center for Law & Economics (November 2022)
Minimizing Privacy Risks in Regulating Digital Platforms: Interoperability in the EU DMA
CPI Antitrust Chronicle, July 2022
Report on the UK Online Safety Bill
Institute of Economic Affairs (February 2022)
Privacy and Security Implications of Regulation of Digital Services in the EU and in the US
Stanford Law School (January 2022)
Report on the definition of ‘AI’ in the EU AI Regulation
Center for Data Innovation (December 2021)
Reports on the EU Digital Services Act
EPICENTER (June 2021, October 2021)
The Great Transatlantic Data Disruption
International Center for Law & Economics and Progressive Policy Institute (October 2021)
Regulating for Cybersecurity
Warsaw Enterprise Institute (June 2021)
How to Protect Consumer Privacy and Data Security in the Age of 5G?
Consumer Choice Center (April 2019)

Blogs and op-eds

Norwegian decision banning behavioural advertising on Facebook and Instagram
How the New Interoperability Mandate Could Violate the EU Charter
Lawfare, 6 July 2023
The CJEU’s Decision in Meta’s Competition Case Part 2: Sensitive Data and Privacy Enforcement by Competition Authorities
The CJEU’s Decision in Meta’s Competition Case: Consequences for Personalized Advertising Under the GDPR (Part 1)
The Legal Risks of Automated Transaction Copying in Crypto Markets
The FinReg Blog, Duke University, 6 June 2023
EU Digital Markets Act (DMA) and Digital Services Act (DSA) and online advertising
Mobile Dev Memo, 11 April 2023
Keeping data flowing is in India’s interest
The Times of India, 28 March 2023
EU privacy law and online advertising
Mobile Dev Memo, 1 March 2023
After the FTX Crash, What’s Next for Crypto?
Truth on the Market, 13 December 2022
European Commission Tentatively Finds US Commitments ‘Adequate’: What It Means for Transatlantic Data Flows
Truth on the Market, 13 December 2022
Biden’s Data Flows Order: Does It Comport with EU Law?
Truth on the Market, 11 November 2022
Why the EU’s Rushed ‘Travel Rule’ for Crypto Should Be Struck Down
Coindesk, 25 July 2022
Privacy, Crypto, and EU Financial Surveillance
Truth on the Market, 11 July 2022
DMA Update: It’s Still a Privacy Danger
Truth on the Market, 22 June 2022
ADPPA Mimics GDPR’s Flaws, and Goes Further Still
Truth on the Market, 22 June 2022
The Digital Markets Act is a security nightmare
New Europe, 11 February 2022
EU’s Compromise AI Legislation Remains Fundamentally Flawed
Truth on the Market, 8 February 2022
Privacy and Security Risks of Interoperability and Sideloading Mandates
Truth on the Market, 26 January 2022
Will the EU Lose Access to U.S. Data Flows and Software?
Lawfare, 5 November 2021
Users of online platforms need protection from foreign authorities under the DSA
Europe Must Rethink the Digital Services Act
The Mace, 30 June 2021
The Digital Markets Act Shouldn’t Mandate Radical Interoperability
Truth on the Market, 19 May 2021
Brief comments on the draft EU Regulation on Artificial Intelligence
La 5G nous rappelle l’importance de la vie privée des consommateurs
La Tribune, 15 April 2019