'I want to achieve that persons affected by data breaches, like the Odidio Hack, have access to effective remedies'
What does it mean to do a PhD? How do you become a PhD candidate, and what does it take? Sophia Salziger about her doctoral research on the possibility of claiming non-material damages when your personal data is leaked, as happened recently after the Odido hack.
By Tim van Zuijlen
How did your journey lead you to pursuing a PhD in Groningen?
''I studied Law in the International Context of Technology, Politics, and Economy at Dresden University of Technology. After working for a year, I realised that I wanted to expand my knowledge, which brought me to the University of Groningen for an LLM in International Human Rights Law.
While writing my thesis, my supervisor asked if I had ever considered a PhD. At the time, I had no idea what daily PhD work really looked like, but the seed was planted. After completing a second LLM in Global Criminal Law, I was fortunate enough to start my doctoral research in Groningen.''
Can you tell us a bit more about your research? Is there something that you want to achieve?
''My research is about access to effective judicial remedies and focuses on compensating for damages resulting from data protection infringements. In cases of data protection infringements, the damage that humans suffer is usually so-called ‘non-material’.
An example is the fear that your personal data might end up in the wrong hands and will be misused in the future. This type of damage is highly subjective and difficult to prove. The assessment is therefore complex.
Courts are struggling with this and have so far taken different approaches to determining what is eligible for compensation and how much money should be awarded, which in turn leads to inequality. When you go to court, the outcome is uncertain: some courts award compensation, while others do not. Some courts award high compensation and others low.
With my PhD, I aim to provide guidance that helps judges and lawyers navigate that complexity. I want to achieve that persons affected by data breaches have access to effective remedies and are treated equally everywhere.
That sounds like a huge problem, because data breaches happen all the time! We recently had a large data breach at Odido, but there are also breaches at the public health screening and the GGDs. Are we learning from these events about if and how non-material damage can be compensated?
''These cases are a perfect example of the ‘fear of future misuse’. When a data breach occurs, your personal data may end up in the dark web, and, even if it hasn't been misused yet, that fear can be an actual harm. Under Article 82 of the GDPR, you can claim for compensation for this fear, but proving such a fear is difficult. It might be easier for affected persons to pursue a collective claim.
In the Netherlands under the WAMCA, it seems that the standard of proof required to demonstrate damage in a collective claim is lower than the level of individualised evidence needed for an individual claim.
In any case, courts will assess whether the company’s data controller has implemented ‘appropriate’ technical and organisational measures, for which the expertise of IT specialists is required. Hence, this is advice for all data controllers: ensure that your technical and organisational measures are up to date, because if you cannot prove that you have implemented appropriate measures ‘in a concrete manner’, you will be presumed at fault and held liable for any resulting damage!
As you can see, establishing liability and awarding compensation in data breaches, like the Odido hack, is a lengthy, high-effort process. This also shows us that we need more experts with an interdisciplinary background."
This has many perspectives. Not just legal, but also technical and organisational. Did that year working at NGOs and in the private sector also shape your doctoral research?
''Yes, it did, in terms of both ‘technical and organisational’ aspects! I worked with NGOs in the fields of international humanitarian aid and human rights advocacy. I had tight deadlines, which taught me to work efficiently and manage my time effectively.
Later, I worked for a company where I implemented the GDPR. I wasn't a data protection specialist then, but I had to learn fast, write training materials and implement technical and organisational measures.
I am very grateful for this practical insight and experience, because it has enabled me to gain a better understanding of the theoretical and technical phrases in the GDPR and other privacy laws.
Now in my PhD, one of my aims is to find effective solutions for both parties - affected persons and responsible data controllers - making the GDPR applicable and efficient in practice rather than creating bureaucratic hurdles."
And now, finally, you are in the finishing stages of your doctoral research. Can you already look back and find what personal qualities helped you in your PhD, and are there any tips for starting and aspiring PhDs?
"I think being curious is of great help, as well as being open to creative solutions and to keep asking questions. Patience is also vital, because you will encounter obstacles and closed doors, but if you keep reading, searching and reaching out to others, new avenues will eventually present themselves.
A PhD isn't a 9-to-5 job; it's a multifaceted experience: not just research, but much more, including teaching, supervising students, networking at conferences and visiting research institutes. Spending hours working in your office can be isolating, but interacting with other researchers who share your interests and concerns can foster a sense of community.
If I were to give students some advice, I would say to them: even if you feel that your grades define you, your value as a researcher lies more in your specific interests and skills than in a grade or a ‘cum laude’ on your diploma. In short: don’t let the academic environment intimidate you.
My practical advice for starting a PhD: start writing early on! Don't spend the first three years simply consuming information. Use the time to gradually develop as a researcher and drive your project forward, so that unforeseen life events don’t set you back.