Call for papers Privacy Research Day, June 24th 2026, Paris

Topics

This list is non-exhaustive, and submission may concern any other topic relevant to privacy and data protection.

“Protection of Children and Vulnerable Users”

This topic explores specific privacy and security challenges faced by users whose personal, social, or professional situations create particular vulnerabilities. These include minors, seniors, and so-called excluded population or marginalized communities. The diversity of these profiles calls for reflection on adapting protection mechanisms. The focus will be on emerging risks and uses, whether related to the deployment of artificial intelligence (mental health, deepfakes) or new forms of control and protection (age verification, geolocation, parental control).

Key questions include:

• What risks are most prevalent for different types of users? What concretely makes a user vulnerable?
• What are protective strategies considered and/or applied by children/vulnerable users?
• How can childrens/vulnerable users be protected while still granting them autonomy?
• How can services be designed to adapt to different risk profiles?

“Privacy Without Borders”

The GDPR is said to have created a “Brussels Effect,” and we are witnessing a proliferation of data protection laws introducing new ideas. In the context of the G7, it would be particularly relevant to examine the cross-border effects of these texts: the “California Effect” with the CCPA / CPRA , the “Beijing Effect” with the PIPL , the concept of “Privacy by Design” originating in Ontario (Canada), and others.

This theme is more broadly open to work on international cooperation enabled or encouraged by these regulations, their effects on data transfers, and the role of Privacy Enhancing Technologies (PETs), which provide technical guarantees independently of regulatory frameworks and can therefore internationally act as compliance facilitators.

Key questions include:

• What legal issues arise from the interaction of different national or international legislations?
• What common denominators exist across different legislations?
• What legal and technical tools are available for data exporters and importers?
• Do PETs facilitate compliance with certain regulations?
• How can users be informed of their rights under different legal frameworks?
• How do privacy standards travel and adapt to regional specificities?

“Artificial Intelligence Through the Lens of…”

• Data protection: AI systems require large volumes of (often personal) data for training and blur the line between data and AI models, from which personal data can often be extracted.
• Security: AI systems can amplify the scale of known cyberattacks and enable entirely new ones (e.g., side-channel attacks that can decipher keystrokes via sound).
• Regulation: Regulators and legal frameworks evolves and adapts to these challenges, particularly those associated with so-called “agentic” AI systems, including issues of liability and the potential use of such systems by regulators themselves.

Key questions include:

• How do the interface and functioning of AI systems contribute the processing of more personal data?
• What new threats are emerging, and how does AI change security practices or the exercise of rights?
• In general, how are regulatory bodies exposed to new challenges?

“Wearables and IoT”

The integration of analytical capabilities and ubiquitous connectivity enables connected objects - whose size has significantly decreased - to continuously analyze their environment and collect data. The acceptability and use of these objects, particularly smart glasses, raise new privacy challenges. The theme also covers smart home devices, which are increasingly deployed in households in a similarly discreet manner.

Key questions include:

• What the privacy perceptions related to wearables and IoT?
• How does the decreasing size/visibility of connected objects affect a user's ability to remain aware of data collection, and what mechanisms can work for screenless devices?
• Do wearables and IoT raise new legal questions and use cases different from those of smartphones?

“Science based regulation”

This theme aims to explore cases where scientific research is mobilized by or intended for regulators, and observe situations in which regulators transform scientific work into "serviceable truths" (technical evidence used to ground legal decisions, enforce sovereignty, and shape European digital policy). The objective is to better understand the practical challenges of using scientific resources (typologies, survey results, methods, tools, recommendations) to support regulation.

Key questions include:

• What conditions enable effective interaction between science and regulation?
• How do regulators turn complex scientific data into “regulatory objectivity” and administrative proof?
• Which academic contributions have been used in litigation or regulatory decisions and how?
• What quantitative or qualitative methods are used to quantify and sanction often “invisible” digital damages?

“Monetization of Personal Data and Business Models in the Digital Economy”

This theme welcomes contributions analyzing business models in the platform economy from a multidisciplinary perspective. Starting from the economic stakes of collecting and processing personal data and the associated risks, discussions will address current and foreseeable evolutions of these business models (e.g., consent-or-pay models), the role of technological developments, choice architectures, and corresponding regulations.

Key questions include:

• How is the economic value of personal data perceived by platforms, and how does this compare to the value perceived by users?
• Under what conditions does the “consent-or-pay” model respect the consent required by regulations like the GDPR? What is an appropriate price for such models?
• To what extent do new regulation frameworks (DMA, Data Act, etc.) rebalance the power dynamics between “gatekeepers” and users? Under what provisions and tools?

“Data Security: From technical Tools to Social Practices”

This theme examines privacy protection as both a technical challenge and a matter of social adoption, analyzing how individuals and organizations equip themselves to face digital vulnerabilities.

• Implementation of Privacy-Enhancing Technologies (PETs): this strand explores how techniques such as advanced encryption, differential privacy, and zero-knowledge proofs are now being integrated into consumer products and infrastructures. Contributions may analyze how these tools help meet GDPR requirements by natively reducing data collection, simplifying administrative obligations, enabling secure data flows, and in some instances enhancing competitiveness.
• Usable Privacy and Security: this strand focuses on the interface between tools and users, drawing on research in social sciences, design, and human-computer interaction. The challenge is to understand the often-complex transition from the existence of a technical solution (e.g., password managers or two-factor authentication) to its effective adoption. Research may examine risk perception mechanisms, including gaps between real threats and users’ expressed fears.

Key questions include:

• How do emerging PETs balance high-level data utility with robust security guarantees in commercial products?
• To what extent can PETs "automate" GDPR requirements (like data minimization) and reduce the legal burden for organizations?
• Why is there a persistent gap between the availability of PETs and their actual deployment?
• How do users' mental models and "expressed fears" differ from actual technical threats, and how does this affect their defensive strategies?

More information: privacyresearchday[@]cnil.fr