Granular or holistic approach? Enforcing privacy rights in complex ICT ecosystems

ICT ecosystems are complex systems of devices, networks, and backends operated and managed by multiple stakeholders. They are the backbone of infrastructures such as healthcare, smart manufacturing, transport, defense, energy, and others, which process massive amounts of personal data. There is no convergence on how to ensure the enforcement of privacy rights in such complex ecosystems. Most approaches are granular in that they focus on implementing privacy controls in every piece of the system, while others advocate for a more holistic approach to privacy (inter-organizational privacy) where all components share one common set of rules or principles or are based on interoperable frameworks or architectures. This panel aims to find a solution to this debate, while covering aspects such as risk identification, governance, transparency, the engineering of control and protection capabilities, and the role of assurance to ensure trustworthiness.

• Is privacy preserved when composing privacy-friendly systems? Should we move away from a one-shot, static, monodisciplinary and single-perspective privacy impact assessment towards a multi-stakeholder perspective?
• How can a framework (e.g. the NIST privacy framework) help address the data protection issues raised by the multiplication of actors? Can we use it as a common framework to create an ecosystem practice for privacy rights enforcement, for instance in a data space?
• Are there specific collaboration needs between stakeholders in the ecosystem, concerning risk management, architecture and engineering practice, and contractual agreements?
• Do we need to define a roadmap on ecosystem practice, including the definition of further regulations and standards (on systems of systems, interoperability and assurance)?