This paper presents lessons learned and best practices developed for an interdisciplinary research project bridging law and software engineering, in the context of regulatory compliance with the General Data Protection Regulation (GDPR). By exploring challenges and successes encountered in such collaborations, it presents practical tools to support legal scholars in fostering meaningful interdisciplinary cooperation with software engineer researchers. Particularly, this paper brings examples on how to address the gap between the legal discipline and legal provisions, which often lack a nuanced understanding of technical realities, and software engineering, which may overlook critical regulatory contexts. The paper specifically discusses early-stage research challenges in, first, establishing common conceptual and operational ground between disciplines, addressing terminological gaps and divergent methodological assumptions. A second early step in interdisciplinary research involves defining a realistic research scope by balancing normative legal goals with technical feasibility, which should incentivise legal scholars to regard other normative sources than legal provisions. Finally, this paper addresses particularly a hybrid process for translating legal provisions into structured, traceable requirements, incorporating legal design techniques to preserve both legal accuracy and technical usability. By documenting these practices and challenges, the paper fills a gap in existing legal literature on interdisciplinarity methods, empowering legal scholars to engage confidently in collaborative research, advancing both academic inquiry and societal impact.
Research center :
Interdisciplinary Centre for Security, Reliability and Trust (SnT) > SVV - Software Verification and Validation
NCER-FT - FinTech National Centre of Excellence in Research
Disciplines :
Law, criminology & political science: Multidisciplinary, general & others
Computer science
Author, co-author :
SICLARI, Martina ✱; University of Luxembourg > Faculty of Law, Economics and Finance > Department of Law > Team Stanislaw TOSZA
LANNIER, Salomé ✱; University of Luxembourg > Faculty of Law, Economics and Finance (FDEF) > Department of Law (DL)
VOORDECKERS, Olivier ; University of Luxembourg > Faculty of Law, Economics and Finance (FDEF) > Department of Law (DL)
TOSZA, Stanislaw ; University of Luxembourg > Faculty of Law, Economics and Finance (FDEF) > Department of Law (DL)
ABUALHAIJA, Sallam ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SVV
CECI, Marcello ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SVV
SANNIER, Nicolas ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SVV
BIANCULLI, Domenico ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SVV
✱ These authors have contributed equally to this work.
External co-authors :
no
Language :
English
Title :
Beyond silos: Bridging the gap between law and software engineering – challenges, successes, and lesson drawing
Publication date :
November 2025
Journal title :
Internet Policy Review
eISSN :
2197-6775
Special issue title :
Special issue The craft of interdisciplinary research and methods in public interest cybersecurity, privacy, and digital rights governance
This research was funded in whole, or in part, by the Luxembourg National Research Fund (FNR), grant reference NCER22/IS/16570468/NCER-FT. For the purpose of open access, and in fulfilment of the obligations arising from the grant agreement, the authors have applied a Creative Commons Attribution 4.0 International (CC BY 4.0) license to any Author Accepted Manuscript version arising from this submission.