Automated Processing of Privacy Policies Under the EU General Data Protection Regulation

Giuseppe Contissa, Koen Docter, Francesca Lagioia, Marco Lippi, Hans-Wolfgang Micklitz, Przemyslaw Palka, Giovanni Sartor, Paolo Torroni
2018 International Conference on Legal Knowledge and Information Systems  
Two years after its entry into force, the EU General Data Protection Regulation became applicable on the 25th May 2018. Despite the long time for preparation, privacy policies of online platforms and services still often fail to comply with information duties and the standard of lawfulness of data processing. In this paper we present a new methodology for processing privacy policies under GDPR's provisions, and a novel annotated corpus, to be used by machine learning systems to automatically ... ck the compliance and adequacy of privacy policies. Preliminary results confirm the potential of the methodology.

Introduction: the legal and technological context

In Europe the processing of online personal data falls under the General Data Protection Regulation (GDPR), which aims at making all data processing (from collection to usage to transfers) lawful, fair and transparent. The enforcement of GDPR is based on two complementary approaches: (1) the administrative control by independent supervisory authorities and (2) the exercise of private rights by data subjects and/or civil society. The supervisory authority can either act on its own motion, or as a result of a complaint by a data subject or an NGO. To ensure transparency and enable the effective exercise of data subjects' rights, the GDPR requires controllers to provide the data subject with the information listed in Art. 13 and 14. Art. 12 stipulates that all this information must be given "in a concise, transparent, intelligible and easily accessible form, using clear and plain language". The document containing this information, namely the privacy policy, fails to be GDPR compliant if it foresees unlawful processing, if it does not contain required information, or if it uses unclear language. Our research indicates that many privacy policies fail to meet the requirements of the GDPR (see 4).
doi:10.3233/978-1-61499-935-5-51 dblp:conf/jurix/ContissaDL0MPST18 fatcat:677jziiigjeapnzzap4euuiloy