Date: 2018
Type: Working Paper
CLAUDETTE meets GDPR : automating the evaluation of privacy policies using Artificial Intelligence
Working Paper, European Consumer Organisation (BEUC) Study Report, 2018
CONTISSA, Giuseppe, DOCTER, Koen, LAGIOIA, Francesca, LIPPI, Marco, MICKLITZ, Hans-Wolfgang, PALKA, Przemyslaw, SARTOR, Giovanni, TORRONI, Paolo, CLAUDETTE meets GDPR : automating the evaluation of privacy policies using Artificial Intelligence, European Consumer Organisation (BEUC) Study Report, 2018 - https://hdl.handle.net/1814/60795
Retrieved from Cadmus, EUI Research Repository
This report contains preliminary results of the study aiming at automating legal evaluation of privacy policies, under the GDPR, using artificial intelligence (machine learning), in order to empower the civil society representing the interests of consumers. We outline what requirements a GDPR-complaint privacy policy should meet (comprehensive information, clear language, fair processing), as well as what are the ways in which these documents can be unlawful (if required information is insufficient, language unclear, or potentially unfair processing indicated). Further, we analyse the contents of privacy policies of Google, Facebook (and Instagram), Amazon, Apple, Microsoft, WhatsApp, Twitter, Uber, AirBnB, Booking.com, Skyscanner, Netflix, Steam and Epic Games. The experiments we conducted on these documents, using various machine learning techniques, lead us to the conclusion that this task can be, to a significant degree, realized by computers, if a sufficiently large data set is created. This, given the amount of privacy policies online, is a task worth investing time and effort. Our study indicates that none of the analysed privacy policies meets the requirements of the GDPR. The evaluated corpus, comprising 3658 sentences (80.398 words) contains 401 sentences (11.0%) which we marked as containing unclear language, and 1240 sentences (33.9%) that we marked as potentially unlawful clause, i.e. either a "problematic processing” clause, or an “insufficient information” clause (under articles 13 and 14 of the GDPR). Hence, there is a significant room for improvement on the side of business, as well as for action on the side of consumer organizations and supervisory authorities.
Additional information:
Posted: 25 Jul 2018
Cadmus permanent link: https://hdl.handle.net/1814/60795
External link: http://www.claudette.eu/gdpr/
https://www.beuc.eu/publications/beuc-x-2018-066_claudette_meets_gdpr_report.pdf
https://www.beuc.eu/publications/beuc-x-2018-066_claudette_meets_gdpr_report.pdf
Series/Number: European Consumer Organisation (BEUC) Study Report; 2018
Files associated with this item
Files | Size | Format | View |
---|---|---|---|
There are no files associated with this item. |