Claudette Meets GDPR: Automating the Evaluation of Privacy Policies Using Artificial Intelligence

Contissa, Giuseppe; Docter, Koen; Lagioia, Francesca; Lippi, Marco; Micklitz, Hans‐W.; Pałka, Przemysław; Sartor, Giovanni; Torroni, Paolo

doi:10.2139/ssrn.3208596

Download This Paper

Open PDF in Browser

Add Paper to My Library

Claudette Meets GDPR: Automating the Evaluation of Privacy Policies Using Artificial Intelligence

59 Pages Posted: 25 Jul 2018

See all articles by Giuseppe Contissa

Giuseppe Contissa

European University Institute - Department of Law (LAW); University of Bologna - Research Center of History of Law, Philosophy and Sociology of Law, and Computer Science and Law (CIRSFID)

Francesca Lagioia

European University Institute - Department of Law (LAW); University of Bologna - Research Center of History of Law, Philosophy and Sociology of Law, and Computer Science and Law (CIRSFID)

Marco Lippi

Università degli studi di Modena e Reggio Emilia (UNIMORE)

Hans‐W. Micklitz

European University Institute - Department of Law (LAW)

Przemysław Pałka

Jagiellonian University in Krakow - Faculty of Law and Administration; Information Society Project at Yale

Giovanni Sartor

European University Institute Law Department

Paolo Torroni

University of Bologna - Department of Computer Science and Engineering

Date Written: July 2, 2018

Abstract

This report contains preliminary results of the study aiming at automating legal evaluation of privacy policies, under the GDPR, using artificial intelligence (machine learning), in order to empower the civil society representing the interests of consumers. We outline what requirements a GDPR-complaint privacy policy should meet (comprehensive information, clear language, fair processing), as well as what are the ways in which these documents can be unlawful (if required information is insufficient, language unclear, or potentially unfair processing indicated). Further, we analyse the contents of privacy policies of Google, Facebook (and Instagram), Amazon, Apple, Microsoft, WhatsApp, Twitter, Uber, AirBnB, Booking.com, Skyscanner, Netflix, Steam and Epic Games. The experiments we conducted on these documents, using various machine learning techniques, lead us to the conclusion that this task can be, to a significant degree, realized by computers, if a sufficiently large data set is created. This, given the amount of privacy policies online, is a task worth investing time and effort. Our study indicates that none of the analysed privacy policies meets the requirements of the GDPR. The evaluated corpus, comprising 3658 sentences (80.398 words) contains 401 sentences (11.0%) which we marked as containing unclear language, and 1240 sentences (33.9%) that we marked as potentially unlawful clause, i.e. either a "problematic processing” clause, or an “insufficient information” clause (under articles 13 and 14 of the GDPR). Hence, there is a significant room for improvement on the side of business, as well as for action on the side of consumer organizations and supervisory authorities.

Keywords: GDPR, Artificial Intelligence, Machine Learning, Consumer, Law, Privacy, Policy, Automation, Data Protection

Suggested Citation: Suggested Citation

Contissa, Giuseppe and Contissa, Giuseppe and Docter, Koen and Lagioia, Francesca and Lippi, Marco and Micklitz, Hans-W. and Pałka, Przemysław and Sartor, Giovanni and Torroni, Paolo, Claudette Meets GDPR: Automating the Evaluation of Privacy Policies Using Artificial Intelligence (July 2, 2018). Available at SSRN: https://ssrn.com/abstract=3208596 or http://dx.doi.org/10.2139/ssrn.3208596