Claudette Meets GDPR: Automating the Evaluation of Privacy Policies Using Artificial Intelligence

59 Pages Posted: 25 Jul 2018

See all articles by Giuseppe Contissa

Giuseppe Contissa

European University Institute - Department of Law (LAW); University of Bologna - Research Center of History of Law, Philosophy and Sociology of Law, and Computer Science and Law (CIRSFID)

Koen Docter

European University Institute

Francesca Lagioia

European University Institute - Department of Law (LAW); University of Bologna - Research Center of History of Law, Philosophy and Sociology of Law, and Computer Science and Law (CIRSFID)

Marco Lippi

Università degli studi di Modena e Reggio Emilia (UNIMORE)

Hans‐W. Micklitz

European University Institute - Department of Law (LAW)

Przemysław Pałka

Yale Law School Center for Private Law

Giovanni Sartor

European University Institute Law Department

Paolo Torroni

University of Bologna - Department of Computer Science and Engineering

Date Written: July 2, 2018

Abstract

This report contains preliminary results of the study aiming at automating legal evaluation of privacy policies, under the GDPR, using artificial intelligence (machine learning), in order to empower the civil society representing the interests of consumers. We outline what requirements a GDPR-complaint privacy policy should meet (comprehensive information, clear language, fair processing), as well as what are the ways in which these documents can be unlawful (if required information is insufficient, language unclear, or potentially unfair processing indicated). Further, we analyse the contents of privacy policies of Google, Facebook (and Instagram), Amazon, Apple, Microsoft, WhatsApp, Twitter, Uber, AirBnB, Booking.com, Skyscanner, Netflix, Steam and Epic Games. The experiments we conducted on these documents, using various machine learning techniques, lead us to the conclusion that this task can be, to a significant degree, realized by computers, if a sufficiently large data set is created. This, given the amount of privacy policies online, is a task worth investing time and effort. Our study indicates that none of the analysed privacy policies meets the requirements of the GDPR. The evaluated corpus, comprising 3658 sentences (80.398 words) contains 401 sentences (11.0%) which we marked as containing unclear language, and 1240 sentences (33.9%) that we marked as potentially unlawful clause, i.e. either a "problematic processing” clause, or an “insufficient information” clause (under articles 13 and 14 of the GDPR). Hence, there is a significant room for improvement on the side of business, as well as for action on the side of consumer organizations and supervisory authorities.

Keywords: GDPR, Artificial Intelligence, Machine Learning, Consumer, Law, Privacy, Policy, Automation, Data Protection

Suggested Citation

Contissa, Giuseppe and Docter, Koen and Lagioia, Francesca and Lippi, Marco and Micklitz, Hans-W. and Pałka, Przemysław and Sartor, Giovanni and Torroni, Paolo, Claudette Meets GDPR: Automating the Evaluation of Privacy Policies Using Artificial Intelligence (July 2, 2018). Available at SSRN: https://ssrn.com/abstract=3208596 or http://dx.doi.org/10.2139/ssrn.3208596

Giuseppe Contissa

European University Institute - Department of Law (LAW) ( email )

Via Bolognese 156 (Villa Salviati)
50-139 Firenze
ITALY

University of Bologna - Research Center of History of Law, Philosophy and Sociology of Law, and Computer Science and Law (CIRSFID) ( email )

Via Galliera 3
I-40121 Bologna
Italy

Koen Docter

European University Institute ( email )

Villa Schifanoia
133 via Bocaccio
Firenze (Florence), Tuscany 50014
Italy

Francesca Lagioia

European University Institute - Department of Law (LAW) ( email )

Via Bolognese 156 (Villa Salviati)
50-139 Firenze
Italy

University of Bologna - Research Center of History of Law, Philosophy and Sociology of Law, and Computer Science and Law (CIRSFID) ( email )

Via Galliera 3
I-40121 Bologna
Italy

Marco Lippi

Università degli studi di Modena e Reggio Emilia (UNIMORE) ( email )

Viale A. Allegri 9
Modena, Modena 42121
Italy

Hans-W. Micklitz

European University Institute - Department of Law (LAW) ( email )

Via Boccaccio 121 (Villa Schifanoia)
I-50122 Firenze
Italy

Przemysław Pałka (Contact Author)

Yale Law School Center for Private Law ( email )

Giovanni Sartor

European University Institute Law Department ( email )

Via Bolognese 156 (Villa Salviati)
50-139 Firenze
ITALY

Paolo Torroni

University of Bologna - Department of Computer Science and Engineering

Scuola di Ingegneria e Architettura
Viale del Risorgimento 2
Bologna, Bologna 40136
Italy

Register to save articles to
your library

Register

Paper statistics

Downloads
105
rank
240,792
Abstract Views
671
PlumX