
Analyzing GDPR Compliance Through the Lens of Privacy Policy - PowerPoint PPT Presentation



  1. Analyzing GDPR Compliance Through the Lens of Privacy Policy. Jayashree Mohan, Melissa Wasserman, Vijay Chidambaram

  2. General Data Protection Regulation (GDPR). Personal data: respect the rights of the data owner; gather it legally and for a purpose; protect it from misuse/exploitation. Non-compliance can result in hefty fines and penalties.

  3. 2019: The year of enforcement!
     - Google ($55 million), Jan 2019: lack of explicit consent and transparency
     - Taxa 4x35 ($180K), March 2019: no timely deletion
     - Haga Hospital ($550K), July 2019: lax controls over logging and access
     - Marriott ($124 million), July 2019: poor data security
     - British Airways ($230 million), July 2019: poor data security

  5. Transparency Google ( $55 million) Jan 2019 Lack of explicit consent and transparency

  6. What GDPR requirements did Google fail to meet? "Lack of transparency, inadequate information and lack of valid consent regarding ads personalization." Transparency, GDPR Article 12: "The controller shall take appropriate measures to provide any information… relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language." In other words: a clear and concise privacy policy.

  7. Privacy Policy. The privacy policy is where the data processor/controller asks users/customers for consent and establishes their rights.

  8. Privacy policies are long, use jargon, and are difficult to comprehend. How can users consent to the use of their personal data if they cannot read or understand privacy policies?

  9. Main takeaways 1. What is the key information any GDPR-compliant system should provide to its users in a straightforward way? 2. Identifying GDPR dark patterns: case study of the privacy policies of 10 popular cloud services 3. A systems perspective on solving GDPR dark patterns

  11. Outline • GDPR-compliant privacy policy • Case study of privacy policy of 10 cloud services • GDPR dark patterns • Future directions


  13.–20. GDPR Compliant Privacy Policy
     1. WHO uses the collected data. Processing entities: the source of the data, and the entities with whom data is shared.
     2. WHAT personally identifiable data is collected. Data categories: attributes of the personally identifiable information collected.
     3. WHY is the data being collected. Purpose: the legal basis for collection and processing of each data category.
     4. WHEN will the collected data expire and be deleted. Retention: the policy or period of retention for each data category.
     5. HOW can a user exercise control over his/her data. User controls: how users can access/enforce their rights over their data.
     6. DOES the controller ensure safety of user data. Data protection: measures taken to ensure the safety and protection of user data.
     7. DOES the controller appropriately notify users of changes in policy. Policy updates: notify users appropriately of changes to the privacy policy and ask for consent.

  21. Outline • GDPR-compliant privacy policy • Case study • GDPR dark patterns • Future directions

  22. Case study grid: the seven criteria (Processing, Data, Purpose, Retention, Controls, Protection, Updates) checked against the privacy policies of ten services: Bloomberg, Onavo, Instagram, Uber, edX, Snapchat, iCloud, WhatsApp, Flybe, Metro Bank. (The per-service pass/fail marks were in the slide graphic and are not reproduced here.)

  23. Outline • GDPR-compliant privacy policy • Case study • GDPR dark patterns • Future directions

  24. GDPR Dark Patterns. Oftentimes we simply click "I agree". What are we signing up for? Four common dark patterns in cloud services.

  25. 1. User rights: all or nothing. One checkbox to access all services; the only way to object to processing of any piece of collected information is to deactivate the account; no fine-grained control over personal data. Uber's Privacy Policy: "Uber may continue to process your information notwithstanding the objection to the extent permitted under GDPR." edX's Privacy Policy: "Deleting user information does not apply to historical activity logs or archives unless and until these logs and data naturally age-off."

  26. 2. Purpose bundling. Services, promotions, ads and affiliates: no option to opt out of specific services; all the processing is bundled into one consent box. Instagram: "Our Service Providers will be given access to your information as is reasonably necessary to provide the Service under reasonable confidentiality terms." Google was fined $55 million for a similar charge: "Google's consent flow doesn't comply with the GDPR according to the CNIL. By default, Google really pushes you to sign in or sign up to a Google account. The company tells you that your experience will be worse if you don't have a Google account. According to the CNIL, Google should separate the action of creating an account from the action of setting up a device — consent bundling is illegal under the GDPR."

  27. 3. Notifications. Notify users of changes in the privacy policy by appropriate means; ask for consent to the modified policy; show users the new additions to the privacy policy instead of asking them to accept the new terms by reading the entire policy document. edX, Bloomberg: "Label the Privacy Policy as 'Revised (date)' [...]. By accessing the Site after any changes have been made, you accept the modified Privacy Policy and any changes contained therein."

  28. 4. Data Protection. Many services, including Uber and Onavo, state nothing about the data protection strategies used (encryption) or international transfer policies. The highest GDPR fine so far was levied on British Airways for negligent data protection. UK Information Commissioner on the BA fine: "People's personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That's why the law is clear – when you are entrusted with personal data you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."
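The systems-side counterpart to dark patterns 1 and 2 (all-or-nothing rights, purpose bundling) and to the retention requirement on the checklist slide is to attach purpose, retention and processor metadata to each stored item and enforce it in the data path. The following is an added example written for this page; it is not code from the presentation or from the authors' systems, and the store, field names and sample records are assumptions made for illustration. Consent is recorded per purpose, an objection stops one purpose without deactivating the account, records are deleted when their category's retention period ends, and access and erasure requests are answered from the same metadata.

```python
"""Per-purpose consent, per-category retention and subject-rights requests on a
small in-memory personal-data store. Added example, not the presentation's code;
the store layout, field names and sample data are assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Record:
    """One personal-data item with the metadata a GDPR-compliant policy has to state."""
    subject: str                          # whose data this is
    category: str                         # WHAT: data category, e.g. "email", "location"
    value: str
    purposes: frozenset                   # WHY: every purpose the item may be processed for
    collected_at: datetime
    retention: timedelta                  # WHEN: retention period for this category
    processors: frozenset = frozenset()   # WHO: third parties given access

    def expires_at(self) -> datetime:
        return self.collected_at + self.retention


class ConsentStore:
    """In-memory store: per-purpose consent, per-category expiry, subject rights."""

    def __init__(self):
        self._records = []
        self._consent = {}   # (subject, purpose) -> True (granted) / False (objected)

    # consent is granted purpose by purpose, never as one bundled checkbox
    def grant(self, subject, purpose):
        self._consent[(subject, purpose)] = True

    # objection to one purpose: that processing stops, the account stays active
    def object(self, subject, purpose):
        self._consent[(subject, purpose)] = False

    def has_consent(self, subject, purpose):
        return self._consent.get((subject, purpose), False)

    def collect(self, rec: Record):
        # refuse to store data for which no stated purpose has been consented to
        if not any(self.has_consent(rec.subject, p) for p in rec.purposes):
            raise PermissionError(f"no consented purpose for {rec.category} of {rec.subject}")
        self._records.append(rec)

    def usable_for(self, purpose, now):
        """Records that may be processed for `purpose` at time `now`."""
        return [r for r in self._records
                if purpose in r.purposes
                and self.has_consent(r.subject, purpose)
                and now < r.expires_at()]

    def expire(self, now):
        """Delete records past their retention period; returns how many were removed."""
        before = len(self._records)
        self._records = [r for r in self._records if now < r.expires_at()]
        return before - len(self._records)

    def export(self, subject):
        """Right of access: what is held, for what, shared with whom, until when."""
        return [{"category": r.category, "purposes": sorted(r.purposes),
                 "processors": sorted(r.processors),
                 "expires_at": r.expires_at().isoformat()}
                for r in self._records if r.subject == subject]

    def erase(self, subject):
        """Right to erasure: remove every record of the subject; returns the count."""
        before = len(self._records)
        self._records = [r for r in self._records if r.subject != subject]
        return before - len(self._records)


def demo():
    """Constructed sample: one user, two data categories, ads consent withdrawn."""
    t0 = datetime(2019, 7, 1, tzinfo=timezone.utc)
    s = ConsentStore()
    s.grant("alice", "service")
    s.grant("alice", "ads")
    s.collect(Record("alice", "email", "alice@example.com", frozenset({"service", "ads"}),
                     t0, timedelta(days=365), frozenset({"mail-provider"})))
    s.collect(Record("alice", "location", "52.5,13.4", frozenset({"ads"}),
                     t0, timedelta(days=30), frozenset({"ad-network"})))
    s.object("alice", "ads")                       # object to ads only; account stays active
    ads_after = len(s.usable_for("ads", t0))       # 0: both records blocked for ads
    svc_after = len(s.usable_for("service", t0))   # 1: email still usable for the service
    removed = s.expire(t0 + timedelta(days=31))    # 1: location is past its 30-day retention
    return ads_after, svc_after, removed, s.export("alice")


if __name__ == "__main__":
    print(demo())
```

The point of the metadata is that every answer the checklist demands (who, what, why, when, how) is derived from the stored records rather than from prose in the policy, so a policy statement such as "deleting user information does not apply to historical logs" cannot quietly override what the system actually does.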

  29. Outline • GDPR-compliant privacy policy • Case study • GDPR dark patterns • Future directions

  30. Is it enough if companies get their privacy policy right? Are users able to enforce the rights that the privacy policy claims to provide?

  31. Future directions, three threads:
     - Write clear, concise privacy policies → simple, straightforward privacy policies.
     - Understand how GDPR affects the design and operation of Internet companies [Seven GDPR Sins: HotCloud'19], and translate these into the need for infrastructural changes [Impact of GDPR on Storage Systems: HotStorage'19] → GDPR-compliant systems.
     - Tools to parse a privacy policy and identify GDPR compliance and user rights from it [Polisis: Security'18] → give users hassle-free control over their personal data.

  32. Closing slide: Security & Privacy, Policy, Access Control, Systems.
