An AI-Assisted Approach for Checking the Completeness of Privacy Policies against GDPR

Damiano Torre, Sallam Abualhaija, Mehrdad Sabetzadeh, Lionel Briand, Katrien Baetens, Peter Goes, Sylvie Forastier

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, peer-review

Abstract

Privacy policies are critical for helping individuals make informed decisions about their personal data. In Europe, privacy policies are subject to compliance with the General Data Protection Regulation (GDPR). If done entirely manually, checking whether a given privacy policy complies with GDPR is both time-consuming and error-prone. Automated support for this task is thus advantageous. At the moment, there is an evident lack of such support on the market. In this paper, we tackle an important dimension of GDPR compliance checking for privacy policies. Specifically, we provide automated support for checking whether the content of a given privacy policy is complete according to the provisions stipulated by GDPR. To do so, we present: (1) a conceptual model to characterize the information content envisaged by GDPR for privacy policies, (2) an AI-Assisted approach for classifying the information content in GDPR privacy policies and subsequently checking how well the classified content meets the completeness criteria of interest; and (3) an evaluation of our approach through a case study over 24 unseen privacy policies. For classification, we leverage a combination of Natural Language Processing and supervised Machine Learning. Our experimental material is comprised of 234 real privacy policies from the fund industry. Our empirical results indicate that our approach detected 45 of the total of 47 incompleteness issues in the 24 privacy policies it was applied to. Over these policies, the approach had eight false positives. The approach thus has a precision of 85% and recall of 96% over our case study.

Original language: English
Title of host publication: Proceedings - 28th IEEE International Requirements Engineering Conference, RE 2020
Editors: Travis Breaux, Andrea Zisman, Samuel Fricker, Martin Glinz
Publisher: IEEE Computer Society
Pages: 136-146
Number of pages: 11
ISBN (Electronic): 9781728174389
Publication status: Published - Aug 2020
Externally published: Yes
Event: 28th IEEE International Requirements Engineering Conference, RE 2020 - Zurich, Switzerland
Duration: 31 Aug 2020 to 4 Sep 2020

Publication series

Name: Proceedings of the IEEE International Conference on Requirements Engineering
Volume: 2020-August
ISSN (Print): 1090-705X
ISSN (Electronic): 2332-6441

Conference

Conference: 28th IEEE International Requirements Engineering Conference, RE 2020
Country/Territory: Switzerland
City: Zurich
Period: 31/08/20 to 4/09/20

Keywords

  • Case Study Research
  • Legal Compliance
  • Machine Learning (ML)
  • Natural Language Processing (NLP)
  • Privacy Policies
  • The General Data Protection Regulation (GDPR)
