A Generic Information and Consent Framework for the IoT

The Internet of Things (IoT) raises specific issues in terms of information and consent, which makes the implementation of the General Data Protection Regulation (GDPR) challenging in this context. In this report, we propose a generic framework for information and consent in the IoT which is protective both for data subjects and for data controllers. We present a high level description of the framework, illustrate its generality through several technical solutions and case studies, and sketch a prototype implementation

GDPR Privacy Policies in CLAUDETTE: Challenges of Omission, Context and Multilingualism

The latest developments in natural language processing and machine learning have created new opportunities in legal text analysis. In particular, we look at the texts of online privacy policies after the implementation of the European General Data Protection Regulation (GDPR). We analyse 32 privacy policies to design a methodology for automated detection and assessment of compliance of these documents. Preliminary results confirm the pressing issues with current privacy policies and the beneficial use of this approach in empowering consumers in making more informed decisions. However, we also encountered several serious issues in the process. This paper introduces the challenges through concrete examples of context dependence, omission of information, and multilingualism

The coexistence between Blockchain and GDPR

The constant evolution of technology sometimes cannot avoid conflict with the parallel evolution of surrounding regulations and legislation. This dissertation highlights the Blockchain architectural design and its inherent and apparent incompatibility with the standing European directives concerning General Data Protection Regulation (GDPR) thanks to one of its most prominent features - immutability. As Blockchain-based solutions emerge and their adoption increases, the concerns about current regulation regarding storage of personal data and the conciliation with the Blockchain’s model arises. As a consequence, this research aims to find out a practical way of making Blockchains compatible with GDPR and providing a solution, with the elaboration of a Proof of Concept, along with interviews to experts of Blockchain and GDPR’s fields with the purpose of obtaining results and drawing conclusions.A constante evolução que categoriza a tecnologia não pode, por vezes, evitar conflitos com a evolução paralela de regulamentos e de legislações envolventes. Esta dissertação destaca a discrepância entre a arquitetura inerente dos sistemas de Blockchain e a sua incompatibilidade aparente e inerente às diretrizes europeias assentes sobre o Regulamento Geral de Proteção de Dados, graças a uma das suas características mais importantes – imutabilidade. À medida que as soluções baseadas em Blockchain surgem e a sua adopção aumenta, surgem preocupações sobre a regulamentação atual em relação ao armazenamento de dados pessoais e a conciliação com o modelo da Blockchain. Consequentemente, esta pesquisa tem como objectivo descobrir uma maneira prática de tornar a tecnologia Blockchain compatível com o Regulamento Geral de Proteção de Dados e fornecer uma solução através da elaboração de uma Prova de Conceito, além de entrevistas com especialistas das áreas de Blockchain e Regulamento Geral de Proteção de Dados com o objetivo de obter resultados e tirar conclusões

Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence

New consent management platforms (CMPs) have been introduced to the web to conform with the EU's General Data Protection Regulation, particularly its requirements for consent when companies collect and process users' personal data. This work analyses how the most prevalent CMP designs affect people's consent choices. We scraped the designs of the five most popular CMPs on the top 10,000 websites in the UK (n=680). We found that dark patterns and implied consent are ubiquitous; only 11.8% meet the minimal requirements that we set based on European law. Second, we conducted a field experiment with 40 participants to investigate how the eight most common designs affect consent choices. We found that notification style (banner or barrier) has no effect; removing the opt-out button from the first page increases consent by 22--23 percentage points; and providing more granular controls on the first page decreases consent by 8--20 percentage points. This study provides an empirical basis for the necessary regulatory action to enforce the GDPR, in particular the possibility of focusing on the centralised, third-party CMP services as an effective way to increase compliance.Comment: 13 pages, 3 figures. To appear in the Proceedings of CHI '20 CHI Conference on Human Factors in Computing Systems, April 25--30, 2020, Honolulu, HI, US

Management of open access research infrastructures in large EU projects: the “CultureLabs” case

Working Paper Ircres-CNR 09/2021. Research funding organizations, particularly at international level, are increasingly promoting the creation and maintenance of open access research infrastructures (RI). These resources have assumed a pivotal role as support for the new open and networked science in their dimension of technical and operational frameworks that allow scientists and stakeholders to collaborate and share scientific data and results. In Social Sciences and Humanities (SSH), the creation and exploitation of open data platforms is still attempting to catch up with longer-standing practices in the “hard sciences” as the resistance to wider data sharing has not yet been completely overcome. This paper aims to describe how a large project, financed by the European Commission, managed the creation of a RI in the field of SSH, showing the steps undertaken to comply with the GDPR regulations and prepare the data for useful sharing and reuse. In this regard, the authors present the case study of the Horizon 2020 “CultureLabs” project, placing emphasis on some specific practical factors that they believe are particularly important for implementing open access principles in the establishment and maintenance of RIs in the new course of science based on sharing and openness. In particular, the authors will focus on creation of “useful” and GDPR-compliant data and the impact on research activities as a result of their (re)utilisation; the control of the data management process; and the compliance with funders’ requirements (e.g. in terms of data security). The reflection on the interplay of these aspects, operated through a case study, appears to be crucial in moving away from a merely theoretical approach to addressing the issue of open access, and it hopes to serve as a guide or a warning for those who create and administer open RIs

European Health Data Space – an opportunity now to grasp the future of data-driven healthcare

Peer reviewedPostprin