7 research outputs found

    Let the Computer Say NO! The Neglected Potential of Policy Definition Languages for Data Sovereignty

    During interaction with today’s internet services and platform ecosystems, consumer data is often harvested and shared without their consent; that is, consumers ceased to be the sovereigns of their own data with the proliferation of the internet. Due to the rapid and abundant nature of interactions in today’s platform ecosystems, manual consent management is impractical. To support development of semi-automated solutions for reestablishing data sovereignty, we investigate the use of policy definition languages as machine-readable and enforceable mechanisms for fostering data sovereignty. We conducted a realist literature review of the capabilities of policy definition languages developed for pertinent application scenarios (e.g., for access control in cloud computing). We consolidate extant literature into a framework of the chances and challenges of leveraging policy definition languages as central building blocks for data sovereignty in platform ecosystems.

    On Compliance of Cookie Purposes with the Purpose Specification Principle

    The enforcement of the General Data Protection Regulation and the ePrivacy Directive relies upon auditing legal compliance of websites. Data controllers, as part of their accountability and transparency obligations, need to declare the purposes of cookies that they use in their websites. This leads to relevant questions such as: How should purposes be described according to the purpose specification principle? And how to ensure a scalable auditing, enabled by automated means, for legal compliance of cookie purposes? In this paper, we investigate the legal compliance of purposes for 20,218 third-party cookies. Surprisingly, only 12.85% of third-party cookies have a corresponding cookie policy where a cookie is even mentioned. Overall, we find out that purposes declared in cookie policies do not comply with the purpose specification principle in 95% of cases in our automatized audit. Finally, we provide recommendations on standardized specification of purposes following the recent draft recommendation of the French Data Protection Authority (CNIL) on cookies.

    JURI SAYS: An Automatic Judgement Prediction System for the European Court of Human Rights

    In this paper we present the web platform JURI SAYS that automatically predicts decisions of the European Court of Human Rights based on communicated cases, which are published by the court early in the proceedings and are often available many years before the final decision is made. Our system therefore predicts future judgements of the court. The platform is available at jurisays.com and shows the predictions compared to the actual decisions of the court. It is automatically updated every month by including the prediction for the new cases. Additionally, the system highlights the sentences and paragraphs that are most important for the prediction (i.e. violation vs. no violation of human rights)

    Are cookie banners indeed compliant with the law?: Deciphering EU legal requirements on consent and technical means to verify compliance of cookie banners

    In this paper, we describe how cookie banners, as a consent mechanism in web applications, should be designed and implemented to be compliant with the ePrivacy Directive and the GDPR, defining 22 legal requirements. While some are provided by legal sources, others result from the domain expertise of computer scientists. We perform a technical assessment of whether technical (with computer science tools), manual (with a human operator) or user studies verification is needed. We show that it is not possible to assess legal compliance for the majority of requirements because of the current architecture of the web. With this approach, we aim to support policy makers assessing compliance in cookie banners, especially under the current revision of the EU ePrivacy framework.

    Selbstbestimmung, Privatheit und Datenschutz

    This open-access edited volume sets out the current challenges for privacy and data protection that arise from increasing digitalization. The contributing authors analyze how these challenges can be addressed through governance mechanisms. As an alternative to a purely profit-oriented digital capitalism or digital authoritarianism, the volume argues for an independent European path in data protection, one aimed at technology development oriented toward the common good. In particular, the contributions deal with the possibilities for strengthening self-determination in the data economy and with algorithmic decision systems.

    Selbstbestimmung, Privatheit und Datenschutz

    Three Dimensions of Privacy Policies

    Privacy policies are the main way to obtain information related to personal data collection and processing. Originally, privacy policies were presented as textual documents. However, the unsuitability of this format for the needs of today's society gave birth to other means of expression. In this report, we systematically study the different means of expression of privacy policies. In doing so, we have identified three main categories, which we call dimensions, i.e., natural language, graphical and machine-readable privacy policies. Each of these dimensions focuses on the particular needs of the communities they come from, i.e., law experts, organizations and privacy advocates, and academics, respectively. We then analyze the benefits and limitations of each dimension, and explain why solutions based on a single dimension do not cover the needs of other communities. Finally, we propose a new approach to expressing privacy policies which brings together the benefits of each dimension as an attempt to overcome their limitations.