Abstract
Although the General Data Protection Regulation (GDPR) defines several potential legal bases for personal data processing, in many cases data controllers, even when they are located outside the European Union (EU), will need to obtain consent from EU citizens for the processing of their personal data. Unfortunately, existing approaches for obtaining consent, such as pages of text followed by an agreement/disagreement mechanism, are neither specific nor informed. In order to address this challenge, we introduce our Consent reqUest useR intErface (CURE) prototype, which is based on the GDPR requirements and the interpretation of those requirements by the Article 29 Working Party (i.e., the predecessor of the European Data Protection Board). The CURE prototype provides transparency regarding personal data processing, more control via a customization, and, based on the results of our usability evaluation, improves user comprehension with respect to what data subjects actually consent to. Although the CURE prototype is based on the GDPR requirements, it could potentially be used in other jurisdictions also.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
GDPR Art. 6(1)(b–f).
- 2.
For the lawful personal data processing data subject’s consent is not required.
- 3.
GDPR Art. 6(1)(a).
- 4.
Art. 4(11) is complemented by Art. 7 that provides information on conditions for consent.
- 5.
Article 29 Working Party Guidelines on consent under Regulation 2016/6791 are available at https://bit.ly/2BdQs08.
- 6.
Article 29 Working Party was an independent European working party that dealt with data protection issues. On 25.05.2018 it was replaced by the European Data Protection Board under the GDPR.
- 7.
A Privacy Finder is a search engine service that informs users whether the privacy policies of the displayed search results coincide with users’ privacy preferences. It also generates a privacy report for each search result, providing users with the core information from the privacy policy.
- 8.
Compliance tools are offered by various companies, e.g., ShareThis Inc., eccenca GmbH, etc.
- 9.
Usercentrics’ consent request can be viewed at https://usercentrics.com.
- 10.
Norwegian Consumer Council Report is available at https://bit.ly/2N1TRRC.
- 11.
Our questionnaire is available at https://bit.ly/2DNOGC3.
- 12.
The prototype is available in two languages: English (http://cr-slider.soft.cafe/en/) and German (http://cr-slider.soft.cafe/de/).
- 13.
The source code is available at https://bit.ly/2GErFC7.
- 14.
Scalable Policy-awarE linked data arChitecture for prIvacy, trAnsparency and compLiance (SPECIAL) project is described in detail on https://www.specialprivacy.eu/.
References
Acquisti, A., Adjerid, I., Brandimarte, L.: Gone in 15 seconds: the limits of privacy transparency and control. IEEE Secur. Priv. 11(4), 72–74 (2013)
Angulo, J., Fischer-Hübner, S., Pulls, T., Wästlund, E.: Usable transparency with the data track: a tool for visualizing data disclosures. In: Proceedings of the 33rd Annual ACM Conference Extended Abstracts on Human Factors in Computing Systems, pp. 1803–1808. ACM (2015)
Bastien, J.C.: Usability testing: a review of some methodological and technical aspects of the method. Int. J. Med. Inform. 79, e18–e23 (2010)
Benedek, J., Miner, T.: Measuring desirability: new methods for evaluating desirability in a usability lab setting. Proc. Usability Prof. Assoc. 2003(8–12), 57 (2002)
Bier, C., Kühne, K., Beyerer, J.: PrivacyInsight: the next generation privacy dashboard. In: Schiffner, S., Serna, J., Ikonomou, D., Rannenberg, K. (eds.) APF 2016. LNCS, vol. 9857, pp. 135–152. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-44760-5_9
Borgesius, F.Z.: Informed consent: we can do better to defend privacy. IEEE Secur. Priv. 13(2), 103–107 (2015)
Brewer, M.B., Crano, W.D.: Research design and issues of validity. In: Reis, H.T., Judd, C.M. (eds.) Handbook of Research Methods in Social and Personality Psychology, pp. 3–16. Cambridge University Press, Cambridge (2000)
Charters, E.: The use of think-aloud methods in qualitative research: an introduction to think-aloud methods. Brock Educ. J. 12(2), 68–82 (2003)
Checkland, P., Holwell, S.: Action research. In: Kock, N. (ed.) Information Systems Action Research. Integrated Series in Information Systems, vol. 13, pp. 3–17. Springer, Boston (2007). https://doi.org/10.1007/978-0-387-36060-7_1
Costante, E., Sun, Y., Petković, M., den Hartog, J.: A machine learning solution to assess privacy policy completeness: (short paper). In: Proceedings of the 2012 ACM Workshop on Privacy in the Electronic Society, pp. 91–96. ACM (2012)
Drozd, O., Kirrane, S.: I agree: customize your personal data processing with the core user interface. In: Gritzalis, S., Weippl, E.R., Katsikas, S.K., Anderst-Kotsis, G., Tjoa, A.M., Khalil, I. (eds.) TrustBus 2019. LNCS, vol. 11711, pp. 17–32. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-27813-7_2
Friedman, B., Howe, D.C., Felten, E.: Informed consent in the mozilla browser: implementing value-sensitive design. In: Proceedings of the 35th Annual Hawaii International Conference on System Sciences, p. 10. IEEE (2002)
Hartson, H.R., Castillo, J.C., Kelso, J., Neale, W.C.: Remote evaluation: the network as an extension of the usability laboratory. In: Proceedings of the SIGCHI. ACM (1996)
Ivory, M.Y., Hearst, M.A.: The state of the art in automating usability evaluation of user interfaces. ACM Comput. Surv. (CSUR) 33(4), 470–516 (2001)
Kelley, P.G., Bresee, J., Cranor, L.F., Reeder, R.W.: A nutrition label for privacy. In: Proceedings of the 5th Symposium on Usable Privacy and Security, p. 4. ACM (2009)
Kirrane, S., et al.: A scalable consent, transparency and compliance architecture. In: Gangemi, A., et al. (eds.) ESWC 2018. LNCS, vol. 11155, pp. 131–136. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98192-5_25
Kumar, P.: Privacy policies and their lack of clear disclosure regarding the life cycle of user information. In: 2016 AAAI Fall Symposium Series (2016)
Liccardi, I., Pato, J., Weitzner, D.J.: Improving mobile app selection through transparency and better permission analysis. J. Priv. Confid. 5(2), 1–55 (2014)
MacKenzie, I.S.: User studies and usability evaluations: from research to products. In: Proceedings of the 41st Graphics Interface Conference, pp. 1–8. CIPS (2015)
McDonald, A.M., Cranor, L.F.: The cost of reading privacy policies. ISJLP 4, 543 (2008)
McDonald, A.M., Reeder, R.W., Kelley, P.G., Cranor, L.F.: A comparative study of online privacy policies and formats. In: Goldberg, I., Atallah, M.J. (eds.) PETS 2009. LNCS, vol. 5672, pp. 37–55. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03168-7_3
Mont, M.C., Sharma, V., Pearson, S.: Encore: dynamic consent, policy enforcement and accountable information sharing within and across organisations. Technical report, HP Laboratories HPL-2012-36 (2012)
Peffers, K., Tuunanen, T., Rothenberger, M.A., Chatterjee, S.: A design science research methodology for information systems research. JMIS 24(3), 45–77 (2007)
Piras, L., et al.: Defend architecture: a privacy by design platform for GDPR compliance. In: Gritzalis, S., et al. (eds.) TrustBus 2019. LNCS, vol. 11711, pp. 78–93. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-27813-7_6
Railean, A., Reinhardt, D.: Let there be lite: design and evaluation of a label for IoT transparency enhancement. In: Proceedings of the 20th International Conference on Human-Computer Interaction with Mobile Devices and Services Adjunct, pp. 103–110. ACM (2018)
Raschke, P., Küpper, A., Drozd, O., Kirrane, S.: Designing a GDPR-compliant and usable privacy dashboard. In: Hansen, M., Kosta, E., Nai-Fovino, I., Fischer-Hübner, S. (eds.) Privacy and Identity 2017. IAICT, vol. 526, pp. 221–236. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-92925-5_14
Reeder, R.W., et al.: Expandable grids for visualizing and authoring computer security policies. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 1473–1482. ACM (2008)
Schaub, F., Balebako, R., Durity, A.L., Cranor, L.F.: A design space for effective privacy notices. In: Eleventh Symposium on Usable Privacy and Security, pp. 1–17 (2015)
Seidman, I.: Interviewing as Qualitative Research: A Guide for Researchers in Education and the Social Sciences. Teachers College Press, New York (2013)
Steinsbekk, K.S., Myskja, B.K., Solberg, B.: Broad consent versus dynamic consent in biobank research: is passive participation an ethical problem? EJHG 21(9), 897 (2013)
Tidwell, J.: Designing Interfaces: Patterns for Effective Interaction Design. O’Reilly Media, Inc., Sebastopol (2010)
Utz, C., Degeling, M., Fahl, S., Schaub, F., Holz, T.: (Un)informed consent: studying GDPR consent notices in the field. arXiv preprint arXiv:1909.02638 (2019)
Van Someren, M., Barnard, Y., Sandberg, J.: The Think Aloud Method: A Practical Approach to Modelling Cognitive Processes. Academic Press, London (1994)
Weitzner, D.J., et al.: Transparent accountable data mining: new strategies for privacy protection (2006)
Wijesekera, P., et al.: The feasibility of dynamically granted permissions: aligning mobile privacy with user preferences. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 1077–1093. IEEE (2017)
Acknowledgments
This paper is supported by the European Union’s Horizon 2020 research and innovation programme under grant 731601. We would like to thank our colleagues from SPECIAL and WU for their legal support and help with the user studies.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 IFIP International Federation for Information Processing
About this paper
Cite this paper
Drozd, O., Kirrane, S. (2020). Privacy CURE: Consent Comprehension Made Easy. In: Hölbl, M., Rannenberg, K., Welzer, T. (eds) ICT Systems Security and Privacy Protection. SEC 2020. IFIP Advances in Information and Communication Technology, vol 580. Springer, Cham. https://doi.org/10.1007/978-3-030-58201-2_9
Download citation
DOI: https://doi.org/10.1007/978-3-030-58201-2_9
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-58200-5
Online ISBN: 978-3-030-58201-2
eBook Packages: Computer ScienceComputer Science (R0)