
Analyzing GDPR Compliance Through the Lens of Privacy Policy

  • Conference paper
Heterogeneous Data Management, Polystores, and Analytics for Healthcare (DMAH 2019, Poly 2019)

Abstract

With the arrival of the European Union’s General Data Protection Regulation (GDPR), several companies are making significant changes to their systems to achieve compliance. The changes range from modifying privacy policies to redesigning systems which process personal data. The privacy policy is the main medium of information dissemination between the data controller and the users. This work analyzes the privacy policies of large-scale cloud services which seek to be GDPR compliant. We show that many services that claim compliance today do not have clear and concise privacy policies. We identify several points in the privacy policies which potentially indicate non-compliance; we term these GDPR dark patterns. We identify GDPR dark patterns in ten large-scale cloud services. Based on our analysis, we propose seven best practices for crafting GDPR privacy policies.




Corresponding author

Correspondence to Jayashree Mohan.


Copyright information

© 2019 Springer Nature Switzerland AG

About this paper


Cite this paper

Mohan, J., Wasserman, M., Chidambaram, V. (2019). Analyzing GDPR Compliance Through the Lens of Privacy Policy. In: Gadepally, V., et al. Heterogeneous Data Management, Polystores, and Analytics for Healthcare. DMAH 2019, Poly 2019. Lecture Notes in Computer Science, vol 11721. Springer, Cham. https://doi.org/10.1007/978-3-030-33752-0_6


  • DOI: https://doi.org/10.1007/978-3-030-33752-0_6


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-33751-3

  • Online ISBN: 978-3-030-33752-0

  • eBook Packages: Computer Science, Computer Science (R0)
