Abstract
With the arrival of the European Union’s General Data Protection Regulation (GDPR), several companies are making significant changes to their systems to achieve compliance. The changes range from modifying privacy policies to redesigning systems which process personal data. The privacy policy is the main medium of information dissemination between the data controller and the users. This work analyzes the privacy policies of large-scale cloud services which seek to be GDPR compliant. We show that many services that claim compliance today do not have clear and concise privacy policies. We identify several points in the privacy policies which potentially indicate non-compliance; we term these GDPR dark patterns. We identify GDPR dark patterns in ten large-scale cloud services. Based on our analysis, we propose seven best practices for crafting GDPR privacy policies.
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Mohan, J., Wasserman, M., Chidambaram, V. (2019). Analyzing GDPR Compliance Through the Lens of Privacy Policy. In: Gadepally, V., et al. Heterogeneous Data Management, Polystores, and Analytics for Healthcare. DMAH Poly 2019 2019. Lecture Notes in Computer Science, vol 11721. Springer, Cham. https://doi.org/10.1007/978-3-030-33752-0_6
DOI: https://doi.org/10.1007/978-3-030-33752-0_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-33751-3
Online ISBN: 978-3-030-33752-0
eBook Packages: Computer Science, Computer Science (R0)