The Layered Privacy Language Art. 12 - 14 GDPR Extension - Privacy Enhancing User Interfaces

摘要

Where personal data is collected or processed, users (Data Subjects) have to be informed about it by the privacy policy. Although this document is essential and contains all legally required information, users often do not read the privacy policies [1] [2]. This behaviour has various reasons, for example complexity, legal language or the length of the privacy policy [3]. Thus, the presentation of the privacy policy has to be reconsidered. McDonald and Cranor analysed the cost of reading privacy policies in their study. The result was the following: if every American internet user read all privacy policies, which are displayed to him, the whole nation would spend 54 billion hours per year reading. Breaking down this sum, every American citizen would require 40 minutes a day reading privacy polices [4]. As a result of this great expenditure of time, many users agree/consent to privacy policies without understanding them. The GDPR, which intends to strengthen the rights of Data Subjects, e.g. by requiring free and informed consent [5, Art. 7], seems not to have any noticeable effect on this behaviour. To avoid unknown processing of personal data, the Data Subject has to understand the contents of the privacy policy, which is not trivial. Primarily the complexity of the GDPR, its definition of information that has to be provided to the Data Subject [5, Art. 12 - 14] and the creation of GDPR compliant privacy policies are challenging tasks for the Controller, which can be supported by the Data Protection Officer (DPO). Because no uniform approach of creating and handling is available, the management of privacy policies is a tedious and time-consuming task which may be individual for each DPO and Controller. Furthermore, this results in various structures, wordings and presentations of privacy policies, hindering the understanding for the Data Subjects.