Accomplishing Transparency within the GDPR

  • Interdisciplinary Centre for Security, Reliability and Trust (SnT)
    25 March 2019
  • Category
    Research

On 21 January 2019 the French Data Protection Authority (CNIL) handed Google the largest ever penalty for a breach of the General Data Protection Regulation (GDPR). The 50 million euro fine penalised the tech giant for its failure to meet the GDPR’s principle of transparency – the quality meant to ensure that data subjects know how and why their data is processed. CNIL found, for example, that it took some five or six actions for a user to access meaningful information on Google’s use of personal data for personalised ads.

It might come as a surprise for an organisation of Google’s technical and legal resources to fall foul of a regulation introduced with such fanfare nearly a year ago. But such is the lack of clarity concerning the GDPR’s transparency provisions that organisations of all sizes are still struggling to come to terms with their implementation.

To help this transition, Dr. Dayana Spagnuelo, Dr. Gabriele Lenzini, and Dr. Ana Ferreira conducted a wide-ranging review of the numerous Transparency Enhancing Technologies (TETs) currently available. The team used Natural Language Processing to correlate GDPR articles relating to transparency with technical requirements for achieving it. This gave them the grounds to measure how effective individual TETs are in helping organisations achieve transparency in their systems and processes.

Their paper, “Accomplishing Transparency within the General Data Protection Regulation”, offers insights that could help companies improve the transparency of their services, demonstrate compliance and avoid costly fines. The paper’s importance was recognised with the Best Paper Award at the 5th International Conference on Information Systems Security and Privacy (ICISSP), in Prague.

“Transparency is a difficult concept, because unlike lawfulness and fairness – the other principles in the GDPR, which are both legal in nature – transparency is socio-technical and hasn’t been defined,” says Spagnuelo, who recently completed her PhD at SnT and is now a Junior Lecturer at Vrije Universiteit Amsterdam. “It requires a fresh and dynamic body of knowledge, and it’s exciting to be a part of shaping this new technical property.”

Spagnuelo’s doctoral research took on the task of defining transparency, measuring the factors that qualify the property, and helping implement them in real systems. “This award is recognition that the work she did in Luxembourg is relevant and innovative,” says Dr. Gabriele Lenzini, Spagnuelo’s PhD supervisor at SnT. “We will continue to work together on this important socio-technical topic, hoping it can bring new partnerships and collaborations to the SnT.”

Reference: Dayana Spagnuelo (Vrije Universiteit Amsterdam), Gabriele Lenzini (SnT/University of Luxembourg), Ana Ferreira (CINTESIS/University of Porto). Accomplishing Transparency within the General Data Protection Regulation, 5th International Conference on Information Systems Security and Privacy (2019).
