Automated Detection of GDPR Disclosure Requirements in Privacy Policies using Deep Active Learning
This addresses the challenge of verifying legal compliance for companies and regulators, but it is incremental as it applies an existing method to a new dataset.
The paper tackled the problem of assessing GDPR compliance in privacy policies by developing a CNN-based model that classifies policies with 89.2% accuracy, revealing that 97% of websites fail to meet at least one requirement.
Since GDPR came into force in May 2018, companies have worked on their data practices to comply with this privacy law. In particular, since the privacy policy is the essential communication channel for users to understand and control their privacy, many companies updated their privacy policies after GDPR was enforced. However, most privacy policies are verbose, full of jargon, and vaguely describe companies' data practices and users' rights. Therefore, it is unclear if they comply with GDPR. In this paper, we create a privacy policy dataset of 1,080 websites labeled with the 18 GDPR requirements and develop a Convolutional Neural Network (CNN) based model which can classify the privacy policies with an accuracy of 89.2%. We apply our model to perform a measurement on the compliance in the privacy policies. Our results show that even after GDPR went into effect, 97% of websites still fail to comply with at least one requirement of GDPR.