It has been five years since the General Data Protection Regulation (GDPR) went into effect in the EU. Ever since, research has continued to show that the creators of online services find it difficult to put the legal requirements of EU legislation into practice. They mainly resort to lengthy privacy policies and often deceptive cookie notices to ask users for their consent to data processing, rather than revising their own data processing practices and opting for approaches that collect less personal data. This is to the detriment of both service providers and users, who are faced with decreased usability of websites, apps, and devices.
This talk investigates approaches both to understand the roadblocks that keep system creators and users from adopting a privacy-by-design mindset and to find ways to address them. This is all the more important in light of new European platform regulations that intend to create boundaries for personalized advertising and introduce interoperability requirements, which in turn present new opportunities to empower system creators and users alike to take control of users' privacy.
Christine Utz (she/her) is a postdoctoral researcher at the CISPA Helmholtz Center for Information Security in Saarbrücken, Germany. She holds bachelor’s and master’s degrees in information security and a PhD in computer science from Ruhr University Bochum, as well as a law degree from the University of Bayreuth. Her doctoral research concerned effects of the GDPR on third-party web tracking and was conducted within the framework of an interdisciplinary graduate school, SecHuman - Security for People in Cyberspace. She combines online measurements with methods from human-computer interaction to foster people’s awareness and agency regarding the processing of their personal data. Her work was published at leading venues for security & privacy and human-computer interaction and was repeatedly featured at the FTC PrivacyCon in Washington, DC.