Beyond Notice and Consent: Towards More Usable Privacy Under European Data Protection and Platform Regulations

It has been five years since the General Data Protection Regulation (GDPR) went into effect in the EU. Ever since, research has continued to show that the creators of online services find it difficult to implement the legal requirements of EU legislation into practice. They mainly resort to lengthy privacy policies and often deceptive cookie notices to ask users for their consent to data processing, rather than revise their own data processing practices and opt for approaches that collect less personal data. This comes to the detriment of service providers and users, who are both faced with decreased usability of websites, apps, and devices. This talk investigates approaches to both understand the roadblocks that keep system creators and users from adopting a privacy-by-design mindset and to find ways to address them. This is ever more important in the light of new European platform regulations that intend to create boundaries for personalized advertising and introduce interoperability requirements, which in turn pose new opportunities to empower system creators and users alike to take control of users' privacy.

From GDPR to Information Flow Semantics

Inevitably, personal data is transferred from EU to third countries. GDPR should follow this data wherever it is transferred. How can this requirement be enforced in practice? Currently, data transfers from EU to third countries are mostly regulated by legal agreements between data exporters and data importers. But these agreements tend to be complicated, unforeseeable, and ultimately inefficient. Technology can be employed to automatically ensure that transferred data is used by a third country is a way that does not violate GDPR. This talk explores information flow control as a tool to enforce GDPR, before it dives into new information flow semantics.

Is Privacy by Construction Possible?

Finding suitable ways to handle personal data in conformance with the law is challenging. For existing systems the challenge is to be able to show evidence that they are already complying with the GDPR, or otherwise to work towards compliance by modifying their systems and procedures, or alternatively reprogramming their systems in order to pass the eventual controls. In this short non-technical talk I will give my personal opinion on issues related to the ambition of achieving Privacy by Construction.

Challenges of User-centric Privacy Enhancing Technologies

The GDPR promotes the principle of Privacy by Design and Default, acknowledging that the individual’s privacy is best protected if privacy law is complemented by privacy enhancing technologies (PETs). While technically advanced PETs have been researched and developed in the last four decades, challenges remain for making PETs and their configurations usable. In particular, PETs are often based on “crypto-magic” operations that are counterintuitive and for which no real-world analogies can be easily found.

Can we enforce GDPR principles via information flow control?

In this talk, I will present some work in progress on using IFC principles for enforcing GDPR-style privacy principles. Privacy legislation such as the GDPR specifies legal requirements for protecting the private data of individuals but remains vague …